The stereotype of the government as a slow-moving behemoth is not ill-fitting, but when it makes adjustments and changes, it does so with deliberation and intent. An excellent example is the ongoing development and evolution of things like security standards. Technology moves much, much faster than the government can respond to, or than most businesses could adjust to without a significant investment or a time delay.
From time to time, though, the government needs to update its standards and minimums. It happens all the time across various security frameworks, and it should come as no surprise that it’s time for one of the big ones to receive its own update.
FedRAMP has had updates before, and this time isn’t much different from the past updates. Of course, your business may not have experienced those prior updates if you only sought certification when FedRAMP Rev 4 was in play. What do you need to know to handle the migration seamlessly?
What Changes in the Baselines for FedRAMP Rev 5?
The first thing you should know is what changes between FedRAMP Rev 4 and FedRAMP Rev 5.
To know that, you need to look deeper, at the documents that actually control what FedRAMP does. As always, those documents come from the National Institute of Standards and Technology, NIST. FedRAMP is based on NIST SP 800-53’s security controls list and guidelines.
A lot has changed. Moreover, the specific changes aren’t just listed in NIST SP 800-53; they’re governed by your FedRAMP baseline impact level.
- Low Impact now has 156 controls. 31 controls have been added to the baseline, and 58 controls have had parameters changed.
- Moderate Impact now has 323 controls. Two controls were removed, but a net 21 new controls were added, and the parameters of 100 controls have changed.
- High Impact now has 410 controls. 11 controls were removed from the baseline, but a net 76 new controls have been added, and 33 controls have had parameters changed.
Enumerating all of these changes, additions, and removals here would take up a ton of space and time, and frankly, there’s no reason for us to do so. So, for obvious reasons, we aren’t. You can view the full revision 5 document here.
FedRAMP also adds more changes beyond just the security controls in NIST SP 800-53. Some of the more notable changes include new privacy considerations and guidance for implementation for CSPs, changes to control families, reorganization of controls between families, and the creation of new control families.
- AT-3 role-based training now requires, in addition to security training, privacy training.
- CM-3 now requires a privacy impact analysis whenever configuration changes are included in a security impact analysis.
- CP-9 now requires that system backups include a backup of privacy-related system documentation.
These are just some examples of the way privacy has been added to security and how changes are adding or altering existing requirements.
One of the more interesting and significant changes is a change to adversarial testing. As you know, FedRAMP Rev 4 has always mandated a penetration test as a way to validate, as part of the certification audit, that the security and other controls are in place. However, a common and recurring problem the government has faced is that, once a CSP obtained certification, it grew lax and let its security posture slip.
To help mitigate this, FedRAMP Rev 5 now includes a requirement for annual “Red Team Exercises” as a way to test and validate that security is being upheld. Technically, Red Teaming and penetration testing are slightly different, so it’s important to understand what these new requirements ask of you.
What Are the Phases of the FedRAMP Rev 5 Transition?
The transition from FedRAMP Rev 4 to Rev 5 is not a simple or easy change to make. It takes place through several phases, and it’s important to know which phase you’re in so you know how to proceed. Note that this is not a progression you move through: your CSP sits in one of three phases, and you don’t move from phase one to phase two. The phase simply describes the position you’re in and the steps you need to take to achieve an ATO under FedRAMP Rev 5.
The Planning Phase
The first phase is the planning phase.
This phase applies to:
- CSPs that are applying to FedRAMP or that are in the readiness review process.
- CSPs that have not partnered with a federal agency prior to May 30, 2023.
- CSPs that have not contracted with a 3PAO for a Rev 4 assessment, again prior to May 30, 2023.
- CSPs with a JAB prioritization that have not started an assessment after the release of the Rev 5 baseline.
In other words, it applies to CSPs that are not currently certified, are not most of the way through certification, or have not started the certification process at all.
CSPs in the planning phase are to proceed with implementing Rev 5 baselines immediately according to updated templates, documentation, testing procedures, and frameworks. Basically, if you haven’t already achieved Rev 4 certification or are about to, then there’s no reason to delay and pursue Rev 4 when you can simply readjust and pursue Rev 5.
The Initiation Phase
The second possible phase that your CSP could be in is the initiation phase.
This phase applies to:
- CSPs that are currently prioritized for the JAB and are currently under contract with a 3PAO or in 3PAO assessment prior to May 30, 2023.
- CSPs that have been assessed and are working towards P-ATO package submission prior to May 30, 2023.
- CSPs that have kicked off the JAB P-ATO review process prior to May 30, 2023.
It also applies to:
- CSPs who have partnered with a federal agency and are currently under contract with a 3PAO prior to May 30, 2023.
- CSPs who are undergoing 3PAO assessment that began prior to May 30, 2023.
- CSPs who have been assessed and have submitted the package for Agency ATO review prior to May 30, 2023.
Since CSPs in this category have virtually completed the process of obtaining authority to operate under FedRAMP Rev 4, the process becomes somewhat more complicated than for CSPs in the planning phase. What do these CSPs need to do?
First, CSPs in this phase are allowed to finish obtaining certification for FedRAMP Rev 4. However, they must – by September 1, 2023 (so the deadline has already passed) or by the date of issuance of an ATO/P-ATO – identify the differences in controls and implementation that apply to them, between Rev 4 and Rev 5.
Part of this identification and documentation is the creation of a Plan of Action and Milestones (POAM) that lays out how the CSP will adjust to Rev 5 standards. This POAM and the transition plan will be assessed, either as part of the POAM analysis process or during the annual assessment, and work must be done to push for Rev 5 compliance.
The Continuous Monitoring Phase
Any CSP that has achieved FedRAMP Authorization to Operate in the past and has maintained its status is in what is known as the Continuous Monitoring phase. ConMon, as it’s called, is an important part of FedRAMP authorization.
As you can see by now, the divisions of phases for the transition essentially come down to: CSPs that have not achieved ATO, CSPs that are about to achieve ATO, and CSPs that already have ATO. This is the third group.
Requirements here are roughly what you might expect as well.
- By the deadline of September 1, 2023, the CSP must identify the difference between its current Rev 4 implementation and the Rev 5 implementation as it will apply to it. Using this knowledge, the CSP must develop a POAM and submit both the POAM and the System Security Plan (SSP) to the relevant agency and authorities.
- By the deadline of October 2, 2023, the CSP must update its plan as necessary upon receiving information based on leveraged CSP and shared controls.
After this, it’s just a matter of implementing the new rules and controls for FedRAMP Rev 5. There are deadlines here as well.
CSPs with their last assessment completed between January 2, 2023, and July 3, 2023, have a maximum of one year from the date of their last assessment to complete all implementation and testing activities. Meanwhile, CSPs with an annual assessment scheduled between July 3, 2023, and December 15, 2023, will complete all implementation and testing activities no later than their next scheduled assessment in 2023/2024.
Common Tasks for the Transition from FedRAMP Rev 4 to Rev 5
Though many of the deadlines have already passed, CSPs that had only just finished their annual assessment for Rev 4 when the transition was announced and new CSPs that are preparing for Rev 5 have some room and leeway to complete the transition and certification for Rev 5.
If you haven’t already, develop your schedule. Time is running out to complete the transition to FedRAMP Rev 5, so if you don’t already have a completed System Security Plan and POAM, you need to have them done ASAP.
Update your documentation. FedRAMP Rev 5 has additional documentation requirements and changes some existing documents. Both CSPs and assessors will need to adjust documentation and make sure everything is in order. If you need additional information or access to the Revision 5 templates, all of the information is maintained on the official FedRAMP website. Expect to have to complete an entirely new authorization package.
What Happens if You Don’t Meet Your Deadlines?
If you’re a CSP looking to achieve ATO or P-ATO with a government agency, it means complying with FedRAMP’s framework. FedRAMP’s framework is now, officially, Rev 5. That means, no matter what phase you’re in or what part of the process you’re going through, you need to pursue the current set of security controls as outlined in NIST SP 800-53 Rev 5.
Failure to comply means what it always has: the inability to achieve or the loss of an existing ATO or P-ATO. CSPs that are in the first phase will simply fail their testing and be unable to proceed with their contracts. CSPs that are in the second phase will have their temporary Rev 4 ATO, but when it comes time to validate progress along their POAM, they will fail and be removed. CSPs in the continuous monitoring phase that fail to achieve Rev 5 security will lose their ATOs and the associated contracts.
Is There Help for Tracking and Implementing Changed Controls?
Of course.
First of all, FedRAMP, the various certified 3PAOs, the assessors and auditors, and even the Red Teams tasked with handling that portion of the assessment are all on your side. Everyone wants security to be maintained, so there is plenty of communication and additional assistance available. Anyone you’ve worked with before is likely able to help continue to work with you to achieve compliance.
Secondly, FedRAMP.gov includes dozens of documents and guides for virtually every CSP that needs to adapt to new FedRAMP standards. We’ve linked it above, but here it is again. All of the new documentation templates, guidelines, and transition documents are there.
Third, we’re also here to help. At Ignyte, we are both a certified 3PAO and a platform made to assist other CSPs in pursuing compliance with all manner of different frameworks. Our complete guide to the changes in FedRAMP Rev 5 can be found here.
More importantly, our platform can help you out. We serve to replace various inefficient and siloed software that limits communication and collaboration, which are paramount for a successful transition. So, whether you’re a CSP looking to achieve FedRAMP ATO for the first time and have to figure out what Rev 5 means, or you’re an old hand at this with a Rev 4 ATO that you need to update to Rev 5, we can help. Just reach out and request a demo, and we’ll help you get the ball rolling on modern compliance.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to the defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.