FedRAMP - Major Regulatory Release
(NIST SP 800-53 Rev. 4 to Rev. 5)
Abstract
In 2020, the National Institute of Standards and Technology (NIST) published the final version of SP 800-53 Revision 5 and SP 800-53B, Control Baselines for Information Systems and Organizations. This represents a multi-year effort to integrate security and privacy controls into a single, more representative catalog. While the framework natively still applies only to federal agencies and their information systems, NIST is encouraging adoption of the document by non-federal and private organizations as well.
The FedRAMP PMO has since worked with the Joint Authorization Board (JAB) over that time to further develop the FedRAMP baselines in alignment with NIST’s Rev. 5 update (draft most recently published December 21, 2021). As noted in NIST and FedRAMP PMO notices, key changes to the security requirements are more on threat-based methodologies (outcome based), empirical attack data, systems engineering, and supply chain best practices.
This post is intended to give FedRAMP stakeholders (CSPs, 3PAOs, federal agencies, research institutions) better visibility into the FedRAMP draft baseline built on NIST SP 800-53 Rev. 5, to assist in your own analysis of the technical and business impacts ahead of the upcoming comment period.
Aggregate FedRAMP View (NIST SP 800-53 Rev. 4 to Rev. 5 Comparison)
- Low Baseline – FedRAMP added 1 additional control (above the NIST baseline)
- Moderate Baseline – FedRAMP added 17 additional controls (above the NIST baseline)
- High Baseline – FedRAMP added 22 additional controls (above the NIST baseline)
 | High Baseline | Moderate Baseline | Low Baseline |
FedRAMP (Rev 4) Baseline | 421 | 325 | 125 |
Controls & Enhancements withdrawn (FedRAMP PMO and NIST) | -74 | -62 | -3 |
Subtotal | 347 | 263 | 122 |
FedRAMP & NIST (Rev 5) Controls Added* | +45 | +41 | +28 |
Subtotal | 392 | 304 | 150 |
Controls withdrawn, but consolidated/merged* | +21 | +16 | +2 |
Total | 413 | 320 | 152 |
*Withdrawn controls consolidated into a new control were not counted twice.
FedRAMP Control Parameter Changes
Security control parameter changes should also be taken into consideration when evaluating the security control deltas. Given the timing of the release and the feedback window, we wanted to get some initial thoughts out now. We will follow up this blog with the parameter changes once the PMO baseline is considered final.
Let Your Voice Be Heard
Published in earlier guidance – the FedRAMP PMO has established a general timeline on how the review process will proceed. This is very similar to the standard NIST publications/releases.
It’s important that the FedRAMP business community gets involved to ensure a more refined work product in the end.
- Cloud Service Providers (CSP) – look to understand what’s being asked of you. What material differences can you identify? What feedback can you give the FedRAMP PMO to promote a reasonable interpretation of the requirements and security risk?
- Third Party Assessment Organizations (3PAO) – understand the requirements (withdrawn, consolidated, and net-new). Do your own analysis and determine any material changes within the new proposed baseline. What’s missing? How do you advise or test the CSP’s against these requirements?
- Government direct and research community stakeholders – it’s really important that your feedback is part of the baseline. The more integrated the FedRAMP baseline is from the viewpoint of an agency, the more reciprocity is achieved across government.
- Industry Best Practice stakeholders – promoting industry best practices within our government should be a civic duty. Share your thoughts and insights to ensure these truly are the best security requirements and practices for government.
The FedRAMP PMO has released an initial draft of the FedRAMP Rev. 5 for your review and comment. As noted in the release, industry feedback will be accepted through info@fedramp.gov via this format by Friday, April 1, 2022.
Historically speaking, a similar approach was taken when FedRAMP released the initial baseline associated with NIST SP 800-53 Rev. 4. CSPs were given a period of time to review the new controls and provide feedback on whether the parameters were accurate or whether a control should even be included in the baseline. After that period came and went, FedRAMP finalized its baseline for all to use. Even then, adoption was not instantaneous. FedRAMP worked with each CSP to determine at what point in the process they would uplift to the new baseline. This is primarily because new security controls must first be implemented, and that just doesn’t happen overnight. FedRAMP knows this. You will have time to implement the controls and then have them properly tested by your 3PAO.
FedRAMP has not officially said what that time period will look like, but if history repeats itself, it may look something like this:
- CSPs with an existing ATO will uplift to the new baseline at their next annual, or the one after, depending on the ATO date
- If a CSP is in the middle of their initial assessment, they will be allowed to continue under NIST SP 800-53 Rev. 4, but will be expected to uplift to Rev. 5 during their first annual
- If a CSP is in the early stages of FedRAMP preparation and has not started an assessment, it will truly depend on how early it is in the process. Most likely, however, these CSPs will need to look at the new baseline and have a strategy for how those new controls will be implemented. This will probably be handled on a case-by-case basis between the CSP and the FedRAMP PMO.
Summary
Major releases of the NIST SP 800-53 security guidance do not come along often, and they take several years to be fully evaluated, revised, assessed for impact, and implemented.
The number of security controls (plus or minus) does not necessarily equate to level of effort or material impact from a regulation perspective. The complexity of each control, parameter changes (frequency and how restrictive they are), and the technical feasibility for the cloud service provider to implement them are what will drive what these regulations mean to the FedRAMP community. Another key aspect to consider is the shared responsibility model with the underlying infrastructure-as-a-service or platform-as-a-service provider. This new baseline will change the number of controls, or portions of controls, that are fully or partially inherited from these providers.
As noted above, take the time to review and provide feedback. You can’t complain about the process if you haven’t taken the time to respond and be heard.
Our initial review and research are providing a more detailed view into potential impacts (Draft release from the FedRAMP PMO – subject to change based on feedback), but further research and discussions will be needed to better understand material impacts. Fortreum will look to release more content in the future (especially once this publication is final) to assist the FedRAMP community in understanding the full impacts of these changes.
Appendix A: Key Control Considerations
Control Family | Control | Control Name | Enhancement Name |
Identification and Authentication | IA-05 (11)* | Authenticator Management | Hardware Token-based Authentication |
Identification and Authentication | IA-08 (03)* | Identification and Authentication | Use of FICAM-Approved Products |
System and Information Integrity | SI-16 | Memory Protection | |
*Indicates controls removed from NIST SP 800-53 Rev. 5 but consolidated into another control in the baseline.
Controls Removed from the FedRAMP Moderate Baseline (62)
Control Family | Control | Control Name | Enhancement Name |
Access Control | AC-02 (10)* | Account Management | Shared / Group Account Credential Termination |
Access Control | AC-04 (21) | Information Flow Enforcement | Physical / Logical Separation of Information Flows |
Access Control | AC-10 | Concurrent Session Control | |
Access Control | AC-17 (09) | Remote Access | Disconnect / Disable Access |
Audit and Accountability | AU-02 (03)* | Audit Events | Reviews and Updates |
Audit and Accountability | AU-08 (01) | Time Stamps | Synchronization with Authoritative Time Source |
Audit and Accountability | AU-09 (02) | Protection of Audit Information | Store on Separate Physical Systems or Components |
Security Assessment and Authorization | CA-02 (02) | Control Assessments | Specialized Assessments |