Skip to main content
Security Assessment & Authorization

Security Assessment and Authorization Deep Dive

Deep Dive into Changes to the Security Assessment and Authorization Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the Security Assessment and Authorization control family that the new baselines bring.


Considerable Changes to the Low, Moderate, and High baselines include:

  • Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
  • A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
  • A requirement to update policies and procedures after specified events
  • Removal of the parameter specifying the level of independence for the Third Party Assessment Organization
  • A requirement to document privacy requirements, controls, and responsibilities for each system
  • A requirement to assign a senior official as the authorizing official to authorize use of common controls available for inheritance by organizational systems
  • A change from metrics to system-level metrics for continuous monitoring
  • A requirement to define specific conditions for terminating internal system connections
  • A requirement to define the frequency for reviewing the continued need for internal connections


Considerable Changes to the High baseline include:

  • A requirement to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations

Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey.