RFC-0027 FedRAMP Rev5 Security Controls Baseline Update for AC, AT, AU, CA, and CM Control Families
Summary
This is a technical RFC that proposes updates to the Additional FedRAMP Security Technical Controls Requirements and Guidance for FedRAMP Rev5 baselines.
To save space and to limit the breadth of a single RFC, this technical document shows only the proposed changes to the current baseline document and is restricted to a few control families. If verbiage is being updated, only the specific wording that is to be changed is identified in the Current Verbiage section. If verbiage is being added rather than replacing previous verbiage, it is identified as “NEW” in the Current Verbiage section.
Since the baseline spreadsheet covers hundreds of controls across multiple tabs and sections, only those specific controls, sections, and tabs identified are being proposed for updates. If it is not mentioned below, changes are NOT being proposed.
Commenters are advised to please mention specific controls in their comments!
This RFC addresses controls in the following families:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Assessment, Authorization and Monitoring (CA)
- Configuration Management (CM)
Motivation
Many Rev5 FedRAMP Requirements and Guidance statements are based on outdated approaches that predated the release of the FedRAMP Authorization Act and M-24-15. This set of Requirements and Guidance needs a refresh to match FedRAMP’s current rules and approach.
The updates formalized after this RFC will be included in the FedRAMP Consolidated Rules for 2026. That set of rules will be valid until December 31, 2028. FedRAMP will provide a transition plan for adopting any new guidance that will enable cloud service providers to update their approach as part of their annual assessment as appropriate.
These changes are designed to lower the burden for cloud service providers and eliminate previous pain points.
Additionally, NIST released 800-53 Rev 5.2.0 in August of 2025. While this update was minor, control updates from NIST will require updates to the FedRAMP Security Control Baseline in order to reflect this update. These changes will happen without public comment through FedRAMP since they are direct reflections of NIST changes. As subsequent iterations of the FedRAMP Security Control Baseline are published, it is FedRAMP’s intent to carry over only the following information from NIST 800-53: Control Family, Control Name, and Control ID. Following this will be FedRAMP-Defined Assignment / Selection Parameters and additional FedRAMP Requirements and Guidance.
Proposed Changes to Access Control Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
AC-02: Account Management
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: NEW
Proposed Change: a. Account types should align to those accounts identified within the FedRAMP Secure Configuration Guidance where applicable.
Rationale: Alignment with the FedRAMP Secure Configuration Guidance (SCG).
AC-10: Concurrent Session Control
Tabs Affected: High Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: AC-10-2 [three (3) sessions for privileged access and two (2) sessions for non-privileged access]
Proposed Change: AC-10-2 [one (1) session for Top-level administrative, three (3) sessions for privileged access, and two (2) sessions for non-privileged access]
Rationale: Alignment with the FedRAMP Secure Configuration Guidance (SCG).
Proposed Changes to Awareness and Training Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
AT-03: Role-based Training
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: NEW
Proposed Change: a. Top-Level Administrative and Privileged Accounts Secure Configuration Guidance must be included as part of role-based training where applicable.
Rationale: Alignment with the FedRAMP Secure Configuration Guidance (SCG).
Proposed Changes to Audit and Accountability Family
No changes are being proposed.
Proposed Changes to Assessment, Authorization, and Monitoring Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
CA-05: Plan of Action and Milestones
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: CA-5 (b) [at least monthly]
Proposed Change: CA-5 (b) [at least monthly for traditional FedRAMP Processes][every three months if opting into Collaborative Continuous Monitoring BIR] [Monthly Activity Report in lieu is due every month if opting into Vulnerability Detection and Response BIR]
Rationale: Updated based on BIRs
CA-05: Plan of Action and Milestones
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: CA-5 Requirement: POA&Ms must be provided at least monthly. CA-5 Guidance: Reference FedRAMP-POAM-Template
Proposed Change: CA-5 Requirement: POA&Ms must be provided at least monthly for traditional FedRAMP processes. For those opting into Collaborative Continuous Monitoring BIR, Ongoing Authorization Reports must be provided every three months. For those opting into Vulnerability Detection and Response BIR, a Monthly Activity Report is also required.
CA-5 Guidance: Reference FedRAMP-POAM-Template [traditional], CCM-OAR-AVL for those opting into Collaborative Continuous Monitoring BIR, and VDR-TFR-MHR for those opting into Vulnerability Detection and Response BIR
Rationale: Updated based on BIRs
CA-05: Plan of Action and Milestones
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Continuous Monitoring Periodicity
Current Verbiage: CA-5 (b) [at least monthly]
Proposed Change: CA-5 (b) [at least monthly for traditional FedRAMP Processes][Ongoing Authorization Report in lieu is due every three months if opting into Collaborative Continuous Monitoring BIR] [Monthly Activity Report in lieu is due every month if opting into Vulnerability Detection and Response BIR]
Rationale: Updated based on BIRs
CA-06: Authorization
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: CA-6 (e) [in accordance with OMB A-130 requirements or when a significant change occurs]
Proposed Change: CA-6 (e) [in accordance with OMB A-130 requirements or when a significant change occurs for those NOT participating in the SCN BIR]
Rationale: Updated based on BIRs
CA-07: Continuous Monitoring
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: CA-7 Requirement: Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
CA-7 Requirement: CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Continuous Monitoring Playbook. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight.
CA-7 Guidance: FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the continuous monitoring guidance provided in the FedRAMP Continuous Monitoring Playbook when developing the Continuous Monitoring Plan.
Proposed Change: Changes to CA-7 are being proposed in RFC-0026 Clarifying CA-7 Continuous Monitoring Expectations for Rev5 Providers, under the “CA-7 Additional FedRAMP Requirements and Guidance” section. Any comments associated with CA-7 should be submitted under RFC-0026.
Rationale: Updated based on BIRs and implementation issues within agencies.
Proposed Changes to Configuration Management Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
CM-06: Configuration Settings
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: CM-6 (a) Requirement 1: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;
CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
Proposed Change: CM-6 (a) Requirement 1: The service provider shall use Security Configuration Guidelines (See CM-6) to establish instructions on how to securely access, configure, operate, and decommission top-level administrative accounts within the cloud service offering. This MUST include explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications. This SHOULD include explanations of security-related settings that can be operated only by privileged accounts and their security implications.
CM-6 (a) Requirement 2: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;
CM-6 (a) Requirement 3: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
Rationale: Updated based on SCG BIR
CM-07: Least Functionality
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: CM-7 (b) Requirement: The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.
Proposed Change: CM-7 (b) Requirement: The service provider shall use Security Configuration Guidelines (See CM-6) to establish instructions on how to securely access, configure, operate, and decommission top-level administrative accounts within the cloud service offering, as well as to provide a list of prohibited or restricted functions, ports, protocols, and/or services, or shall establish its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS guidelines are not available.
Rationale: Updated based on SCG BIR
CM-08: System Component Inventory
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: CM-8 (b) [at least monthly]
Proposed Change: CM-8 (b) [at least monthly for those CSPs following traditional Rev 5 processes]. Those CSPs participating in VDR and CCM BIRs are exempt from this formal reporting requirement.
Rationale: Updated based on BIRs
CM-08: System Component Inventory
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: CM-8 Requirement: must be provided at least monthly or when there is a change.
Proposed Change: CM-8 Requirement: must be provided at least monthly or when there is a change for those CSPs following traditional Rev 5 processes. Those CSPs participating in VDR and CCM BIRs are exempt from this formal reporting requirement.
Rationale: Updated based on BIRs
CM-12: Information Location
Tabs Affected: Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: CM-12 Requirement: According to FedRAMP Authorization Boundary Guidance
Proposed Change: CM-12 Requirement: According to FedRAMP Boundary Guidance for those following traditional FedRAMP processes and the Minimum Assessment Scope (MAS) for those who are voluntarily participating in the Rev 5 MAS BIR.
Rationale: Updated based on BIRs
CM-12(1): Information Location | Automated Tools to Support Information Location
Tabs Affected: Moderate Baseline, High Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: NEW
Proposed Change: CP-2 (8) - [essential]
Rationale: Parameter previously undefined