FedRAMP’s Latest Changes and Expectations

FedRAMP’s Changes: What Exactly Does It Mean?

Everything changes, which means nothing stays the same. The Federal Risk and Authorization Management Program (FedRAMP) has encountered changes, and those changes mean that requirements are not the same for Cloud Service Providers (CSPs) who provide or plan to provide cloud service offerings (CSOs) to U.S. Government agencies.

Effective FY 2023, the FedRAMP Joint Authorization Board (JAB) approved the FedRAMP Rev. 5 baselines, which makes U.S. contractors responsible for paying strict attention to the services they offer to government entities; this applies to CSPs because the services they offer codify the FedRAMP Authorization Act (the “Act”). The newly implemented changes include several new security measures such as changes to control totals, the integration of new privacy considerations, notable control families, and guidance not featured in Rev 4; all of which reinforce cloud protective protocols.

What is Rev. 5?

Rev. 5 refers to the fifth revision of the security and privacy controls catalog of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

What are the New Changes?

FedRAMP’s newest changes consist of transitioning from NIST 800-53 Rev. 4 to Rev. 5 baselines. NIST changed the requirement in Rev. 5, which now utilizes a Threat-based Methodology to assess each control’s ability to prevent, detect, and respond to the adversary techniques found in the MITRE ATT&CK Framework. “Within Rev. 5, FedRAMP has modified the requirement to implement a Controlled Access Area (CAA). The changes in Rev. 5 make compliance with the physical protection requirements considerably easier to attain.”

Another change lies with the Federal Secure Cloud Advisory Committee (FSCAC). This committee now provides general recommendations regarding FedRAMP and cloud services procurement.

Understanding the New Changes

Sometimes change can be confusing, but this change for FedRAMP is important to the overall enhancement of security measures of data and information systems; it makes for a sound security plan. As a result, understanding the significance of the new changes is necessary. Keep in mind the differences that exist in the NIST SP 800-53 Rev. 5; the major revision includes new baselines, test cases, and guidance on completing security assessments and reporting.

What Does the Change Mean for CSPs?

Cloud service providers are essential to the FedRAMP process; they offer cloud-based products and services to their customers, and they must have FedRAMP approval to work with government agencies. The new change means that “CSPs must implement these security controls, enhancements, parameters, and requirements within a cloud computing environment to satisfy FedRAMP requirements.”

Also, under the new legislation, CSPs can now function with a “presumption of adequacy.” This means that as long as a CSP has authorization with one agency, they can use that same authorization with other agencies.

What Must a CSP Do Differently?

Cloud Service Providers are an essential part of FedRAMP’s latest changes. Since the NIST 800-53 Rev. 5 transition strategy went into effect May 30, 2023, the requirements and timeline for CSPs to transition to the FedRAMP Rev. 5 baseline (and its templates) depend on the CSP’s current FedRAMP authorization phase. The proper timeline is determined by which phase the CSP is in: Planning, Initiation, or Continuous Monitoring.

• For CSPs in the Planning Phase, they will implement the new Rev. 5 baseline requirements and use updated FedRAMP templates. Also, they will test all new Rev. 5 controls before submitting a package for authorization.

• For CSPs in the Initiation Phase, they will determine and identify the gaps that exist between the Rev. 4 implementation and the Rev. 5 requirements. Also, CSPs will develop plans including implementation and testing schedule(s) to address these gaps. In addition, CSPs document those plans in the System Security Plan (SSP) and Plan of Action & Milestones (POA&M) and post them to the CSP’s package repository. Afterwards, plans are updated based on leveraged CSP information (e.g., shared controls). Once the plans are updated, customers can use CSP schedules and Customer Relationship Management (CRM) schedules to understand planned changes for their own implementation plans. Finally, during the POA&M management process and/or next Annual Assessment (as applicable), CSPs will assess the implementation of the Rev. 4 to Rev. 5 transition plan. Implementation of the Rev. 5 controls must be completed by the next Annual Assessment to support testing of the control implementation.

• CSPs in the Continuous Monitoring Phase, (after they have identified any existing gaps) will proceed to develop plans (including implementation and testing schedules) to address the gaps. Then they will document those plans in the SSP and POA&M (and post them to the CSP’s package repository).
  By October 2, 2023, they will update plans based on leveraged CSP information (e.g., shared controls). At this time, customers can use CSP schedules and CRMs to understand planned changes for their own implementation plans.
  During the POA&M management process and/or next Annual Assessment (as applicable), CSPs will assess the implementation of the steps above. Those CSPs with their last assessment completed between January 2, 2023 and July 3, 2023, have at maximum one year from the date of their last assessment to complete all implementation and testing activities. Those CSPs with an annual assessment scheduled between July 3, 2023, and December 15, 2023, will complete all implementation and testing activities no later than their next scheduled annual assessment in 2023/24.

[1] Anitian. 2023 FedRAMP Timeline Milestones: Critical Deadlines Growing Companies Must Know. January 26, 2022. 2023 FedRAMP Timeline and Milestones critical to Vendors | Anitian

[2] Covington & Burling LLP. FY23 NDAA: Provisions of Interest for Almost All Government Contractors. Covington Alert. December 23, 2022. FY23 NDAA: Provisions of Interest for Almost All Government Contractors | Covington & Burling LLP

[3] FedRAMP. FedRAMP Baseline Revision 5 Transition Plan, Transition to the FedRAMP: Baselines Based on NIST SP 800-53 Revision 5. May 30, 2023. FedRAMP Baselines Rev 5 Transition Guide.

[4] FedRAMP. Frequently Asked Questions. Find Answers to FedRAMP FAQs | FedRAMP.gov

[5] FedRAMP. The Rev. 5 Approach to SC-8, and Protecting Data-in-Transit. July 13, 2023. The Rev. 5 Approach to SC-8, and Protecting Data-in-Transit | FedRAMP.gov

[6] FedRAMP. Rev. 5 - Additional Documents Released. Rev 5 Updated. June 30, 2023. Rev. 5 - Additional Documents Released | FedRAMP.gov

[7]FedRAMP. Rev. 5 Baselines Have Been Approved and Released! May 30, 2023. Rev. 5 Baselines Have Been Approved and Released! | FedRAMP.gov

[8] Krishan, Nihal. FedRAMP Reform Measures Enacted as Biden Signs NDAA into Law. December 23, 2022. FedRAMP reform measures enacted as Biden signs NDAA into law | FedScoop

[9] Newberry, Christina. FedRAMP Certification: What Is It, Why It Matters, and Who Has It? May 29, 2023. FedRAMP Certification: What Is It, Why It Matters, and Who Has It (hootsuite.com)

[10] Waddell, Nate. FedRAMP Revision 5 Explained. 2023. FedRAMP Revision 5 Explained | Schellman