cloud processes (Omelchenko/

FedRAMP transitioning to meet latest NIST controls

The Federal Risk and Authorization Management Program is updating its materials to align with the latest cloud security guidance issued by the National Institute of Standards and Technology.

NIST recently released final versions of Revision 5 of SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” and SP 800-53B, “Control Baselines for Information Systems and Organizations.”

SP 800-53 provides a catalog of flexible and customizable security and privacy controls to protect operations, assets and individuals – from enterprise networks and industrial control systems to internet-of things devices -- from threats and risks. SP 800-53B, a companion publication to SP 800-53 Rev. 5, can help organizations select the baseline that is appropriate for the risk level and threats they face

FedRAMP leverages SP 800-53’s security and privacy controls, baselines and test cases for setting security standards for federal information systems.

The FedRAMP Program Management Office plans to work with the Joint Authorization Board to develop draft high, moderate and low baselines as well as control and implementation guidance and release that draft for public comment. Based on the comments, the PMO will update its baselines and associated documents, templates and implementation guidance for cloud service providers. The updates will include the machine-readable Open Security Controls Assessment Language versions to allow OSCAL-enabled applications to import the baselines.

When the final updated baselines are published, compliance deadlines will be issued and training and educational forums on the transition will be provided.

“FedRAMP recognizes that this transition cannot be completed overnight, ” a FedRAMP informational video states. “We will provide sufficient time to implement and test these updates and provide guidance on many of the new  controls many of which are focused on supply chain.”

When NIST releases the final version of SP 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans,” the PMO will update the FedRAMP test cases as well.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected