Rev5 Transition Update
FedRAMP uses the National Institute of Standards and Technology’s (NIST) guidelines and procedures to provide standardized security requirements for cloud services. Specifically, FedRAMP leverages NIST’s Special Publication (SP) 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations series, including the baselines and test cases.
Last year, NIST released the SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5 (Rev5) catalog of security and privacy controls, and SP 800-53B, Control Baselines for Information Systems and Organizations. In November 2020, FedRAMP released a blog about the steps FedRAMP is taking to revise all applicable FedRAMP materials to align with NIST’s updates.
FedRAMP is still in Step 1: Develop a draft FedRAMP Baseline from NIST SP 800-53 Rev5 Updates. To date, FedRAMP has reviewed all NIST Rev5 baseline controls and created initial recommendations for parameters and additional controls. We are now internally reviewing controls by applying a threat-based methodology. This analysis will help FedRAMP and other key stakeholders reach consensus while limiting the number of controls in our baselines, ensuring that Cloud Service Providers (CSPs) maintain a comprehensive security posture against known and future threats.
In Step 2: Release draft FedRAMP Baselines for Public Comment, we will release our draft baselines for a public comment period of at least 90 days. The date of the public comment period has not been determined and will be announced via the FedRAMP blog.
As we progress towards determining baselines and evaluating potential implementation guidance for CSPs, FedRAMP is taking into consideration the scope of the changes required and the various dependencies across the federal government.