Incident Response Deep Dive

Deep Dive into Changes to the Incident Response Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 (NIST SP 800-53 Rev5). Here we take a closer look at the changes the new baselines bring to the Incident Response control family.

 

Considerable Changes to the Low, Moderate, and High baselines include:

  • Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
  • A requirement to designate a specific official to manage the development, documentation, and dissemination of policies and procedures
  • A requirement to update policies and procedures after specified events
  • A new requirement to review and update incident response training content at a specified frequency and following specified events
  • An addition of text to ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization
  • An addition of a new requirement of the Incident Response Plan (IRP) to address the sharing of incident information
  • An addition of a parameter specifying the frequency of IRP review and approval
  • An addition of a parameter to explicitly designate responsibility for incident response to specified entities, personnel, or roles
  • An inclusion of personally identifiable information in the IRP

 

Considerable Changes to the Moderate and High baselines include:

  • An addition of a new parameter specifying the automated mechanisms used to support incident handling processes
  • An addition of a new parameter specifying the automated mechanisms used to report incidents
  • An addition of a new control that requires providing incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident
  • An addition of a new parameter specifying the automated mechanisms used to increase the availability of incident response information and support
  • A complete removal of requirements to identify and respond to information spillage

 

Considerable Changes to the High baseline include:

  • An addition of a new parameter specifying the automated mechanisms used to provide an incident response training environment
  • An addition of a new parameter specifying the types of dynamic reconfiguration used for system components as part of the incident response capability
  • A new control requiring establishing and maintaining an integrated incident response team that can be deployed to any location identified by the organization
  • An addition of a new parameter specifying the automated mechanisms used to track incidents and collect and analyze incident information

 

Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey. https://lz.infusionpoints.com/fedramp