cloud processes (Omelchenko/

FedRAMP transitioning to meet latest NIST controls

The Federal Risk and Authorization Management Program is updating its materials to align with the latest cloud security guidance issued by the National Institute of Standards and Technology.

NIST recently released final versions of Revision 5 of SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” and SP 800-53B, “Control Baselines for Information Systems and Organizations.”

SP 800-53 provides a catalog of flexible and customizable security and privacy controls to protect operations, assets and individuals – from enterprise networks and industrial control systems to internet-of things devices -- from threats and risks. SP 800-53B, a companion publication to SP 800-53 Rev. 5, can help organizations select the baseline that is appropriate for the risk level and threats they face

FedRAMP leverages SP 800-53’s security and privacy controls, baselines and test cases for setting security standards for federal information systems.

The FedRAMP Program Management Office plans to work with the Joint Authorization Board to develop draft high, moderate and low baselines as well as control and implementation guidance and release that draft for public comment. Based on the comments, the PMO will update its baselines and associated documents, templates and implementation guidance for cloud service providers. The updates will include the machine-readable Open Security Controls Assessment Language versions to allow OSCAL-enabled applications to import the baselines.

When the final updated baselines are published, compliance deadlines will be issued and training and educational forums on the transition will be provided.

“FedRAMP recognizes that this transition cannot be completed overnight, ” a FedRAMP informational video states. “We will provide sufficient time to implement and test these updates and provide guidance on many of the new  controls many of which are focused on supply chain.”

When NIST releases the final version of SP 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans,” the PMO will update the FedRAMP test cases as well.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected