System and Information Integrity Deep Dive

Deep Dive into Changes to the System and Information Integrity Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 (NIST SP 800-53 Rev. 5). This post takes a closer look at what the new baselines change in the System and Information Integrity (SI) control family, broken out by the baselines (Low, Moderate, High) each change affects.

Notable changes to the Low, Moderate, and High baselines (SI-1, Policy and Procedures):

  • Policies and procedures must now be designated as organization-level, mission/business process-level, or system-level (or a combination of these)
  • A designated official must manage the development, documentation, and dissemination of the SI policy and procedures
  • Policies and procedures must be reviewed and updated following organization-defined events, in addition to the periodic review already required

Notable changes to the Moderate and High baselines:

  • SI-2(2): a new parameter specifying the automated mechanisms used to determine the flaw remediation state of system components (which components have the applicable security-relevant updates installed)
  • SI-3(1): the enhancement requiring that malicious code protection mechanisms be centrally managed is withdrawn (Rev. 5 incorporates it into PL-9, Central Management)
  • SI-3(2): the enhancement requiring that malicious code protection mechanisms update automatically is withdrawn (incorporated into the base SI-3 control)
  • SI-3(7): the enhancement requiring nonsignature-based malicious code detection mechanisms is withdrawn (incorporated into the base SI-3 control)
  • SI-4(4): a new parameter specifying the unusual or unauthorized activities or conditions to look for when monitoring inbound and outbound communications traffic
  • SI-7: new control text requiring that defined actions be taken when unauthorized changes to software, firmware, and information are detected, not only that such changes be detected
  • SI-8(1): the enhancement requiring that spam protection mechanisms be centrally managed is withdrawn (incorporated into PL-9)
  • SI-8(2): a new parameter defining the frequency at which spam protection mechanisms are automatically updated

Where Rev. 5 withdraws an enhancement, NIST folded its text into another control (the base control, or PL-9 for central management) rather than dropping it outright; whether the requirement still applies to a given system depends on whether the receiving control is selected in the applicable FedRAMP baseline, so check that mapping before retiring an existing implementation.

Notable changes to the Moderate baseline:

  • SI-4(14): the enhancement requiring a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches of the system is removed from the Moderate baseline

Notable changes to the High baseline:

  • SI-2(1): the enhancement requiring central management of the flaw remediation process is withdrawn (incorporated into PL-9, Central Management)
  • SI-4(10): a new enhancement requiring provisions so that encrypted communications traffic is visible to system monitoring tools and mechanisms (for example, by terminating TLS at a monitored boundary or by monitoring at an endpoint where the plaintext is available)
  • SI-4(12): a new enhancement requiring that automated mechanisms alert designated personnel or roles when indications of inappropriate or unusual activities with security or privacy implications occur
  • SI-4(18): the enhancement requiring analysis of outbound communications traffic at the external boundary and at interior points within the system to detect covert exfiltration of information is removed from the High baseline
  • SI-4(24): the enhancement requiring the system to discover, collect, distribute, and use indicators of compromise is removed from the High baseline
  • SI-7(14): the enhancement prohibiting binary or machine-executable code from sources with limited or no warranty and without the provision of source code (with exceptions only for compelling mission/operational requirements approved by the authorizing official) is removed from the High baseline
  • SI-7(15): a new enhancement requiring cryptographic mechanisms (for example, digital signature verification against a trusted publisher key) to authenticate specified software or firmware components prior to installation
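
Two of the items above describe concrete technical controls rather than policy: SI-7(15), authenticate software or firmware cryptographically before installing it, and the new SI-7 text in the Moderate/High list, take defined actions when an unauthorized change is detected. The Go program below is an added illustration of both written for this post; it is not code from the FedRAMP PMO, NIST, or InfusionPoints, and it assumes a publisher that signs components with Ed25519, a trusted public key already provisioned on the target, an in-memory map standing in for the install location, and a constructed sample firmware image with hypothetical file names. The install gate refuses anything whose signature does not verify (a payload altered after signing, or a valid signature from an untrusted key), records a SHA-256 baseline of what it did install, and a later integrity check invokes the organization-defined response for each component that no longer matches.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Artifact is a software or firmware component as delivered to the installer:
// the payload plus a detached Ed25519 signature from its publisher.
type Artifact struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned when a component does not verify under the trusted key.
var ErrBadSignature = errors.New("signature does not verify under the trusted publisher key")

// VerifyBeforeInstall is the SI-7(15) gate: the component reaches the installer
// only if its signature verifies under a public key the organization already
// trusts. The installer is a callback so nothing is written when verification fails.
func VerifyBeforeInstall(trusted ed25519.PublicKey, a Artifact, install func(Artifact) error) error {
	if !ed25519.Verify(trusted, a.Payload, a.Signature) {
		return fmt.Errorf("%s: %w", a.Name, ErrBadSignature)
	}
	return install(a)
}

// Baseline maps component names to the SHA-256 of their known-good contents,
// recorded at install time so later checks can detect unauthorized changes.
type Baseline map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// CheckIntegrity compares current contents with the baseline and calls the
// organization-defined response for each component that is missing or changed
// (the new SI-7 "take actions" text). It returns those names, sorted.
func CheckIntegrity(base Baseline, current map[string][]byte, respond func(name string)) []string {
	var changed []string
	for name, want := range base {
		got, present := current[name]
		if !present || digest(got) != want {
			changed = append(changed, name)
			respond(name)
		}
	}
	sort.Strings(changed)
	return changed
}

// Demo runs the whole flow on constructed sample data (hypothetical file names
// and a made-up firmware image, not real artifacts) and returns what was
// installed, what was rejected, and what was later found changed.
func Demo() (installed, rejected, changed []string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)      // key the organization trusts
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader) // a key it does not

	good := []byte("constructed sample firmware image v2")
	tampered := append(append([]byte{}, good...), '!') // altered after signing
	artifacts := []Artifact{
		{Name: "fw-v2.bin", Payload: good, Signature: ed25519.Sign(priv, good)},
		{Name: "fw-v2-tampered.bin", Payload: tampered, Signature: ed25519.Sign(priv, good)},
		{Name: "fw-v2-impostor.bin", Payload: good, Signature: ed25519.Sign(impostorPriv, good)},
	}

	disk := map[string][]byte{} // stands in for the install target
	base := Baseline{}
	install := func(a Artifact) error {
		disk[a.Name] = a.Payload
		base[a.Name] = digest(a.Payload) // record the known-good hash at install time
		return nil
	}
	for _, a := range artifacts {
		if err := VerifyBeforeInstall(pub, a, install); err != nil {
			rejected = append(rejected, a.Name)
			continue
		}
		installed = append(installed, a.Name)
	}

	// Later, something modifies the installed image without going through the gate.
	disk["fw-v2.bin"] = append(append([]byte{}, disk["fw-v2.bin"]...), " (modified)"...)
	changed = CheckIntegrity(base, disk, func(name string) {
		// Organization-defined action: alert here; quarantine, restore, or block in practice.
		fmt.Printf("ALERT: unauthorized change to %s\n", name)
	})
	return installed, rejected, changed
}

func main() {
	installed, rejected, changed := Demo()
	fmt.Println("installed:", installed)
	fmt.Println("rejected:", rejected)
	fmt.Println("changed:", changed)
}
```

Running it installs only fw-v2.bin, rejects the tampered and impostor copies, and then raises a single alert for fw-v2.bin after the out-of-band modification. The design point for an assessor is that the two checks are separate: signature verification answers "did a trusted publisher produce these exact bytes" at install time, while the baseline comparison answers "are the installed bytes still what we accepted" afterwards, and the response hook is where the organization-defined action the new SI-7 text asks for gets plugged in.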


Check back here for more deep dives into the changes in each control family and for updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey: https://lz.infusionpoints.com/fedramp