Maintenance Deep Dive

Deep Dive into Changes to the Maintenance Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 (NIST SP 800-53 Rev5). Here we take a closer look at the changes that the new baselines bring to the Maintenance control family.


Considerable Changes to the Low, Moderate, and High baselines include:

  • Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
  • A requirement to designate a specific official to manage the development, documentation, and dissemination of policies and procedures
  • A requirement to update policies and procedures after specified events
  • An additional parameter for specifying information that must be sanitized from associated media prior to removal


Considerable Changes to the Moderate and High baselines include:

  • A new parameter to review previously approved maintenance tools at a specified frequency


Considerable Changes to the High baseline include:

  • Removal of a control requiring implementation of cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications


Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey.