Deep Dive into Changes to the System and Communications Protection Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the System and Communications Protection control family that the new baselines bring.

Considerable Changes to the Low, Moderate, and High baselines include:

• Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
• A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
• A requirement to update policies and procedures after specified events
• An addition of a requirement to select protecting against or limiting the effects of denial-of-service events
• A new parameter requiring the specific types of denial-of-service events in which safeguards are in place
• A change from monitoring and controlling communications at the external boundary to monitoring and controlling communications at managed interfaces
• An addition of control text specifying a need to determine cryptographic protection in addition to implementing cryptographic protection

Considerable Changes to the Moderate and High baselines include:

• An addition of control text to prevent unauthorized exchange of control plane traffic with external networks, publish information to enable remote networks to detect unauthorized control plane traffic from internal networks, and filter unauthorized control plane traffic from external networks
• An addition of a new parameter adds selection of managed interfaces that deny network communications traffic by default and allow network communications traffic by exception
• An addition of a new parameter specifying safeguards securely provisioning the use of split tunneling
• The removal of a control requiring that the organization isolate security tools from other internal information system components by implementing physically separate subnetworks
• A change from ‘fails securely’ to ‘prevent systems from entering unsecure states’ in the event of an operational failure of a boundary protection device
• Removal of a parameter requiring specifying the alternative physical safeguards that prevent unauthorized disclosure of information and detect changes to information during transmission
• Removal of the control requiring the organization produces, controls, and distributes asymmetric cryptographic keys using NSA-approved key management technology and processes, approved PKI Class 3 certificates or prepositioned keying material, and/or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key
• Adds text to include only approved trust anchors in trust stores or certificate stores managed by the organization when issuing or obtaining public key certificates
• Removal of the control requiring the organization to establish usage restrictions and implementation guidance for Voice over Internal Protocol (VoIP)
• Removal of the control requiring the authorization, monitoring, and control of the use of VoIP

Considerable Changes to the High baseline include:

• Removal of the control requiring that the organization prevents the unauthorized exfiltration of information across managed interfaces
• Removal of the control requiring that the information system invalidates session identifiers upon user logout or other session termination

Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey. https://lz.infusionpoints.com/fedramp