FedRAMP PMO releases Rev 5
On May 30, 2023, the FedRAMP PMO released the finalized Revision 5 baselines, which update the security controls selected for low, moderate, and high-impact systems and come with new templates for the System Security Plan (SSP) and its attachments.
In this blog, we will discuss the changes included in Revision 5 and how InfusionPoints can help cloud service providers (CSPs) prepare for the new requirements.
FedRAMP Revision 5 Changes
One of the key changes, inherited from NIST SP 800-53 Rev. 5 (the catalog the FedRAMP baselines are built on), is the move to outcome-based control statements: each control now states the result to be achieved rather than naming who or what must achieve it, which gives clearer goals and more flexibility in how a control is implemented. This lets a broader range of organizations, including commercial entities, apply the same baselines. The removal of the old priority codes (P0 through P3) likewise leaves organizations freer to sequence control implementation and management according to their own risk picture.
Significant importance is placed on integrating threat-based intelligence and methodologies into control selection. FedRAMP conducted a second round of control scoring in late 2021 to align its Threat-Based Risk Profiling methodology with version 8.2 of the MITRE ATT&CK framework. The first round of scoring had used the NSA/CSS Technical Cyber Threat Framework (NTCTF), which FedRAMP no longer uses. For this alignment, FedRAMP examined each NIST SP 800-53 Rev. 5 control in the FedRAMP High baseline and scored its ability to protect against, detect, and/or respond to each technique in ATT&CK version 8.2.
A new family of controls, called Supply Chain Risk Management, was added to the baseline, reflecting the growing concern over supply chain security, particularly in critical infrastructure and government supply chains. This new family complements the existing controls and highlights the importance of addressing supply chain risks.
Those who reviewed the draft Revision 5 baselines released for public comment in December 2021 will notice differences in the finalized baselines, such as the inclusion of the information spillage response controls (IR-9), which were not in the draft.
Overall, Rev. 5 introduces many new and improved controls, with a focus on smarter cybersecurity operations rather than simply adding more controls. The changes aim to help organizations implement controls that are effective in mitigating risk and achieving desired outcomes.
How Can InfusionPoints Help CSPs Prepare for FedRAMP Revision 5?
Preparing for FedRAMP Revision 5 can be a daunting task for CSPs. Under the FedRAMP transition plan, CSPs must identify the delta between their current Rev. 4 implementation and the Rev. 5 requirements by September 1, 2023. InfusionPoints can provide invaluable assistance in making the necessary updates and preparing for the compliance process. We start by conducting a comprehensive assessment of the CSP's current systems and processes to identify the gaps against the FedRAMP Revision 5 baselines. Based on that assessment, we develop a customized roadmap that outlines the steps needed to achieve compliance with the latest revision of FedRAMP.
InfusionPoints can also guide the CSP in updating its System Security Plan (SSP) documentation, policies, and procedures to align with the latest FedRAMP requirements and provide recommendations on the tools and technologies that the CSP can use to automate compliance processes and improve its security posture.
InfusionPoints is an accredited FedRAMP Third Party Assessment Organization (3PAO) and can perform FedRAMP assessments. With years of experience in FedRAMP, InfusionPoints has the expertise and knowledge to help CSPs achieve FedRAMP authorization.
For CSPs using another firm as their 3PAO, InfusionPoints can also serve as an advisor to provide support to the CSP's team, including attending assessment meetings and providing clarifications on technical issues.
In summary, InfusionPoints can provide a range of services to help CSPs prepare for and achieve FedRAMP Revision 5 compliance, including assessments, roadmap development, documentation updates, tool recommendations, and ongoing support. Working with InfusionPoints can make the compliance process smoother and less stressful for CSPs, allowing them to focus on their core business operations.