Skip to main content

Blog

Rev. 5 - Additional Documents Released

June 30 | 2023

Rev. 5 - Additional Documents Released

The next wave of updated Rev. 5 documents has been released. This is the third wave of documents and templates released by FedRAMP to support the transition and compliance from Rev. 4 to Rev. 5 of the National Institute of Standards and Technology’s Special Publication (SP) 800-53 Rev. 5 Catalog of Security and Privacy Controls for Information Systems and Organizations and SP 800-53B Control Baselines for Information Systems and Organizations. For information on the previously-released documents, please see the FedRAMP blog page.

The documents and templates released today are outlined below and can be found on the Rev. 5 Transition page. This release includes all artifacts required to plan for and develop a Rev. 5 package for an initial assessment, annual assessment, and readiness assessment.

  • FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template
  • FedRAMP OSCAL Templates, OSCAL Registry, OSCAL Implementation Guides
  • FedRAMP System Security Plan (SSP) Template (“front matter” sections for all baselines)
    • Appendix A: FedRAMP Security Controls templates (all baselines)
    • Appendix F: Rules of Behavior (RoB) Template
    • Appendix G: ISCP Template
    • Appendix J: CIS and CRM Workbook Template
    • Appendix M: Integrated Inventory Workbook Template
    • Appendix Q: Cryptographic Modules Table
  • FedRAMP Security Assessment Plan (SAP) Template
    • Appendix A: Security Test Case Procedures Templates (Low, Moderate, High)
  • FedRAMP Security Assessment Report (SAR) Template
    • Appendix A: FedRAMP Risk Exposure Table (RET) Template
  • FedRAMP Moderate and High Readiness Assessment Report (RAR) Templates
  • 3PAO Readiness Assessment Report Guide
  • FedRAMP Laws, Regulations, Standards, and Guidance Reference

The FedRAMP team has been improving documentation through streamlining content, removing duplicative information, and addressing common issues; therefore, significant updates were made to core FedRAMP security package templates (SSP, SAP, SAR). There is now one template each for the SSP, SAP and SAR. The same SSP template will be used for the “front matter” sections, with the appropriate control baseline added as an appendix. There are no longer separate SAP/SAR templates for Initial and Annual Assessments; they have been combined. The new SAP/SAR templates can also be used for Significant Change Requests. We also included more Instructional text to help CSPs and 3PAOs understand what is expected in each section of the templates.

If you have any questions, please email info@fedramp.gov and/or join our weekly Rev. 5 Office Hours every Wednesday through July 26 from 12:00 -1:00PM.

We request that you submit your questions in advance of the Office Hours by filling out this form. Please note this question should benefit the larger Rev. 5 stakeholder community. Questions about a specific Rev. 5 requirement or scenario should be directed to info@fedramp.gov.

You can also find answers to questions in the Rev. 5 section of the FedRAMP FAQ page.

Back to Blogs