Skip to main content

FedRAMP NIST 800-53 Revision 5 Deep Dive

FedRAMP Releases Proposed Updated Baselines  

Following the release of NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5) the FedRAMP Program Management Office (PMO) has developed new FedRAMP High, Moderate, Low, and Li-SaaS baselines. Cloud Service Providers (CSPs) looking to achieve a FedRAMP ATO and CSPs looking to recertify their existing ATO, will need to consider the impact to their security implementations, processes, and documentation, as well as their overall compliance program.  

What Changed 

Due to the withdrawal of certain controls and the consolidation of other controls in Rev 5, the new High and Moderate baselines will now have fewer controls, while the Low baseline will have an increased number of controls. The High baseline will go from 421 controls to 392 controls, the Moderate baseline will go from 325 controls to 304 controls, and the Low and Li-SaaS baselines will increase to 150 controls. 

SR Control Family 

The significant changes to the baselines includes an expansion of the security controls catalog,  which includes a new control family – Supply Chain Risk Management (SR). The SR family calls for a Supply Chain Risk Management Plan, which suggests that at least one new System Security Plan (SSP) Attachment will be coming to the FedRAMP documentation package once the Rev 5 baselines are adopted. Many CSPs will need to develop a supply chain risk management policy, supply chain risk management procedures, and the accompanying plan/attachment. The new SR control family also brings requirements for new security tools, such as anti-tamper solutions, and a risk management team, which will add new roles and responsibilities to CSP personnel. To ensure compliance with the new requirements, a CSP should consider having a gap assessment performed. 

Policy Enhancements 

Another change to the new baselines is a requirement that CSPs include in their policies for each control family the designation of a specific official to manage the development, documentation, and dissemination of policies and procedures. The new baselines also require the selection of policies and procedures as either organization-level, mission or business process level, or system level.  These changes will require many CSPs to update their policy and procedures documentation. 

Threat Hunting 

The new baselines also establish “state-of-the-practice” controls, such as a requirement to establish a threat hunting capability that monitors, detects, tracks, and disrupts threats that evade existing controls and controls that support cyber resilience and secure systems design based on threat intelligence and cyber-attack data. Threat analysis and intelligence capabilities will be necessary to any organization looking to comply with the new baselines.


With constantly evolving cybersecurity threats and increasing amounts of supply chain attacks every year, these changes will help to improve security for any entity following the new baselines, with an eye towards mitigating risk and preventing security incidents before they occur.  Below is a review of the key changes: 

  • 39 fewer controls in the High Baseline
  • 21 fewer controls in the Moderate Baseline
  • 25 more controls in the Low Baseline 
  • 24 more controls in the Li-SaaS Baseline
  • Supply Chain Risk Management (SR) family addition 
  • Implied addition of Supply Chain Risk Management attachment
  • Policy enhancements to include corrective action
  • “State of the Practice” controls


The PMO will provide CSPs at least six months to transition to the new templates. Check back here for deeper dives into changes in each control family and updates from the FedRAMP PMO.

Contact InfusionPoints for assistance with your FedRAMP journey. 


Control Family Deep Dive


Comply & Conquer - FedRAMP Rev 5 Updates