Unveiling FedRAMP Revision 5

Recently, the Federal Risk and Authorization Management Program (FedRAMP) released its highly anticipated Revision 5 guidance, marking a significant milestone in cloud security compliance. With the release of FedRAMP Revision 5 (Rev 5), CSPs listed on the FedRAMP Marketplace are required to complete a delta assessment. This assessment ensures that existing CSPs align with the new control requirements by September 1st, 2023. Additionally, by October 1st, 2023, shared control information provided by cloud providers must be updated to adhere to the latest guidance.

What is new in FedRAMP Rev 5?

Expanded Control Set: FedRAMP Revision 5 introduces an expanded control set with 156 controls for Low, 323 controls for Moderate, and 410 controls for High impact systems. The testing of the Rev 5 controls is more threat based with a Risk Management approach. In Rev 5, there is a greater emphasis on aligning controls with the identified threats and risks that are relevant to the cloud service being assessed. This approach helps to ensure that the controls implemented by the cloud service provider (CSP) are designed to address the threats and vulnerabilities associated with their environment.

New Controls and Enhancements: Revision 5 brings forth 20 new base controls and 17 existing controls with enhancements. These additions include controls focused on privacy, such as PII data handling, data residency, and software supply chain management. These new controls reflect the growing emphasis on safeguarding privacy and mitigating risks associated with data breaches and unauthorized access. An example of these changes is the addition of supply chain risk management requirements. CSPs must implement controls to assess vendors, validate software integrity, and monitor the supply chain continuously. This includes ensuring software integrity and verifying the authenticity of hardware and software components as well as continuous monitoring of the supply chain to identify and mitigate potential risks and vulnerabilities. An updated list of inherited controls from cloud providers like AWS, Azure will also be released soon.

Transition Timelines – 09.01.2023 and 10.02.2023

CSP’s ATO JourneyDelta Assessment RequirementsAnnual or New AssessmentDeliverables to Agency or JAB
Starting ATO ProcessNoneTesting will be against Rev 5 unless CSP testing and package submission is completed by September 2023.Rev 5 FedRAMP Package
Engaged with JAB or 3PAO for ATO AssessmentA delta assessment needs to be performed with testing schedules by a 3PAO.Complete current ATO assessment in flight using Rev 4 base lines and templates if package will be submitted to the PMO no later than September 2023.Document implementation and testing schedules for delta between Rev 4 and Rev 5 including plans to leverage shared controls. SSP and POA&M documents need to be updated with the implementation plans for Rev 5. Implementation of the Rev 5 controls must be completed by the next Annual Assessment to support testing of the control implementation.
CSPs with ATO Listed on MarketplaceBy 09.01.2023 or prior to issuance of ATO (whichever is latest), a delta assessment needs to be performed with testing schedules by a 3PAO. By 10.02.2023, CSPs need to update shared controls implementation plans.CSPs whose reassessment is between Jan. 1st, 2023 – July 3rd, 2023, have one year from last assessment date to complete implementation of Rev 5 controls. For customers with annual reassessment from July 4th, 2023, to Dec. 15th, 2023, will need to complete all Rev 5 implementations no later than their next scheduled annual assessment in 2023/2024.Standard FedRAMP package for annual assessment with Rev 5 updates SSP and POA&M monitoring the status of the Rev 5 implementation.
Delta Assessment report and POA&M.

These milestones and activities are essential for successfully transitioning from Rev 4 to Rev 5 and ensuring compliance with the updated FedRAMP requirements.

Conclusion: FedRAMP Revision 5 represents a significant step forward in the realm of cloud security compliance. With an expanded control set, new controls and enhancements, and a focus on continuous monitoring and documentation, CSPs have a short timeline to complete delta assessments and implementation of new Rev 5 controls.

FedRAMP Authorization Act


FedRAMP provides a standardized approach to security authorizations for Cloud Service Offerings within the Federal ecosystem and is a crucial cybersecurity certification that cloud service providers must obtain prior to working with U.S. government data. Gaining this certification in advance means placement in the FedRAMP marketplace, from which government divisions and agencies can choose a provider at the level of security they choose.

Cloud Service providers have a multi-billion dollar federal market to address with some clarity on security requirements.

President Joe Biden has signed a legislation that will reform the Federal Risk and Authorization Management Program (FedRAMP), a cybersecurity authorization program, as part of the National Defense Authorization Act (NDAA). The act is designed to promote the federal implementation of FedRAMP government wide.

The latest iteration of FedRAMP Authorization Act makes sure that the FedRAMP program has a board to continue improving the quality and shorten the time for a Cloud Service Provider (CSP) to attain an Authorization to Operate (ATO). The act also creates a new cloud advisory committee consisting of five representatives from cloud service companies with the specification that two of those positions will be filled by small cloud vendors.

Why is this important to cloud service providers (CSPs)?

There are hundreds if not thousands of cloud service providers who need to be FedRAMP certified and the journey for many has been long with millions of dollars in investment.  The old rules made it difficult to cross sell to federal agencies as each agency can have additional security requirements extending the sales process.

One of the most significant aspects of the FedRAMP reform language is a “presumption of adequacy” clause, which would allow FedRAMP-authorized tools to be used by any federal agency without additional cost, or time increasing CSPs market size.

The cloud advisory board will have voice of the CSPs’ making the rules relevant and effective for continuous compliance and ensure highest level of data protection. The shortage of 3PAOs increased the assessment timelines and the single assessment approach will free up 3PAO’s to get more CSPs certified.

If a CSP wants to make a business case to pursue the Federal market, they can start with the NIST controls benchmark with approved FedRAMP services from GCP, AWS and Azure GovCloud instances.  Once they complete their readiness and demonstrate compliance to NIST 800-53 controls, they can now find a 3PAO to validate the controls and submit the package to FedRAMP board for approval.  Once approved, they are listed, and every Federal agency can now subscribe to the service. A FedRAMP certified CSP has demonstrated highest security control implementation and monitoring eliminating the need to chase less known commercial security certifications. FedRAMP has now millions of dollars in funding to market its program to State agencies.  Many states are adopting FedRAMP as their security framework and this only increases the addressable market.