FedRAMP transitioning to meet latest NIST controls
The Federal Risk and Authorization Management Program is updating its materials to align with the latest security and privacy control guidance issued by the National Institute of Standards and Technology.
NIST recently released final versions of Revision 5 of SP 800-53, “Security and Privacy Controls for Information Systems and Organizations,” and SP 800-53B, “Control Baselines for Information Systems and Organizations.”
SP 800-53 provides a catalog of flexible and customizable security and privacy controls to protect operations, assets and individuals, from enterprise networks and industrial control systems to internet-of-things devices, against threats and risks. SP 800-53B, a companion publication to SP 800-53 Rev. 5, helps organizations select the low, moderate or high baseline appropriate for the risk level and threats they face.
FedRAMP builds its own security baselines and test cases on SP 800-53’s security and privacy controls and control baselines, and uses them to set security standards for cloud services used by federal agencies.
The FedRAMP Program Management Office (PMO) plans to work with the Joint Authorization Board (JAB) to develop draft high, moderate and low baselines, along with control and implementation guidance, and release that draft for public comment. Based on the comments, the PMO will update its baselines and associated documents, templates and implementation guidance for cloud service providers. The updates will include machine-readable versions in the Open Security Controls Assessment Language (OSCAL), so that OSCAL-enabled applications can import the baselines directly rather than transcribing them from documents.
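To make the “import the baselines” step concrete, the following added example (not NIST’s, FedRAMP’s or any OSCAL tool’s code) resolves an OSCAL profile, which is how OSCAL expresses a baseline, against an OSCAL catalog. The catalog fragment and the profile embedded below are constructed stand-ins shaped like the OSCAL JSON models (a catalog of `groups` and nested `controls`; a profile with `imports` that select controls by `include-all`, `include-controls`/`with-ids` and `exclude-controls`); the field names are assumed from those models, the control IDs and titles are illustrative, and the `href` is not fetched. The profile’s `merge` and `modify` phases are deliberately left out; only control selection is shown, and a selected ID that the catalog does not contain is reported rather than silently dropped.

```python
"""Resolve an OSCAL profile (baseline) against an OSCAL catalog.

Added example, not code from NIST, FedRAMP or any OSCAL tool. The two
documents below are constructed samples in OSCAL JSON layout; the field
names follow the OSCAL catalog and profile models as assumed here.
"""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed catalog fragment: two families, one control with enhancements
# nested as child controls, as the OSCAL catalog model lays them out.
CATALOG_JSON = """
{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Constructed control catalog", "version": "example"},
    "groups": [
      {"id": "ac", "class": "family", "title": "Access Control",
       "controls": [
         {"id": "ac-1", "title": "Policy and Procedures"},
         {"id": "ac-2", "title": "Account Management",
          "controls": [
            {"id": "ac-2.1", "title": "Automated System Account Management"},
            {"id": "ac-2.2", "title": "Automated Temporary and Emergency Account Management"}
          ]}
       ]},
      {"id": "sr", "class": "family", "title": "Supply Chain Risk Management",
       "controls": [
         {"id": "sr-1", "title": "Policy and Procedures"},
         {"id": "sr-2", "title": "Supply Chain Risk Management Plan"}
       ]}
    ]
  }
}
"""

# Constructed profile (baseline): selects controls by ID from the catalog.
# "sr-99" is deliberately not in the catalog to exercise the missing-ID path.
PROFILE_JSON = """
{
  "profile": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Constructed baseline", "version": "example"},
    "imports": [
      {"href": "#constructed-catalog",
       "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1", "sr-2", "sr-99"]}]}
    ]
  }
}
"""


def iter_controls(node: dict) -> Iterator[dict]:
    """Depth-first walk over every control under a catalog, group or control node."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)  # enhancements nest under their base control


def index_catalog(catalog_doc: dict) -> Dict[str, dict]:
    """Map control ID -> control object, preserving catalog order."""
    return {c["id"]: c for c in iter_controls(catalog_doc["catalog"])}


def resolve_baseline(profile_doc: dict, catalog_doc: dict) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(id, title), ...] in catalog order, [ids the catalog lacks]).

    Selection semantics as assumed here: "include-all" selects every control;
    "with-ids" selects exactly the listed IDs (a base control's ID does not pull
    in its enhancements); "exclude-controls" removes IDs after inclusion.
    """
    index = index_catalog(catalog_doc)
    wanted, excluded, missing = set(), set(), []
    for imp in profile_doc["profile"]["imports"]:
        if "include-all" in imp:
            wanted.update(index)
        for selector in imp.get("include-controls", []):
            for cid in selector.get("with-ids", []):
                if cid in index:
                    wanted.add(cid)
                elif cid not in missing:
                    missing.append(cid)  # report, never silently drop
        for selector in imp.get("exclude-controls", []):
            excluded.update(selector.get("with-ids", []))
    resolved = [(cid, index[cid]["title"]) for cid in index
                if cid in wanted and cid not in excluded]
    return resolved, missing


def resolve_example() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Resolve the constructed profile against the constructed catalog."""
    return resolve_baseline(json.loads(PROFILE_JSON), json.loads(CATALOG_JSON))


if __name__ == "__main__":
    selected, unknown = resolve_example()
    for cid, title in selected:
        print(f"{cid:8} {title}")
    if unknown:
        print("not in catalog:", ", ".join(unknown))
```

The ordering choice matters for a real importer: emitting the resolved set in catalog order, rather than profile order, keeps a generated control list or SSP section stable when the profile is regenerated, and reporting unknown IDs catches a baseline that references controls the target catalog revision no longer has.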
When the final updated baselines are published, compliance deadlines will be issued and training and educational forums on the transition will be provided.
“FedRAMP recognizes that this transition cannot be completed overnight,” a FedRAMP informational video states. “We will provide sufficient time to implement and test these updates and provide guidance on many of the new controls, many of which are focused on supply chain.”
When NIST releases the final version of SP 800-53A, “Assessing Security and Privacy Controls in Information Systems and Organizations: Building Effective Assessment Plans,” the PMO will update the FedRAMP test cases as well.
Connect with the GCN staff on Twitter @GCNtech.