Planning for FedRAMP’s NIST SP 800-53 Rev 5 Baseline

Overview of the draft release of NIST SP 800-53 Rev. 5 for FedRAMP

FedRAMP - Major Regulatory Release
(NIST SP 800-53 Rev. 4 to Rev. 5)

Abstract

In 2020, the National Institute of Standards and Technology (NIST) published the final version of SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, and SP 800-53B, Control Baselines for Information Systems and Organizations. These publications are the product of a multi-year effort to integrate security and privacy controls into a single catalog. While the baselines still formally apply only to federal agencies and their information systems, NIST has written Rev. 5 so that it is more readily usable by non-federal and private-sector organizations.

Since then, the FedRAMP PMO has worked with the Joint Authorization Board (JAB) to align the FedRAMP baselines with NIST’s Rev. 5 update (draft most recently published December 21, 2021). As noted in the NIST and FedRAMP PMO notices, the key changes to the security requirements emphasize threat-based, outcome-oriented methodologies, empirical attack data, systems engineering, and supply chain best practices.

This post is intended to give FedRAMP stakeholders (CSPs, 3PAOs, federal agencies, research institutions) better visibility into the FedRAMP draft release of the NIST SP 800-53 Rev. 5 baselines, to support your own analysis of the technical and business impacts ahead of the comment period.

Aggregate FedRAMP View (NIST SP 800-53 Rev. 4 to Rev. 5 Comparison)

In the FedRAMP PMO Rev. 5 blog post, the PMO provided the following control impacts from a comparison of the NIST SP 800-53 Rev. 5 baselines to the FedRAMP PMO Rev. 5 baselines (not a comparison of NIST SP 800-53 Rev. 4 to Rev. 5):
  • Low Baseline – FedRAMP added 1 additional control (above the NIST baseline)
  • Moderate Baseline – FedRAMP added 17 additional controls (above the NIST baseline)
  • High Baseline – FedRAMP added 22 additional controls (above the NIST baseline)
As we evaluated the security controls, we also wanted to capture the impact from NIST SP 800-53 Rev. 4 to Rev. 5 from the FedRAMP PMO security control perspective. The key control count changes proposed are summarized below, with more control detail in Appendix A.

                                                  High      Moderate   Low
                                                  Baseline  Baseline   Baseline
FedRAMP (Rev 4) Baseline                           421        325       125
Controls & Enhancements withdrawn                  -74        -62        -3
  (FedRAMP PMO and NIST)
Subtotal                                           347        263       122
FedRAMP & NIST (Rev 5) Controls Added*             +45        +41       +28
Subtotal                                           392        304       150
Controls withdrawn, but consolidated/merged*       +21        +16        +2
Total                                              413        320       152

*Withdrawn controls consolidated into a new control were not counted twice.
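The accounting behind the table (withdraw, add net-new, then add back the consolidated controls without counting them twice) is easy to get wrong when the Rev. 4 and Rev. 5 baseline spreadsheets spell control identifiers differently ("IA-05 (11)" versus "IA-5(11)"). The Python script below is an added example, not code from the FedRAMP PMO release or from the original post: it normalizes control identifiers, classifies two baselines into the same buckets the table uses, and reproduces the subtotal walk. The control lists and the withdrawn-to-replacement mapping in it are constructed sample data for illustration, not the published baselines or NIST's withdrawal table.

```python
import re
from dataclasses import dataclass

# Added example: baseline delta accounting modelled on the table above.
# The control IDs and the "incorporated into" mapping below are constructed
# sample data; they are not the FedRAMP PMO baseline or NIST's published
# withdrawal mapping.

_ID_RE = re.compile(r"^([A-Z]{2})-0*(\d+)(?:\s*\(\s*0*(\d+)\s*\))?$")


def normalize_id(raw: str) -> str:
    """Canonicalise a control ID so that 'IA-05 (11)' (spreadsheet style)
    and 'IA-5(11)' (document style) compare as the same control."""
    m = _ID_RE.match(raw.strip().upper())
    if not m:
        raise ValueError(f"unrecognised control identifier: {raw!r}")
    family, number, enhancement = m.groups()
    return f"{family}-{number}" + (f"({enhancement})" if enhancement else "")


def classify(old, new, incorporated_into):
    """Split two baselines into the buckets the table uses.

    withdrawn     - in the old baseline but not in the new one
    consolidated  - withdrawn controls whose replacement is in the new baseline
    net_new       - in the new baseline only, excluding consolidation targets,
                    so a merged control is never counted twice
    """
    old = {normalize_id(c) for c in old}
    new = {normalize_id(c) for c in new}
    merged = {normalize_id(k): normalize_id(v) for k, v in incorporated_into.items()}

    withdrawn = old - new
    consolidated = {c for c in withdrawn if merged.get(c) in new}
    targets = {merged[c] for c in consolidated}
    net_new = (new - old) - targets
    return {"withdrawn": withdrawn, "consolidated": consolidated, "net_new": net_new}


@dataclass(frozen=True)
class DeltaSummary:
    start: int
    withdrawn: int
    net_new: int
    consolidated: int

    @property
    def total(self) -> int:
        # Same walk as the table: start, minus withdrawn, plus net-new,
        # plus the consolidated controls added back.
        return self.start - self.withdrawn + self.net_new + self.consolidated


def summarize(old, new, incorporated_into) -> DeltaSummary:
    buckets = classify(old, new, incorporated_into)
    return DeltaSummary(
        start=len({normalize_id(c) for c in old}),
        withdrawn=len(buckets["withdrawn"]),
        net_new=len(buckets["net_new"]),
        consolidated=len(buckets["consolidated"]),
    )


# Constructed sample baselines (mixed ID spellings on purpose).
REV4_SAMPLE = ["AC-02", "AC-02 (10)", "AC-10", "AU-02", "AU-02 (03)",
               "AU-08 (01)", "IA-02", "IA-05 (11)", "IA-08", "IA-08 (03)", "SI-16"]
REV5_SAMPLE = ["AC-2", "AU-2", "IA-2", "IA-2(1)", "IA-8", "IA-8(2)", "SR-3", "SR-11"]
# Illustrative "withdrawn, incorporated into" mapping (an assumption for the
# example, not NIST's withdrawal table).
INCORPORATED_INTO_SAMPLE = {"AC-02 (10)": "AC-02", "AU-02 (03)": "AU-02",
                            "IA-05 (11)": "IA-02 (01)", "IA-08 (03)": "IA-08 (02)"}

if __name__ == "__main__":
    s = summarize(REV4_SAMPLE, REV5_SAMPLE, INCORPORATED_INTO_SAMPLE)
    print(f"start {s.start}, withdrawn -{s.withdrawn}, net-new +{s.net_new}, "
          f"consolidated +{s.consolidated}, total {s.total}")
    for bucket, ids in classify(REV4_SAMPLE, REV5_SAMPLE, INCORPORATED_INTO_SAMPLE).items():
        print(f"{bucket:12s} {sorted(ids)}")
```

Feed it the control ID columns of the two FedRAMP baseline spreadsheets and the "withdrawn, incorporated into" column of NIST's Rev. 5 analysis to reproduce the table; the per-bucket sets from classify() are the starting point for a gap analysis, since each net-new control needs an implementation and each consolidated one needs its existing implementation re-mapped to the new control number.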

The question we are all trying to answer is what the new revision really means in terms of material changes and level of impact to CSPs. The sheer number of controls is one thing, but what each control actually asks for is something else entirely.

FedRAMP Control Parameter Changes

Security control parameter changes should also be taken into consideration when evaluating the security control deltas. Given the timing of the release and the comment deadline, we wanted to get some initial thoughts out now; we will follow up with a post on the parameter changes once the PMO baseline is considered final.

Let Your Voice Be Heard

As published in earlier guidance, the FedRAMP PMO has established a general timeline for how the review process will proceed. It is very similar to the standard NIST publication and release process.

It’s important that the FedRAMP business community get involved to ensure a more refined work product in the end.

  • Cloud Service Providers (CSPs) – understand what is being asked of you. What material differences can you identify? What feedback can you give the FedRAMP PMO to promote a reasonable interpretation of the requirements and the security risk?
  • Third Party Assessment Organizations (3PAOs) – understand the requirements (withdrawn, consolidated, and net-new). Do your own analysis and determine any material changes within the newly proposed baseline. What is missing? How will you advise CSPs on, and test them against, these requirements?
  • Government and research community stakeholders – it is important that your feedback is reflected in the baseline. The more the FedRAMP baseline integrates the viewpoint of the agencies, the more reciprocity is achieved across government.
  • Industry best practice stakeholders – promoting industry best practices within government should be treated as a civic duty. Share your thoughts and insights so that the result truly is the best set of security requirements and practices for government.

The FedRAMP PMO has released an initial draft of the FedRAMP Rev. 5 baselines for your review and comment. As noted in the release, industry feedback will be accepted through info@fedramp.gov, using the feedback format specified in the release, until Friday, April 1, 2022.

Historically speaking, a similar approach was taken when FedRAMP released the initial baseline associated with NIST SP 800-53 Rev. 4. CSPs were given a period of time to review the new controls and provide feedback on whether the parameters were accurate or whether a control should be included in the baseline at all. After that period ended, FedRAMP finalized the baseline for all to use. Even then, adoption was not instantaneous: FedRAMP worked with each CSP to determine at what point in the process it would uplift to the new baseline, because new security controls must first be implemented, and that does not happen overnight. FedRAMP knows this. You will have time to implement the controls and then have them properly tested by your 3PAO.

FedRAMP has not officially said what the transition period will look like, but if history repeats itself, it may look something like this:

  • CSPs with an existing ATO will uplift to the new baseline at their next annual assessment, or the one after, depending on the ATO date.
  • A CSP in the middle of its initial assessment will be allowed to continue under NIST SP 800-53 Rev. 4, but will be expected to uplift to Rev. 5 during its first annual assessment.
  • A CSP in the early stages of FedRAMP preparation that has not started an assessment will be handled according to how early it is in the process. Most likely, these CSPs will need to review the new baseline and build a strategy for implementing the new controls; this will probably be handled case by case between the CSP and the FedRAMP PMO.

Summary

Major releases of the NIST SP 800-53 security guidance do not come along often, and each one takes several years to be fully evaluated, revised, assessed for impact, and implemented.

The number of security controls (plus or minus) does not necessarily equate to level of effort or material impact from a regulatory perspective. The complexity of each control, parameter changes (frequency and how restrictive), and the technical feasibility of implementation for the cloud service provider will drive what these changes mean to the FedRAMP community. Another key aspect to consider is the shared responsibility model with an underlying infrastructure-as-a-service or platform-as-a-service provider: the new baseline will change which controls, or portions of controls, are fully or partially inherited from those providers.

As noted above, take the time to review and provide feedback. You cannot complain about the process if you have not taken the time to respond and be heard.

Our initial review and research are providing a more detailed view into the potential impacts (based on the draft release from the FedRAMP PMO, which is subject to change based on feedback), but further research and discussion will be needed to understand the material impacts. Fortreum will release more content in the future (especially once the publication is final) to help the FedRAMP community understand the full impact of these changes.

Appendix A: Key Control Considerations

Control Family                      Control       Control Name
Identification and Authentication   IA-05 (11)*   Authenticator Management | Hardware Token-based Authentication
Identification and Authentication   IA-08 (03)*   Identification and Authentication | Use of FICAM-Approved Products
System and Information Integrity    SI-16         Memory Protection

*Indicates controls removed from NIST SP 800-53 Rev. 5 but consolidated into another control in the baseline.

Controls Removed from the FedRAMP Moderate Baseline (62)

Control Family              Control       Control Name
Access Control              AC-02 (10)*   Account Management | Shared / Group Account Credential Termination
Access Control              AC-04 (21)    Information Flow Enforcement | Physical / Logical Separation of Information Flows
Access Control              AC-10         Concurrent Session Control
Access Control              AC-17 (09)    Remote Access | Disconnect / Disable Access
Audit and Accountability    AU-02 (03)*   Audit Events | Reviews and Updates
Audit and Accountability    AU-08 (01)    Time Stamps | Synchronization with Authoritative Time Source
Audit and Accountability    AU-09 (02)    Protection Of Audit Infor