What’s New in NIST 800-53 Revision 5 for FedRAMP Cloud Service Providers
On May 30, 2023, the FedRAMP PMO released the long awaited FedRAMP baselines for FedRAMP High, Moderate, Low, and Li-SaaS based on NIST 800-53 rev5. Now, it's time for cloud service providers to turn their attention to the newest revision and plan accordingly Cloud Service Providers (CSPs) looking to achieve a FedRAMP ATO and CSPs looking to recertify their existing ATO will need to consider the impact the new baselines have on their security implementations, processes, and documentation, as well as their overall compliance program.
Control Selections
Revision 5 brings a host of new controls to the table, uplifts and/or consolidates many controls from its predecessor and removes controls that are no longer deemed essential or that have been replaced by more pertinent and effective alternatives. The FedRAMP High and Moderate baselines have reduced the amount of controls they require, from 421 and 325 controls selected for Revision 4 to 410 and 323 controls in the new Revision 5 baselines, while the FedRAMP Low and Li-SaaS baselines have increased the number of controls selected from 125 to 156 controls. From incident response to continuous monitoring and supply chain risk management, Revision 5 equips you with the essentials to stay one step ahead of potential breaches.
Supply Chain Risk Management (SR) Control Family
Gone are the days of blind trust in your third-party vendors - updates to the baselines have resulted in an expansion to the security controls catalog, including the new Supply Chain Risk Management (SR) control family. Under the SR-2 control, the addition of a Supply Chain Risk Management Plan to the System Security Plan (SSP) Attachments becomes not only required, but an essential piece of your authorization package that helps to mitigate supply chain risks. Therefore, CSPs will need to develop a supply chain risk management policy, supply chain risk management procedures, and the accompanying plan/attachment to stay on top of compliance. CSPs will also be required to implement security programs for tamper protection (SR-9), component authenticity (SR-11), supplier assessments / reviews (SR-6) and more to ensure unwavering security.
Policies and Procedures
Every NIST control family reserves the first security control, or -1 control, for establishing the requirements for policies and procedures. Revision 5 provides a significant update to these controls by implementing a new requirement that there is a designated official to manage the development, documentation, and dissemination of each policy and procedure. Furthermore, policies and procedures must now be categorized as organization-level, mission / business process-level, or system-level. As a cloud service provider, it is important to be aware of these requirements and how your organization will need to implement any policy and procedure uplifts.
What You Don’t Have to Worry About
While the new FedRAMP baselines were released in May 2023, Revision 5 of NIST 800-53 was released way back in 2020. This has led to a lot of speculation amongst the FedRAMP community on what could be included in the baselines, and now that they have been released, we can provide definitive answers. Although there is another new control family included in the Revision 5 catalog, the Program Management (PM) family, the FedRAMP PMO has stated that they remain an agency responsibility and are not included in the baselines. Additionally, privacy controls and requirements (and any other controls outside of the FedRAMP baselines) remain at the sponsoring agency’s discretion. Furthermore, many advisors thought that CSPs would be required to exemplify a robust threat hunting capability, however this is not required as the RA-10 control was not included in the baseline updates. Understanding what controls have been selected in the baseline updates is key to delivering a compliant Revision 5 package.
In today's rapidly evolving landscape, cloud service providers need a trusted partner who can seamlessly navigate the intricacies of NIST 800-53 Revision 5 and the FedRAMP baselines at every level of authorization. At InfusionPoints, we possess the expertise and in-depth understanding needed to help you embrace this framework with unwavering confidence. Our team of seasoned professionals is dedicated to delivering tailored solutions that align with your unique requirements. With our extensive knowledge of NIST standards and compliance, we'll collaborate closely with you to conduct a comprehensive review of the new requirements, assess your existing practices, and chart a personalized roadmap towards achieving Revision 5 compliance. We'll help you fortify your cloud environment, mitigate gaps, and ensure that you surpass the stringent expectations set by FedRAMP.
Don't hesitate to take the next decisive step towards a more secure future. Reach out to us today and discover how InfusionPoints can empower your business in the new era of Revision 5.