FedRAMP Rev. 5 Baselines are Here, Now What?

The FedRAMP Joint Authorization Board (JAB) has given the green light to update to FedRAMP Rev. 5.

With this revision, FedRAMP baselines are now updated in line with the National Institute of Standards and Technology’s (NIST) SP 800-53 Rev. 5 Catalog of Security and Privacy Controls for Information Systems and Organizations and SP 800-53B Control Baselines for Information Systems and Organizations. This transformation brings opportunities and challenges for all stakeholders involved, including Cloud Service Providers (CSP), Third Party Assessment Organizations (3PAOs), and Federal Agencies.

But worry not – with RegScale, we have your back! Let’s dive in and understand the impact and how to prepare for the coming changes.

Decoding the Transition

The transition has been in the works for a very long time, and FedRAMP has updated many of their controls to accurately reflect updates in technology since Rev. 4 was published in 2015.  FedRAMP Rev. 5 brings with it significant updates to the security controls to meet emerging threats, including new families such as supply chain risk management, and places a greater emphasis on privacy controls.  FedRAMP continues to strongly encourage package submission in NIST Open Security Controls Assessment Language (OSCAL) format to accelerate review and approval processes.

To aid with a clear comprehension of the updates, FedRAMP has also released a Rev. 4 to Rev. 5 Baseline Comparison Summary.  There are more than 250 controls with significant changes, including several whole new families of controls.

In the coming weeks, FedRAMP plans to release a series of updated OSCAL baseline profiles, resolved profile catalogs, System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plans of Action and Milestones (POA&M) templates as well as supporting guides for each of these.

What is OSCAL, You Ask?

OSCAL is a set of standards for digitizing the authorization package through common machine-readable formats developed by NIST in conjunction with the FedRAMP PMO and industry.  NIST defines it as a “set of hierarchical, formatted, XML- JSON- and YAML-based formats that provide a standardized representation for different categories of security information pertaining to the publication, implementation, and assessment of security controls.”   OSCAL makes it easier to validate the quality of your FedRAMP packages and expedites the review of those packages.

The Impact on CSPs

FedRAMP has published the CSP Transition Plan, providing a comprehensive roadmap and tool for CSPs to identify the scope of the Rev. 5 controls that require testing and offering support for everyone based on their stage in the FedRAMP authorization process.  Timelines for the full transition range from immediate to 12-18 months.

You should find a technology partner to assist you regardless of your FedRAMP stage so that you can quickly and completely adapt from Rev. 4 to Rev. 5 baselines as well as update, review, and submit your packages in both human-readable (Word, Excel) and machine-readable (OSCAL) formats.

If you are a CSP just getting started with your FedRAMP journey…

As of May 30, 2023, CSPs in the “planning” stage of FedRAMP authorization must adopt the new Rev. 5 baseline in their controls documentation and testing and submit their packages in the updated FedRAMP templates as they become available.  You are in the planning phase if you are:

• Applying for FedRAMP or are in the readiness review process
• Have not partnered with a federal agency prior to May 30, 2023
• Have not contracted with a 3PAO for a Rev. 4 assessment prior to May 30, 2023
• Have a JAB prioritization but have not begun an assessment after the release of the Rev. 5 baselines and
  templates

If you are a CSP in the “Initiation” phase

CSPs in the initiation phase will complete an Authority to Operate (ATO) using the Rev. 4 baseline and templates.  By the latest of the issuance of your ATO or September 1, 2023, you will identify the delta between your Rev. 4 implementation and the Rev. 5 requirements, develop plans to address the differences, and document those plans in the SSP and POA&M.  You are in the initiation phase if any of the following apply prior to May 30, 2023:

• Prioritized for the JAB and are under contract with a 3PAO or in 3PAO assessment
• Have been assessed and are working toward P-ATO package submission
• Kicked off the JAB P-ATO review process
• Partnered with a federal agency and are:
  • Currently under contract with a 3PAO
  • Undergoing a 3PAO assessment
  • Have been assessed and have submitted the package for Agency ATO review

If you are a Fully Authorized CSP

You are in the “continuous monitoring” phase if you are a CSP with a current FedRAMP authorization.  By September 1, 2023, you need to identify the delta between your current Rev. 4 implementation and the Rev. 5 requirement, develop plans to address the differences and document those plans in the SSP and POA&M.  By October 2, 2023; you should update plans based on any shared controls.

If your latest assessment was completed between January 2 and July 3, 2023, you have a maximum of one year from the date of the last assessment to complete all implementation and testing activities for Rev. 5.  If your annual assessment is scheduled between July 3 and December 15, 2023, you will need to complete all implementation and testing activities no later than your next, scheduled annual assessment in 2023/2024.

A Complete Technology and Transition Partner

The transition to FedRAMP Rev. 5 is not just about meeting the new requirements but doing so in the most efficient and seamless manner. You should focus on your core business while technology like RegScale handles the intricacies of the compliance transition.

Beyond compliance documentation, RegScale serves as a comprehensive FedRAMP compliance technology and transition partner. Our platform assists with mapping your security controls against FedRAMP and NIST SP 800-53 baselines for Rev. 4 and Rev. 5, supports gap analysis, provides remediation support, and enables continuous monitoring and improvement.  The platform currently includes FedRAMP support and tools to develop human-readable and OSCAL-formatted content for Catalogs, Profiles, SSPs, Components, SAPs, SARs, POAMs and Asset Inventory. To help eliminate the friction and confusion of where to begin with OSCAL, RegScale provides an intuitive Graphical User Interface (GUI) to build artifacts using our wizards and then easily export them as valid OSCAL.

By automating the creation of audit-ready documentation and allowing direct submission to the FedRAMP Project Management Office (PMO) through OSCAL and/or Word/Excel templates, RegScale provides a seamless transition experience to Rev. 5, reducing complexities and saving you valuable time and resources.

In closing, it is crucial for all CSPs and stakeholders to review the new mandates and the CSP Transition Plan and begin planning to address the updated templates.  Let RegScale help make the shift to FedRAMP Rev. 5 a streamlined, efficient, and effective process with minimum costs and business disruptions.

Keep Up to Date

If you are ready to start discussing your particular FedRAMP use case, schedule a live demo today.