Are you ready to adopt new FedRAMP baselines?

The Federal Risk and Authorization Management Program (FedRAMP) has released proposed updated baselines that follow the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-53 Revision 5 and are expected to take effect in 2023. So, what is changing? The new baselines include changes to the number of controls required for the High, Moderate, Low, and LI-SaaS baselines, a new Supply Chain Risk Management (SR) control family, the addition of new advanced capabilities to support the security of a system, and policy enhancements.

Let’s take a closer look.

The updated versions of the High and Moderate FedRAMP baselines will have fewer controls, while the Low and LI-SaaS baselines will have more. Specifically, the number of controls in the High baseline will be reduced from 421 to 392, the number in the Moderate baseline will be reduced from 325 to 304, and the number in the Low and LI-SaaS baselines will increase to 150. These changes result from the withdrawal of certain controls and the consolidation of others in NIST SP 800-53 Revision 5.

Additionally, the updated baselines include requirements for new security tools, such as anti-tamper solutions, and for the creation of a threat hunting capability to detect and disrupt threats. They also introduce policy enhancements, such as the designation of a specific official to manage policy development and the classification of policies and procedures as organization-level, mission or business process-level, or system-level.

The SR family requires the creation of a Supply Chain Risk Management Plan, which may necessitate the development of a new policy, procedures, and plan/attachment. The SR family also includes controls related to supply chain risk assessment, supplier agreements, and incident response in the event of a supply chain breach. These new controls expand on the concepts previously covered by the single control SA-12 (Supply Chain Protection) and represent a significant increase in regulatory oversight of supply chain management in the cloud.

However, external information system services and interconnections, which are technically part of a cloud service offering's (CSO's) supply chain, will likely still be evaluated separately through the External System Services (SA-9) and Information Exchange (CA-3) controls. External services are typically logical connections between a CSO and other systems that are not owned by the hosting cloud service provider (CSP). The requirements in SA-9 and CA-3 will continue to impose strict requirements on external services used in a cloud service offering.

To stay compliant with FedRAMP, all CSPs participating in the program should review their current compliance status and plan the adjustments the forthcoming changes will require.

KyberStorm has the following services that can assist you in preparing to adopt new baselines:

  • Gap analysis to identify gaps and solutions needed to transition from FedRAMP Revision 4 to Revision 5
  • Package updates to meet the requirements for FedRAMP Revision 5