FedRAMP released its plan to align with the National Institute of Standards and Technology’s (NIST) latest update to SP 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 (Rev5).
In a Nov. 24 blog post, FedRAMP said it is in the process of revising all applicable FedRAMP materials to align with NIST’s updates, which NIST said “will provide a solid foundation for protecting organizations and systems – including personal privacy of individuals – well into the 21st century.” This is likely a complicated and lengthy process, given that NIST described the update as not just a minor one, but rather an entire renovation of the SP to address structural issues and technical content.
FedRAMP said it relies on NIST’s guidelines and procedures to provide standardized security requirements for cloud services. Specifically, FedRAMP leverages SP 800-53, including the baselines and test cases specified in the guidance.
FedRAMP also noted that NIST released the final version of SP 800-53A – Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. FedRAMP said it will update the FedRAMP test cases as well.
FedRAMP provided its road map for making the necessary updates:
- “Step 1: Develop draft FedRAMP Baselines from NIST SP 800-53 Rev5 Updates (Current State): FedRAMP will review Rev5 and update the FedRAMP baselines, parameters, FedRAMP control guidance, and develop an implementation guide for CSPs.
- Step 2: Release draft FedRAMP Baselines for Public Comment: FedRAMP will share draft updates for our government partners and stakeholder community to review and provide comments and feedback.
- Step 3: Update FedRAMP Baselines and Documentation Based on Public Comments: FedRAMP will review and adjudicate public comments and update the FedRAMP baselines (including Open Security Controls Assessment Language (OSCAL) versions) and associated documents, templates, and guidance accordingly.
- Step 4: Release Final Rev5 FedRAMP Baseline Documentation Updates, and CSP Implementation Plan: FedRAMP will publish the final version of FedRAMP’s updated baselines (including OSCAL versions), associated documentation and templates, an implementation guide, and compliance timeline. Additionally, FedRAMP will provide training and educational forums on the updates and transition process, and will be available to answer questions.”