FedRAMP Revision 5 has been Released!

The FedRAMP Joint Authorization Board has approved the FedRAMP Revision 5 baselines to align with Revision 5 of the National Institute of Standards and Technology (NIST) Special Publication 800-53. At a high level, the changes include the following:

  • Aligns security controls with NIST 800-53 Revision 5 and adds guidance for many of the controls.
  • Privacy controls remain at the agency’s discretion.
  • Program Management (PM) controls remain an agency responsibility and are therefore not included in the baselines.
  • Adds a new Supply Chain Risk Management (SR) control family, taking the total number of control families from 17 to 18. The SR family requires its own policy and procedures, and its new controls must be implemented and added to the updated System Security Plan (SSP) template.
  • Adds a new requirement that organizations identify a documentation manager and categorize policies and procedures by system, organization, mission or business process.
  • Updated documentation templates as well as FedRAMP OSCAL baseline catalogs.

FedRAMP has made available a transition plan for moving to the updated standard, which also provides a suggested timeline. This plan will become part of the FedRAMP package to show how you will transition to Rev. 5. All Cloud Service Providers (CSPs) will be required to align with the Rev. 5 baselines based on the guidance within the transition plan. If you are still in the planning stages and have not started your Third-Party Assessment review, you will need to adopt Revision 5 now.

Documentation Updates:

The following new FedRAMP documentation templates are scheduled to be released by June:

  • System Security Plan (SSP)
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Plan of Action and Milestones (POA&M) for High, Moderate, Low, and LI-SaaS baselines
  • Corresponding FedRAMP OSCAL SSP, SAP, SAR, and POA&M guides

BSC will continue to provide new information, as it becomes available, on our website: https://www.passfisma.com/fedramp-3.html. BSC can help with your FedRAMP readiness and/or transition to Revision 5. BSC can provide a detailed FedRAMP Gap Analysis so you know where you stand with each control, and can help prepare the FedRAMP package that you’ll need to become FedRAMP authorized.