Recently, the Federal Risk and Authorization Management Program (FedRAMP) released its highly anticipated Revision 5 guidance, marking a significant milestone in cloud security compliance. With the release of FedRAMP Revision 5 (Rev 5), CSPs listed on the FedRAMP Marketplace are required to complete a delta assessment. This assessment ensures that existing CSPs align with the new control requirements by September 1st, 2023. Additionally, by October 1st, 2023, shared control information provided by cloud providers must be updated to adhere to the latest guidance.
What is new in FedRAMP Rev 5?
Expanded Control Set: FedRAMP Revision 5 introduces an expanded control set with 156 controls for Low, 323 controls for Moderate, and 410 controls for High impact systems. The testing of the Rev 5 controls is more threat based with a Risk Management approach. In Rev 5, there is a greater emphasis on aligning controls with the identified threats and risks that are relevant to the cloud service being assessed. This approach helps to ensure that the controls implemented by the cloud service provider (CSP) are designed to address the threats and vulnerabilities associated with their environment.
New Controls and Enhancements: Revision 5 brings forth 20 new base controls and 17 existing controls with enhancements. These additions include controls focused on privacy, such as PII data handling, data residency, and software supply chain management. These new controls reflect the growing emphasis on safeguarding privacy and mitigating risks associated with data breaches and unauthorized access. An example of these changes is the addition of supply chain risk management requirements. CSPs must implement controls to assess vendors, validate software integrity, and monitor the supply chain continuously. This includes ensuring software integrity and verifying the authenticity of hardware and software components as well as continuous monitoring of the supply chain to identify and mitigate potential risks and vulnerabilities. An updated list of inherited controls from cloud providers like AWS, Azure will also be released soon.
Transition Timelines – 09.01.2023 and 10.02.2023
| CSP’s ATO Journey | Delta Assessment Requirements | Annual or New Assessment | Deliverables to Agency or JAB |
| Starting ATO Process | None | Testing will be against Rev 5 unless CSP testing and package submission is completed by September 2023. | Rev 5 FedRAMP Package |
| Engaged with JAB or 3PAO for ATO Assessment | A delta assessment needs to be performed with testing schedules by a 3PAO. | Complete current ATO assessment in flight using Rev 4 base lines and templates if package will be submitted to the PMO no later than September 2023. | Document implementation and testing schedules for delta between Rev 4 and Rev 5 including plans to leverage shared controls. SSP and POA&M documents need to be updated with the implementation plans for Rev 5. Implementation of the Rev 5 controls must be completed by the next Annual Assessment to support testing of the control implementation. |
| CSPs with ATO Listed on Marketplace | By 09.01.2023 or prior to issuance of ATO (whichever is latest), a delta assessment needs to be performed with testing schedules by a 3PAO. By 10.02.2023, CSPs need to update shared controls implementation plans. | CSPs whose reassessment is between Jan. 1st, 2023 – July 3rd, 2023, have one year from last assessment date to complete implementation of Rev 5 controls. For customers with annual reassessment from July 4th, 2023, to Dec. 15th, 2023, will need to complete all Rev 5 implementations no later than their next scheduled annual assessment in 2023/2024. | Standard FedRAMP package for annual assessment with Rev 5 updates SSP and POA&M monitoring the status of the Rev 5 implementation. Delta Assessment report and POA&M. |
These milestones and activities are essential for successfully transitioning from Rev 4 to Rev 5 and ensuring compliance with the updated FedRAMP requirements.
Conclusion: FedRAMP Revision 5 represents a significant step forward in the realm of cloud security compliance. With an expanded control set, new controls and enhancements, and a focus on continuous monitoring and documentation, CSPs have a short timeline to complete delta assessments and implementation of new Rev 5 controls.