Preparing for FedRAMP Rev 5

Chue Moua

Jun 16, 2020

Prepare for FedRAMP Rev 5

FedRAMP baselines are built on NIST Special Publication 800-53, so a new revision of that catalog is the starting point for FedRAMP Revision 5 (Rev. 5). The National Institute of Standards and Technology (NIST) has recently released the latest iteration of SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.” This release ends a seven-year gap since Rev. 4 and sets out the next generation of security and privacy controls, reflecting the need for a more proactive and systematic approach to cybersecurity.

Rev. 5 introduces substantial changes to the framework’s structure and technical content. Its aim is to broaden the catalog’s applicability, making it what NIST describes as the “first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size,” across all types of systems, from supercomputers to industrial control systems to Internet of Things (IoT) devices. Notably, Rev. 5 steps back from an exclusively federal focus, encouraging adoption by non-federal entities and seeking wider international acceptance.

To support that broader scope, the catalog grows from the 17 control families in the body of Rev. 4 to 20 in Rev. 5. Program Management (PM), which Rev. 4 published separately in an appendix, is now a family within the main catalog; in the draft discussed here it carries 33 controls and three control enhancements. Supply Chain Risk Management (SR) is a genuinely new security control family, with 11 controls and 14 control enhancements. A new privacy control family, Personally Identifiable Information Processing and Transparency (PT), adds nine controls and 12 control enhancements and is assigned to the privacy control baseline. Importantly, PT is a standalone family, distinct from the security controls.

Furthermore, Rev. 5 treats privacy as part of the single catalog rather than a separate concern, designating a number of controls as relevant to both security and privacy. Examples include PM-25 (Minimization of Personally Identifiable Information Used in Testing, Training, and Research), MP-6 (Media Sanitization), PL-4 (Rules of Behavior), IR-4 (Incident Handling), and IR-7 (Incident Response Assistance).

In essence, the release of SP 800-53 Rev. 5, on which the FedRAMP Rev. 5 baselines are built, represents a significant evolution in security and privacy controls, acknowledging the evolving threat landscape and the growing importance of privacy in cybersecurity.

Preparing for Rev. 5 is essential for organizations seeking to align with the latest standards and enhance their risk management capabilities.

What we found…

In today’s dynamic cybersecurity landscape, where threats, vulnerabilities, and technologies are constantly evolving, organizations face the critical task of maintaining robust defenses. The goal is to create systems that are not only resistant to attacks but can also limit damage when breaches occur, ensuring resilience and recoverability. Therefore, the adaptability of security controls is paramount, requiring them to be agile and updated in response to the shifting threat landscape.

NIST recognized the need for a more outcome-focused approach and removed the fixed subject from each control statement (previously “the organization” or “the information system”). Controls now describe the outcome to be achieved rather than specifying who or what must implement them, which leaves the allocation of responsibility to the organization.

One of the notable changes in Rev. 5 is a stronger emphasis on defining security and privacy control baselines. NIST has introduced a standalone publication, Special Publication 800-53B – Control Baselines for Information Systems and Organizations (Draft), to guide organizations in selecting and tailoring the appropriate security control baselines for their systems. This publication facilitates customization for specific communities of interest, technologies, and operational environments.

The three traditional security control baselines for low-impact, moderate-impact, and high-impact systems are retained. However, the Privacy Controls Catalog has been replaced with a Privacy Controls Baseline, which is now applied to systems regardless of their impact level. Special Publication 800-53B provides a chart that assigns controls and control enhancements to the relevant security and privacy control baselines. Notably, some controls and control enhancements are not assigned to any baseline. Organizations must review these unassigned controls to determine if they are necessary to meet applicable requirements or beneficial in mitigating risks in their specific environments.

This tailoring process offers organizations greater flexibility in selecting controls and control enhancements that align with their unique risk management needs and the evolving threat landscape. By adapting their controls effectively, organizations can better protect their systems and data against the constantly changing and growing cyber threats.

Summary of the major changes to the publication:

  • Privacy elements are no longer relegated to an appendix; instead, they are seamlessly integrated into the unified catalog. This integration encompasses 86 privacy controls, with 26 standing independently and 60 woven into the security controls. The guidance now includes next-generation privacy and security controls along with practical guidelines for their application.
  • The structure of the controls has shifted to an outcome-based approach, emphasizing the desired results.
  • While previous editions had a single supply chain control, Revision 5 introduces an entire dedicated control family. It also offers guidance on integrating these standards throughout an organization.
  • New, state-of-the-art controls have been added, supporting cyber resilience and secure systems design. These controls are informed by the latest threat intelligence and cyber attack data. They encompass areas such as cyber resilience, secure systems design, security and privacy governance, and accountability.
  • Control baselines and tailoring guidance have been moved out of SP 800-53 into a separate publication, NIST SP 800-53B, Control Baselines for Information Systems and Organizations (Draft).
  • Control selection processes have been separated from the controls themselves, making them more accessible to diverse communities of interest, including systems engineers, software developers, enterprise architects, and mission/business owners.
  • Descriptions of content relationships have been refined, clarifying the connections between requirements and controls, as well as between security and privacy controls.
  • The term “information system” has been replaced with “system,” broadening the applicability of the controls to various system types, including general purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices.
  • The publication’s federal focus has been de-emphasized, encouraging broader use outside the federal government, including by the private sector and international organizations.
  • The publication now promotes integration with various risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework.

These changes reflect a comprehensive overhaul of the publication, aligning it with current and future cybersecurity needs and promoting its use across a broader spectrum of systems and organizations.

Are you up for renewal, or is your agency asking you to meet the FedRAMP Rev. 5 baselines?

Give us a call. We are eager to hear your challenges and use our experience to fast-track your compliance requirements.

Visit us at https://fabriclake.com.

Published On: October 24th, 2023 / Categories: Blogs, compliance, Tips & Tricks /

How can I help?

With more than two decades of experience in IT and compliance, I have successfully overseen multiple FedRAMP authorizations and a dozen ATOs within the DOJ and DOD.

“Chue is a brilliant technologist who is a SME for everything with InfoSec and Federal Government Compliance. He is incredibly diligent, hard-working and is able to easily discuss complicated technical matters with both experts and beginners. His can-do, humble attitude made it a distinct pleasure to work with and learn from him.”

Other endorsements…

“Working with Chue has been an honor. He’s incredibly knowledgeable and always travels out of his way to offer assistance and guidance. He made sure our systems were completely secure and gave us the peace of mind to focus on our responsibilities without worry of interruption.

Outside of a work capacity, Chue has been a positive and motivating force and he has a keen ability to instill trust.”


Experts who understand the Federal landscape

Imagine a world where organizations enthusiastically embrace cutting-edge AI technology, harnessing its power to gain profound insights into high-risk scenarios and propelling themselves toward their core business objectives with confidence!

Here at FabricLake, we lead the charge in revolutionizing federal compliance solutions. We have built artificial intelligence into the core of our compliance processes. This integration doesn’t just optimize workflows; it supports task management and issue resolution while upholding the highest industry standards. Within our Federal Compliance division, that work has produced RiskGuardian360, a specialized application that applies AI to steer us toward our compliance objectives. Join us in embracing this technology and watch your compliance needs become opportunities for excellence.