An Update to FedRAMP’s Low, Moderate, and High Baseline SA-4 Controls and IR-3 High Baseline
The Federal Risk and Authorization Management Program (FedRAMP) provides standardized security requirements for the authorization and ongoing cybersecurity of cloud services. Cloud technology and the security landscape are dynamic and change over time, so it’s important that the program regularly reviews and updates the FedRAMP security authorization requirements in order to keep pace with technology advances and new security threats.
The Joint Authorization Board (JAB) is required by its governing guidance to “Define and regularly update the FedRAMP security authorization requirements in accordance with the Federal Information Security Management Act of 2002 (FISMA) and DHS guidance”. The JAB has updated the SA-4 control parameter within the Low, Moderate, and High Baselines, specifying the following requirement in the SA-4 Additional FedRAMP Requirements and Guidance section:
- The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).
This update is effective immediately and applies to all cloud products and services that are authorized or in process of achieving a FedRAMP Authorization. Cloud Service Providers (CSPs) will be required to have a plan for implementation within 30 days and to be fully implemented within six (6) months.
Additionally, the following updates were made to the Incident Response Testing High baseline control (IR-3):
- IR-3-2 Requirement:
The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to tests commencing.
The parameter for IR-3-1 has also been amended to: “at least every six (6) months, including functional at least annually.”
CSPs will be required to include functional testing as part of their next Security Assessment Plan (SAP) submission (either as part of initial authorization, or by their next annual assessment) and to reflect the results in the Security Assessment Report (SAR). As always, we appreciate your partnership.
See the below links to download the updated System Security Plan (SSP) documents and contact us at firstname.lastname@example.org with any questions.