Deep Dive into Changes to the Risk Assessment Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the Risk Assessment control family that the new baselines bring.

Considerable Changes to the Low, Moderate, and High baselines include:

• Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
• A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
• A requirement to update policies and procedures after specified events
• An addition of categorizing information processed, stored, and transmitted
• An inclusion of privacy considerations during risk assessment and a statement regarding integrating risk assessment results and risk management decisions with system-level risk assessments
• A new control requiring that supply chain risks associated with systems, system components, and system services be assessed
• A new requirement to employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned
• A new control requiring the establishment of a public reporting channel for receiving reports of vulnerabilities in systems and system components
• A new control requiring that organizations respond to findings from security and privacy assessments, monitoring, and audits and determine an appropriate response to risk before adding an entry to the Plan of Actions & Milestones (POA&M)

Considerable Changes to the Moderate and High baselines include:

• Removal of the control requiring to use automated mechanisms to analyze multiple vulnerability scans over time can help determine trends in system vulnerabilities and identify patterns of attack
• Removal of the control requiring that the organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited
• The addition of a new control requiring the identification of critical system components and functions by performing a criticality analysis at specified decision points in the system development life cycle

Considerable Changes to the High baseline include:

• Removal of the control requiring that the organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors

Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey. https://lz.infusionpoints.com/fedramp