On May 30, 2023, FedRAMP released the NIST SP 800-53 Revision (Rev) 5 security baselines. This release adds security controls aimed at assessing a Cloud Service Provider's (CSP) risk maturity and its ability to mitigate risk in a constantly evolving threat landscape.
With Revision 5 released, Quzara recognizes that CSPs are now seeking answers to crucial questions such as:
- When do I need to meet Revision 5 requirements? and
- Where do I start the transition to Revision 5?
Rest assured, we are here to guide you through this transition period, whether you are just starting out or are already authorized.
In this blog post, we break down the notable changes in Revision 5, explain the transition timeline for CSPs at each phase of their FedRAMP Authorization Journey, and offer practical guidance for planning the move from Rev. 4 to Rev. 5.
Since its inception in 2011, the Federal Risk and Authorization Management Program (FedRAMP) has played a vital role in the U.S. government's cloud security strategy, providing a standardized risk-based approach for assessing, authorizing, and continuously monitoring cloud products and services used by federal agencies.
At the core of FedRAMP's security framework are the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-53 guidelines with emphasis on security and protection of federal information.
FedRAMP uses a core set of processes to ensure effective, repeatable cloud security for the government. It also maintains a mature marketplace to increase utilization of and familiarity with cloud services, while facilitating collaboration across government through open exchanges of lessons learned, use cases, and tactical solutions.
What are the New FedRAMP Revision 5 Baselines?
The FedRAMP baseline comparison was authored based on the MITRE NIST 800-53 Revision 4 to Revision 5 Change analysis.
| Baseline | # of Controls | Control Changes | Parameter Changes |
|---|---|---|---|
| Tailored / Low Impact SaaS (LI-SaaS) | 156 | 31 controls added to the baseline | 58 |
| Low | 156 | 31 controls added to the baseline | 58 |
| Moderate | 323 | 2 controls removed from the baseline; 21 net new controls | 100 |
| High | 410 | 11 controls removed from the baseline; 76 net new controls | 33 |
What are the Transition Phases for Revision 5 and how do I determine what phase I am in?
The transition plan released by FedRAMP on May 30, 2023, provides guidance that will assist CSPs in various stages of FedRAMP in identifying the requirements and actions needed to move forward from Revision 4 to Revision 5:
1. Planning Phase - CSPs are in the “Planning” phase, and must implement the Rev. 5 baseline, have an assessor test it, and use the updated FedRAMP templates before submitting a package for authorization, if any of the following criteria are met:
- CSPs that are applying to FedRAMP or are in the FedRAMP Readiness review process.
- CSPs that have not partnered with a federal agency (i.e., the Agency Authorizing Official has not submitted a formal “In Process” request to the PMO) prior to May 30, 2023.
- CSPs that have not contracted with a Third Party Assessment Organization (3PAO) for a Rev. 4 assessment prior to May 30, 2023.
- CSPs with a Joint Authorization Board (JAB) prioritization that have not begun an assessment after the release of the Rev. 5 baseline and templates.
Next Steps:
- Implement and test the Rev. 5 baseline.
- Use the updated FedRAMP templates when submitting a RAR/SAR package.
Note: A general rule of thumb: if you had not contracted with a 3PAO by May 30, 2023, you will be required to implement Revision 5 prior to your assessment.
2. Initiation Phase - CSPs are in the “Initiation” phase if any of the following criteria are met:
- CSPs that are currently prioritized for the JAB and are:
  - under contract with a 3PAO or in 3PAO assessment,
  - assessed and working toward Provisional Authorization to Operate (P-ATO) package submission, or
  - in the JAB P-ATO review process, kicked off prior to May 30, 2023.
- CSPs that have partnered with a federal agency and are:
  - under contract with a 3PAO,
  - undergoing a 3PAO assessment, or
  - assessed and have submitted the package for Agency Authorization to Operate (ATO) review prior to May 30, 2023.
Note: If the above conditions are met, the CSP can complete the ATO or JAB P-ATO using the Rev. 4 baseline and templates.
Next Steps:
- A CSP can obtain an ATO/P-ATO using the Rev. 4 baseline and templates, but must identify the differences between its current Rev. 4 implementation and the Rev. 5 requirements by September 1, 2023, or before the issuance of the ATO/P-ATO, whichever is later. This includes:
  - Developing and documenting plans in the current Rev. 4 SSP and POA&M to address the Rev. 4 vs. Rev. 5 delta; and
  - Posting those documents to the CSP’s package repository.
- If a CSP is undergoing its annual assessment after January 2, 2024, it should use the Rev. 5 SSP template and documentation package (once released).
- The CSP’s transition plan will be assessed during the POA&M management process and/or as part of the upcoming annual assessment (if applicable). Customers can use the CSP’s defined schedules and Customer Responsibility Matrix (CRM) to understand the impact of planned changes on their own implementation.
The FedRAMP PMO has stated that CSPs with a current authorization will need to work closely with their AOs to coordinate the development and delivery timeline of their Rev. 5 transition plan ahead of their assessment schedule.
Notably, CSPs can rest assured that their current Rev. 4 FedRAMP documentation package can remain in place for their next assessment if it is scheduled in 2023, but they will need to deliver their completed transition plan.
3. Continuous Monitoring Phase - CSPs are in the Continuous Monitoring phase if they have achieved an ATO and are currently in continuous monitoring (ConMon) of their authorization cycle.
- Next Steps
- By September 1, 2023, CSPs should identify the delta between their current Rev. 4 implementations and the Rev. 5 requirements. This includes developing a plan of implementation and testing schedules to address the identified deltas.
- By October 2, 2023, CSPs should update plans based on leveraged CSP information (shared controls).
- During the POA&M management process and/or next Annual Assessment (as applicable), assess the implementation of the steps above.
- CSPs whose last assessment was completed between January 2, 2023, and July 3, 2023, have at most one year from the date of that assessment to complete all implementation and testing activities.
- CSPs with an annual assessment scheduled between July 3, 2023, and December 15, 2023, must complete all implementation and testing activities no later than their next scheduled annual assessment in 2023/24.
- All CSPs with an assessment date after January 2, 2024, will be required to use the Rev. 5 templates and documentation resources. Rev. 4 documentation will not be permitted during an assessment and may result in a failure from the 3PAO.
What are the Key Impacts on CSPs?
The points below detail the actions a CSP will need to take to be prepared for an assessment against the Revision 5 requirements.
- Gap Assessment to Identify Deltas: CSPs are now required to perform an assessment (whether a self-assessment or a guided assessment) that identifies all deltas between their current Rev. 4 implementations and the new Rev. 5 security requirements and controls.
- CSPs with a current authorization will need to develop a plan, using the FedRAMP template (once released), showing how they will implement all identified deltas from Revision 4 to meet the Revision 5 requirements at their chosen impact level.
- Update Technology: many controls within the Rev. 5 baseline will require a CSP to implement either a new technology or new features of an existing technology to satisfy the newly published security requirements. For currently authorized CSPs this may mean additional cost and technology upgrades. Examples include a new vulnerability management solution (e.g., Tenable), a more comprehensive SIEM (e.g., Microsoft Sentinel), and/or an MDR solution.
- New Controls, Parameters, and Enhancements – each baseline (High, Moderate, Low, LI-SaaS) contains net new controls, parameters, or additional enhancements that will require the CSP to evaluate their information system environment to a higher degree to mitigate additional risk exposure. Additionally, CSPs will now be required to adhere to the Supply Chain Risk Management (SR) Control family which provides requirements that relate to how a CSP manages supply chain risk, and third-party solutions.
- Technical Considerations: several controls carry new requirements and guidance that will require CSPs to adopt more stringent hardening standards. Rev. 5 requires DoD Security Technical Implementation Guides (STIGs), with CIS Level 2 benchmarks permitted only where no STIG exists; this is a notable change from Rev. 4, which required only CIS Level 1 benchmarks. CSPs will need to adopt or enhance their hardening standards and processes to meet the DISA STIG requirements for all applicable components and assets in their FedRAMP inventory (CM-6), which will have downstream effects on application development and code uplifts. Additionally, CSPs will need vulnerability and compliance scanning solutions that can report comprehensively against STIG implementations (RA-5).
- Updating Documentation - there are a significant number of new controls, as well as controls that have undergone parameter changes. Before engaging in an assessment with a 3PAO, the CSP will need to update the entire FedRAMP Authorization Package such as the System Security Plan (SSP) and the additional ancillary documents including the Policies & Procedures and Attachments.
- Privacy Considerations: FedRAMP has placed renewed emphasis on privacy requirements across several control families. Highlights include:
- Role-based training now requires privacy training in addition to security training (AT-3);
- A Privacy Impact Analysis is now required for configuration changes as part of the Security Impact Analysis (CM-3);
- System backups now must include all privacy-related system documentation within the information system environment (CP-9);
- The SSP and Privacy Plan now require the results of a privacy risk assessment for systems identified as Privacy Impact Systems that process Personally Identifiable Information (PII) (PL-2 / SSP Attachment 4).
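The Rev. 4 to Rev. 5 delta that the Continuous Monitoring next steps and the Gap Assessment bullet above call for is, at its core, a comparison of two baselines: which controls are new, which were removed, and which remain but with changed parameters (the same three columns as the baseline table earlier in this post). The following is an added example written for this post; it is not FedRAMP or Quzara tooling. The two baseline snippets are constructed stand-ins for a CSP's own export of each baseline and deliberately cover only a handful of controls; the CM-6, RA-5 and SR entries reflect the changes described on this page, while the AC-2 and AC-17 text is placeholder wording, not the actual parameter values.

```python
"""Gap-assessment helper: compute the control and parameter delta between a
Rev. 4 and a Rev. 5 baseline description and turn it into POA&M-style items.

Added example, not FedRAMP or Quzara code. The baseline text below is
CONSTRUCTED sample data covering a few controls; it is not the real baseline.
"""
import re
from dataclasses import dataclass, field

# Constructed sample baselines. Format: one control per line, "ID|parameter summary".
REV4_BASELINE = """\
AC-2|account management parameters (constructed placeholder text)
AC-17|remote access monitored and controlled (constructed placeholder text)
CM-6|hardening to CIS Level 1 benchmarks
RA-5|vulnerability scanning of system components
SA-12|supply chain protection (withdrawn in Rev. 5; incorporated into the SR family)
"""

REV5_BASELINE = """\
AC-2|account management parameters (constructed placeholder text)
AC-17|remote access monitored and controlled (constructed placeholder text)
CM-6|hardening to DISA STIGs; CIS Level 2 where no STIG exists
RA-5|vulnerability scanning with compliance reporting against STIG implementations
SR-3|supply chain controls and processes
"""


@dataclass
class Delta:
    added: list = field(default_factory=list)              # present in Rev. 5 only
    removed: list = field(default_factory=list)            # present in Rev. 4 only
    parameter_changed: list = field(default_factory=list)  # in both, text differs
    unchanged: list = field(default_factory=list)          # in both, identical text


def control_sort_key(control_id):
    """Order AC-2 before AC-17 and AC-2 before AC-2(3): numeric, not lexical."""
    family, _, rest = control_id.partition("-")
    return (family, [int(n) for n in re.findall(r"\d+", rest)])


def parse_baseline(text):
    """Parse 'ID|summary' lines into {ID: summary}; skips blank and '#' lines."""
    controls = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        control_id, sep, summary = line.partition("|")
        if not sep:
            raise ValueError(f"malformed baseline line: {raw!r}")
        # Normalise whitespace so a reflowed export does not show as a false change.
        controls[control_id.strip().upper()] = " ".join(summary.split())
    return controls


def compute_delta(rev4, rev5):
    """Classify every control ID appearing in either baseline."""
    delta = Delta()
    for cid in sorted(set(rev4) | set(rev5), key=control_sort_key):
        if cid not in rev4:
            delta.added.append(cid)
        elif cid not in rev5:
            delta.removed.append(cid)
        elif rev4[cid] != rev5[cid]:
            delta.parameter_changed.append(cid)
        else:
            delta.unchanged.append(cid)
    return delta


def transition_items(delta, rev4, rev5):
    """Turn the delta into POA&M-style line items a CSP can track to closure."""
    items = []
    for cid in delta.added:
        items.append({"control": cid, "change": "new control",
                      "action": f"implement and test: {rev5[cid]}"})
    for cid in delta.parameter_changed:
        items.append({"control": cid, "change": "parameter change",
                      "action": f"update implementation from '{rev4[cid]}' to '{rev5[cid]}'"})
    for cid in delta.removed:
        items.append({"control": cid, "change": "removed from baseline",
                      "action": "retire SSP narrative; confirm the requirement was not relocated"})
    return items


def summarize(delta):
    """Counts in the same shape as the baseline comparison table."""
    return {"added": len(delta.added), "removed": len(delta.removed),
            "parameter_changes": len(delta.parameter_changed),
            "unchanged": len(delta.unchanged)}


if __name__ == "__main__":
    rev4 = parse_baseline(REV4_BASELINE)
    rev5 = parse_baseline(REV5_BASELINE)
    delta = compute_delta(rev4, rev5)
    print(summarize(delta))
    for item in transition_items(delta, rev4, rev5):
        print(f"{item['control']:<6} {item['change']:<22} {item['action']}")
```

The output of `transition_items` is the starting point for the SSP and POA&M updates the transition plan requires: each added or changed control becomes a tracked item with an owner, an implementation date and a test date, and each removed control is checked to confirm its requirement did not simply move to another control before its narrative is retired.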
How can Quzara Assist in your Transition Journey?
Here are some ways that Quzara can assist organizations in their transition to FedRAMP Revision 5:
Gap Assessment Service: Quzara can conduct a comprehensive Gap Assessment that compares your current compliance with the Revision 4 requirements to the new requirements of Revision 5. This service provides an understanding of the differences (the "gap") and what steps need to be taken to comply with Revision 5. The intended outcome is a clear roadmap detailing the actions required for compliance.
Documentation Revision and Preparation: In line with the new requirements, Quzara can aid in the revision of your System Security Plan (SSP), Policies & Procedures, and other ancillary documents. The intended outcome here is to have updated documentation that aligns with the Revision 5 requirements and is ready for submission to the relevant authorities.
Technical Implementation Consultation: Quzara can provide consultation and guidance on necessary technological updates and system hardening to meet new controls, parameters, and enhancements brought about by Revision 5. Our experts can also provide advice on the management of supply chain risk and the integration of third-party solutions. The intended outcome is a system that meets the technical requirements of Revision 5.
Privacy Consultation: Given the heightened emphasis on privacy in Revision 5, Quzara can provide a thorough review of your existing privacy practices and offer suggestions for improvement. This includes the development of privacy training, Privacy Impact Analysis, and more. The intended outcome is an improved privacy posture that aligns with the new FedRAMP guidelines.
Training and Workshops: Quzara can provide training sessions and workshops on Revision 5 for your teams. These would cover the new controls, requirements, and other changes to ensure your team is equipped to handle the transition and maintain compliance thereafter. The intended outcome is a well-informed and competent team ready to tackle the new challenges.
Continuous Monitoring Service: Post-authorization, Quzara can assist in maintaining your compliance with the ongoing monitoring requirements under Revision 5. This includes periodic assessments to ensure compliance is maintained and assisting in the implementation of new controls as they are introduced. The intended outcome is the preservation of your authorization status and a reduced burden on your internal teams.
The transition to the FedRAMP Revision 5 baselines is a critical milestone for organizations that provide services and products to the federal government. By following the timeline and steps outlined in this article, CSPs can navigate the transition period while keeping their customers' data secure and their authorization in good standing. As additional information becomes available from FedRAMP, we will cover the details in upcoming blog posts.
For additional information on this topic, or to learn how Quzara can further help you understand the NIST 800-53 Revision 5 or conduct a Rev. 4 to Rev. 5 gap assessment, contact our team.