FedRAMP Publishes Draft Rev. 5 Baselines
FedRAMP is releasing baselines for public comment, and we want your feedback.
Rev 5 Baselines
FedRAMP uses the National Institute of Standards and Technology’s (NIST) guidelines and procedures to provide standardized security requirements for cloud services. Specifically, FedRAMP leverages NIST’s Special Publication [SP] 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations series , the baselines and test cases.
In 2020, NIST released SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5 (Rev. 5) catalog of security and privacy controls and SP 800-53B, Control Baselines for Information Systems and Organizations. The FedRAMP PMO worked with the Joint Advisory Board to develop the FedRAMP baselines in alignment with NIST’s Rev. 5 update.
Applying Threat-Based Methodology to Rev 5 Baselines
Using the Threat-Based Methodology, FedRAMP analyzed each NIST SP 800-53, Rev. 5 control within the FedRAMP High baseline on their ability to protect, detect, and/or respond to each of the techniques outlined in the MITRE ATT&CK Framework version 8.2. FedRAMP applied the threat-based methodology to evaluate the controls FedRAMP adds above the published NIST Rev. 5 baseline.
By applying this methodology, FedRAMP significantly reduced the number of controls added by FedRAMP in addition to the NIST Rev. 5 baselines.
- Low baseline - FedRAMP added 1 additional control (above the NIST baseline)
- Moderate baseline - FedRAMP added 17 additional controls (above the NIST baseline)
- High baseline - FedRAMP added 22 additional controls (above the NIST baseline)
Each of these additional controls scored high enough in the threat scoring to retain in the FedRAMP baselines. Despite a significant increase in NIST baseline controls, FedRAMP was able to decrease the number of Moderate and High controls by leveraging threat scoring.
We Want Your Feedback!
FedRAMP anticipates that more strategic control selection will result in a more focused security authorization process. The FedRAMP PMO is releasing this initial draft of the FedRAMP Rev. 5 baselines for public comment. Your feedback is critical in continuing to provide the best guidance possible.