RFC-0028 FedRAMP Rev5 Security Controls Baseline Update for CP, IA, IR, MA, and MP Control Families
Summary
This is a technical RFC that proposes updates to the Additional FedRAMP Security Technical Controls Requirements and Guidance for FedRAMP Rev5 baselines.
To save space and to limit the breadth of a single RFC, this technical document shows only the proposed changes to the current baseline document and is restricted to a few control families. Where verbiage is being updated, only the specific wording that is to be changed is shown in the Current Verbiage entry. Where verbiage is being added rather than replacing existing verbiage, the Current Verbiage entry is marked “NEW”.
Since the baseline spreadsheet covers hundreds of controls across multiple tabs and sections, only the specific controls, sections, and tabs identified below are proposed for update. No changes are proposed for anything not mentioned below.
Commenters are asked to cite the specific control IDs they are commenting on.
This RFC addresses controls in the following families:
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
Motivation
Many Rev5 FedRAMP Requirements and Guidance statements are based on outdated approaches that predated the release of the FedRAMP Authorization Act and M-24-15. This set of Requirements and Guidance needs a refresh to match FedRAMP’s current rules and approach.
The updates formalized after this RFC will be included in the FedRAMP Consolidated Rules for 2026. That set of rules will be valid until December 31, 2028. FedRAMP will provide a transition plan for adopting any new guidance that will enable cloud service providers to update their approach as part of their annual assessment as appropriate.
These changes are designed to lower the burden for cloud service providers and eliminate previous pain points.
Additionally, NIST released SP 800-53 Rev 5.2.0 in August 2025. Although this update was minor, control updates from NIST require corresponding updates to the FedRAMP Security Control Baseline. Those changes will be made without a FedRAMP public comment period because they are direct reflections of NIST changes. As subsequent iterations of the FedRAMP Security Control Baseline are published, FedRAMP intends to carry over only the following information from NIST SP 800-53: Control Family, Control Name, and Control ID. These will be followed by the FedRAMP-Defined Assignment / Selection Parameters and the additional FedRAMP Requirements and Guidance.
Proposed Changes to Contingency Planning Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
CP-02: Contingency Plan
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: CP-2 Requirement: CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available at: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).
Proposed Change: CP-2 Requirement: CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available at: https://www.fedramp.gov/resources/templates/SSP-Appendix-G-Information-System-Contingency-Plan-(ISCP)-Template.docx).
Rationale: Update existing link to active link.
CP-02(8): Contingency Plan | Identify Critical Assets
Tabs Affected: High Baseline, Moderate Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: NEW
Proposed Change: CP-2 (8) - [essential]
Rationale: Parameter previously undefined.
CP-03: Contingency Training
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: CP-3 (a) Requirement: Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.
Proposed Change: CP-3 (a) Requirement: Privileged admins (to include TLAs) and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.
Rationale: Alignment with verbiage updates in the FedRAMP Secure Configuration Guidance (SCG).
Proposed Changes to Identification and Authentication Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
IA-02: Identification and Authentication
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: IA-2 Requirement: For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.
IA-2 Requirement: Multi-factor authentication must be phishing-resistant.
IA-2 Requirement: All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.
IA-2 Guidance: “Phishing-resistant” authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.
Proposed Change: IA-2 Requirement: For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.
Multi-factor authentication must be phishing-resistant. Per CISA, one-time password (OTP), mobile push notification with number matching, and token-based OTP are NOT phishing-resistant.
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
IA-2 Requirement: Authentication Factors and their applicable protocols must be explicitly identified within applicable control documentation to include the System Security Plan. When following traditional Rev 5 processes, the Architecture Boundary Diagram must show every instance of MFA to include protocol, where applicable. This should, at a minimum, be at every ingress point into the boundary.
IA-2 Requirement: All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.
Rationale: This update was added to address a common issue seen during the authorization/certification process.
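The IA-2 requirement above turns on what "phishing-resistant" means in practice: the authentication output must be bound to the origin the user actually visited, so that a secret captured or relayed by a lookalike site is useless to the relying party. The following Go program is an added illustration, not part of this RFC or of any FedRAMP artifact. It simulates a FIDO2/WebAuthn assertion with a P-256 key from the standard library: the authenticator signs over the RP ID hash and the browser-supplied clientDataJSON (type, challenge, origin), and the relying party refuses any assertion whose origin, RP ID hash, challenge, or signature does not match. The host names (example.gov and the lookalike login-example.gov.evil) are constructed for the demonstration. An OTP relayed through a phishing page would carry no such binding and would verify identically from any origin, which is why the listed factors do not qualify.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn CollectedClientData fields that matter for
// phishing resistance. The browser, not the page script, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser returns to the relying party (RP).
type Assertion struct {
	AuthData       []byte // SHA-256(rpId) followed by a flags byte (counter omitted)
	ClientDataJSON []byte
	Signature      []byte // ASN.1 ECDSA over SHA-256(AuthData || SHA-256(ClientDataJSON))
}

// Authenticator stands in for a FIDO2 security key holding one credential.
type Authenticator struct {
	key  *ecdsa.PrivateKey
	rpID string // the RP ID the credential was registered for
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: key, rpID: rpID}, nil
}

// PublicKey is what the RP stored for this credential at registration time.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// signedMessage reproduces the WebAuthn signature base: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// Sign produces an assertion for a challenge. browserOrigin is the origin of the
// page that called navigator.credentials.get(); a lookalike site cannot forge it
// because the browser writes it into clientDataJSON before the key signs.
func (a *Authenticator) Sign(browserOrigin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the RP-side check. The origin and rpIdHash comparisons are what make
// the credential unusable from a phishing domain; the challenge check stops replay.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was collected on %s", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	// Constructed names for illustration only; not real FedRAMP or agency hosts.
	const rpID, origin, phish = "example.gov", "https://login.example.gov", "https://login-example.gov.evil"
	auth, _ := NewAuthenticator(rpID)
	good, _ := auth.Sign(origin, "challenge-1")
	fmt.Println("legitimate login:", Verify(auth.PublicKey(), rpID, origin, "challenge-1", good))
	relayed, _ := auth.Sign(phish, "challenge-1") // user lured onto a lookalike page
	fmt.Println("relayed from phishing page:", Verify(auth.PublicKey(), rpID, origin, "challenge-1", relayed))
}
```

In a real browser the attacker would not even reach the second case: the browser refuses to invoke the authenticator for an RP ID that is not a registrable suffix of the page's origin, so the rpIdHash check and the origin check are two independent layers. When documenting MFA instances on the boundary diagram per the proposed IA-2 requirement, the protocol named at each ingress point should be one that provides this binding (for example FIDO2/WebAuthn or PIV/CAC), not one of the factors CISA lists as non-resistant.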
IA-02(1): Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: Multi-factor authentication must be phishing-resistant.
Proposed Change: Multi-factor authentication must be phishing-resistant. Per CISA, one-time password (OTP), mobile push notification with number matching, and token-based OTP are NOT phishing-resistant.
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
Rationale: This update was added to address a common issue seen during the authorization/certification process.
IA-02(2): Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: Multi-factor authentication must be phishing-resistant.
Proposed Change: Multi-factor authentication must be phishing-resistant. Per CISA, one-time password (OTP), mobile push notification with number matching, and token-based OTP are NOT phishing-resistant.
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
Rationale: This update was added to address a common issue seen during the authorization/certification process.
IA-11: Reauthentication
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: The fixed time period cannot exceed the limits set in SP 800-63.
Proposed Change: The fixed time period cannot exceed the limits set in SP 800-63B.
Rationale: Updated to accurately reflect the correct Publication.
Proposed Changes to Incident Response Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
IR-02: Incident Response Training
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: IR-2 (a) (1) [ten (10) days for privileged users, thirty (30) days for Incident Response roles]
Proposed Change: IR-2 (a) (1) [ten (10) days for privileged users (to include TLA), thirty (30) days for Incident Response roles]
Rationale: Alignment with the FedRAMP Secure Configuration Guidance (SCG).
IR-06: Incident Reporting
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: IR-6 Requirement: Reports security incident information according to the guidance in the FedRAMP Continuous Monitoring Playbook.
Proposed Change: IR-6 Requirement: Reports security incident information according to the guidance in the FedRAMP Continuous Monitoring Playbook or Vulnerability Detection and Response (VDR) guidance (as applicable).
Rationale: Alignment with the FedRAMP Vulnerability Detection and Response (VDR) guidance.
IR-07: Incident Response Assistance
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: NEW
Proposed Change: CSPs must maintain a centralized point of contact and appropriate response rates to FedRAMP incidents as identified within FedRAMP Secure Inbox Guidance.
Rationale: Alignment with the FedRAMP Secure Inbox (FSI) guidance.
Proposed Changes to Maintenance Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
MA-05: Maintenance Personnel
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: NEW
Proposed Change: CSPs should clearly document nationality requirements for maintenance personnel, where applicable.
Rationale: Added due to recent events.
Proposed Changes to Media Protection Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
MP-06(1): Media Sanitization | Review, Approve, Track, Document, and Verify
Tabs Affected: High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: MP-6 (1) Requirement: Must comply with NIST SP 800-88
Proposed Change: MP-6 (1) Requirement: Must comply with NIST SP 800-88 Rev 2
Rationale: Administrative update.
MP-06(3): Media Sanitization | Nondestructive Techniques
Tabs Affected: High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: MP-6 (3) Requirement: Must comply with NIST SP 800-88
Proposed Change: MP-6 (3) Requirement: Must comply with NIST SP 800-88 Rev 2
Rationale: Administrative update.