FedRAMP Adds Three New Control Families to Catalog
If you’re currently preparing for FedRAMP Revision 5, or trying to work out whether its new requirements apply to your organization, you may be wondering how exactly Rev 5 differs from its predecessor – and rightly so.
While the primary difference is the introduction of a threat-based methodology, which will reduce the total number of controls, Rev 5 does add a series of new control families to its roster.
What are the new control families?
FedRAMP Revision 5 introduces three new control families: Supply Chain Risk Management, Personally Identifiable Information Processing and Transparency, and Program Management.
Supply Chain Risk Management (SR)
The new SR family under FedRAMP Rev 5 is essentially an expansion of Rev 4’s high baseline control SA-12, or Supply Chain Protection. Once adopted, this will require Cloud Service Providers (CSPs) to have a Supply Chain Risk Management Plan, and corresponding procedures and personnel, in place.
Personally Identifiable Information Processing and Transparency (PT)
Privacy and amplified efforts to protect it are a hallmark of Revision 5. As such, the PT control family addresses privacy risk management, which is currently included in Revision 4’s Privacy Control Catalog, Appendix J.
Program Management (PM)
Like the two previous families, the PM control family expands upon current FedRAMP provisions. In this case, it builds upon the Information Security Program Management controls included in Appendix G of Revision 4.
Why are these families being added?
FedRAMP, like many other compliance bodies, uses NIST guidelines as its baseline standard. Accordingly, when NIST SP 800-53 Revision 5 was released in fall 2020, compliance frameworks built on NIST standards, FedRAMP among them, quickly announced pending revisions of their own to align with the new guidelines.
How will these families affect my cybersecurity and compliance needs?
In addition to these new control families, FedRAMP Rev 5 also introduces a threat-based methodology and increased requirements dedicated to protecting privacy. Organizations bound to comply with FedRAMP (or any framework following NIST standards, for that matter) will need to review their current programs and update all of their documentation to account for the new requirements. This is essential because once the revision is fully adopted, all parties subject to it will need to achieve compliance shortly thereafter.
When will Revision 5 take effect?
FedRAMP Rev 5 closed for public feedback on April 1st, which means FedRAMP is currently reviewing all comments and making any corresponding edits. Our team expects the final portion will be released in summer 2023, giving organizations a year to adjust their compliance programs.
Need help reviewing or getting ready for Rev 5? Get in touch with a member of our team below.