Deep Dive into Changes to the System and Services Acquisition Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the System and Services Acquisition control family that the new baselines bring.

Considerable Changes to the Low, Moderate, and High baselines include:

• Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
• A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
• A requirement to update policies and procedures after specified events
• An addition of determining privacy requirements for the system during mission and business process planning
• An addition of incorporating privacy considerations during the system development life cycle
• A requirement to include privacy functional, assurance, and documentation requirements into acquisition contracts
• A new parameter requiring specifying applicable systems security and privacy engineering principles
• A new control requiring that system components be replaced when the support for the components are no longer available from the developer, vendor, or manufacturer, unless an alternative source for continued support of the components can be provided

Considerable Changes to the Moderate and High baselines include:

• Removal of the control requiring the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness
• Removal of emphasis on identification of the functions, ports, protocols, and services intended for organizational use only during early stages in development life cycle
• Removal of the control requiring that an organizational assessment of risk be conducted prior to the acquisition or outsourcing of dedicated information security services
• Removal of the control requiring that acquisition or outsourcing of dedicated information security services is approved by designated personnel
• Removal of the control requiring that the organization employs security safeguards to ensure that the interests of external service providers are consistent with and reflect organizational interests
• Removal of the control requiring that the developer of the system enables integrity verification of software and firmware components
• An addition of a new parameter requiring specifying the frequency of performing unit, integration, system, and/or regression testing
• Removal of a control requiring the developer of the system to employ static code analysis tools to identify common flaws and document the results of the analysis
• Removal of a control requiring the developer of the system to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service
• Removal of the control requiring the developer of the system to employ dynamic code analysis tools to identify common flaws and document the results of the analysis
• An addition of a new control requiring the developer of the system to perform a criticality analysis at specific decision points in the system development life cycle

Considerable Changes to the Moderate baseline include:

• Removal of the control requiring that the organization restricts the location information processing; information/data; information system services to specific locations based on specific requirements or conditions
• An addition of a control requiring the developer of the system to follow a documented development process that explicitly addresses security requirements, identifies the standards and tools used in the development process, and documents the specific tool options and configurations used in the development process
• An addition of a control requiring the developer of the system to review the development process, standards, tools, and tool options and configurations to determine if they satisfy security requirements

Considerable Changes to the High baseline include:

• Removal of the control requiring that the organization protects against supply chain threats to the system by employing security safeguards as part of a comprehensive, defense-in-breadth information security strategy (this control has been incorporated into the new Supply Chain Risk control family)
• A new control requiring that the developer of the system has appropriate access authorizations and satisfies specific personnel screening criteria

Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey. https://lz.infusionpoints.com/fedramp