Skip to main content

Planning Deep Dive

Deep Dive into Changes to the Planning Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the Planning control family that the new baselines bring.


Considerable Changes to the Low, Moderate, and High baselines include:

  • Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
  • A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
  • A requirement to update policies and procedures after specified events
  • A greater focus on privacy, including changing System Security Plan to System Security and Privacy Plan
  • New requirements to describe specific threats
  • New requirement to provide results of privacy risk assessment for systems processing PII
  • A new parameter specifying individuals or groups responsible for assessing risk for coordination
  • An additional parameter requiring selection of actions taken when the rules of behavior change


Considerable Changes to the Moderate and High baselines include:

  • Additional restrictions on posting information and on use of organization-provided identifiers
  • Additional references to privacy and requirements to describe how the architectures are integrated into and support the enterprise architecture
  • A new control requiring selecting the control baseline for the system to address the protection needs of a group, organization, or community of interest
  • A new control requiring the tailoring of selected control baselines by applying specified tailoring actions, which allows organizations to specialize or customize a set of baseline controls to reflect their specific missions and business functions, environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success


Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey.