Everyone has been waiting a long time, but it’s finally here! FedRAMP has released the FedRAMP Revision 5 Baselines and Transition Plan! For those new to FedRAMP and its involved process, FedRAMP is the Federal Risk and Management Program. Its purpose is to provide the US Federal Government with a cybersecurity assessment framework that is consistent across all of government. Established in 2011, the intent was “to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.”
The FedRAMP control baseline is based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, and everyone has been asking when FedRAMP would be updated to accommodate the current NIST SP 800-53, Revision 5 that was originally published in September 2020 and updated in December 2020.
The 3 main questions everyone involved with FedRAMP has been asking the FedRAMP Program Management Office have been:
When will the Revision 5 control baseline for FedRAMP be released? (Spoiler, it is here, and already relevant)
What will the transition timeline look like for Cloud Solution Providers (CSPs) to become compliant?
What are the transition requirements to demonstrate compliance with the new control baselines?
The FedRAMP Baseline Revision 5 Transition Guide provides the answers to these questions.
The guide is based on 3 assumptions:
The CSP is currently compliant with, or working towards compliance with, FedRAMP based on NIST SP 800-53, Rev. 4.
CSPs providing Infrastructure as a Service (IaaS) services will be transitioning all services and components included in the boundary for authorization for NIST SP 80-53, Rev. 5 compliance.
CSPs will be required to identify the impact and risks associated with leveraging IaaS and/or Platform as a Service (PaaS) services that have not yet become FedRAMP NIST SP 800-53, Rev. 5, compliant.
The Revision 5 transition strategy goes into effect 30 May 2023. The transition strategy CSPs in one of three phases, Planning, Initiation, and Continuous Monitoring. At a high level this refers to CSPs not authorized but haven’t started their FedRAMP Assessment, CSPs currently undergoing an assessment, and those CSPs with a FedRAMP Authorization, respectively. Further details in which phase CSP falls under can be found in the Transition Strategy Guide.
For those CSPs in this phase, the new Revision 5 templates and controls requirements are in effect for your initial FedRAMP Authorization Assessment as of 30 May 2023. Meaning a CSP must implement the new Revision 5 baseline, use updated FedRAMP templates, and be assessed against the entire Revision 5 baseline before submitting a package for authorization.
For those CSPs in this phase, CSPs will be assessed against the Revision 4 baseline and use the current FedRAMP templates. However, by 1 September 2023 or prior to the issuance of an Agency ATO or JAB P-ATO, whichever is latest, the CSP must identify the delta between their current Revision 4 implementation and the Revision 5 requirements. This means the CSP must develop plans (including implementation and testing schedule(s)) to address the delta; document those plans in their SSP and POAM; and update those plans based on leveraged CSP information. The CSP will also be expected to assess the implementation of the Revision 4 to Revision 5 transition plan and the implementation of the Revision 5 controls must be assessed during the next Annual Assessment.
Continuous Monitoring Phase:
For those CSPs in this phase, as with the “Initiation” phase, identification of the delta between Revision 4 and Revision 5, plan development, etc. must be completed by 1 September 2023. Additionally, updates to plans based on leveraged CSP information should be completed by 2 October 2023. Regarding an authorized CSP’s initial or annual assessment, if the CSP’s last assessment was completed between 2 January 2023 and 3 July 2023, the CSP has a maximum of one year from the date of their last assessment to complete all implementation and testing activities. If the annual assessment is scheduled between 3 July 2023 and 15 December 2023, all implementation and testing activities must be completed no later than the CSP’s next scheduled annual assessment.
As everyone becomes familiar with this transition more details and practical considerations will be forthcoming. For those navigating the FedRAMP landscape please reach out to trusted advisors and 3PAOs to make sure you understand the ramifications and impacts to your strategic goals in pursuing or maintaining a FedRAMP Authorization.
For more detail about the transition to revision 5, check out our FedRAMP Revision 4 to Revision 5 Transition Guidebook.
RISCPoint is a partner-owned, industry leading cybersecurity and compliance consultancy. We are a tight-knit team of experienced professionals that focus on integrating seamlessly with our clients to harmonize their security and compliance obligations with their business success. RISCPoint’s team of experienced advisors deliver a comprehensive suite of FedRAMP services designed to guide your unique cloud solution through a successful initial and continued authorization. To learn more, visit riscpoint.com/contact