
RFC-0029 FedRAMP Rev5 Security Controls Baseline Update for PE, PL, PM, PS, and PT Control Families

Summary

This is a technical RFC that proposes updates to the Additional FedRAMP Security Technical Controls Requirements and Guidance for FedRAMP Rev5 baselines.

To limit the length and scope of a single RFC, this technical document shows only the proposed changes to the current baseline document and is restricted to a few control families. Where existing verbiage is being updated, only the specific wording that is to be changed is identified in the Current Verbiage section. Where verbiage is being added rather than replacing previous verbiage, the Current Verbiage section is marked “NEW”.

Since this spreadsheet covers hundreds of controls across multiple tabs and sections, only those specific controls, sections, and tabs identified are being proposed for updates. If it is not mentioned below, changes are not being proposed.

Commenters are asked to mention specific controls in their comments.

This RFC addresses controls in the following families:

  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • PII Processing and Technology (PT)

Motivation

Many Rev5 FedRAMP Requirements and Guidance statements are based on outdated approaches that predated the release of the FedRAMP Authorization Act and M-24-15. This set of Requirements and Guidance needs a refresh to match FedRAMP’s current rules and approach.

The updates formalized after this RFC will be included in the FedRAMP Consolidated Rules for 2026. That set of rules will be valid until December 31, 2028. FedRAMP will provide a transition plan for adopting any new guidance that will enable cloud service providers to update their approach as part of their annual assessment as appropriate.

These changes are designed to lower the burden for cloud service providers and eliminate previous pain points.

Additionally, NIST released 800-53 Rev 5.2.0 in August 2025. While this update was minor, control updates from NIST require corresponding updates to the FedRAMP Security Control Baseline. These changes will be made without public comment through FedRAMP, since they are direct reflections of NIST changes. As subsequent iterations of the FedRAMP Security Control Baseline are published, FedRAMP intends to carry over only the following information from NIST 800-53: Control Family, Control Name, and Control ID. These will be followed by the FedRAMP-Defined Assignment / Selection Parameters and the additional FedRAMP Requirements and Guidance.

Proposed Changes to Physical and Environmental Protection Family

No changes are being proposed.

Proposed Changes to Planning Family

No changes are being proposed.

Proposed Changes to Program Management Family

No changes are being proposed.

Proposed Changes to Personnel Security Family

This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.

PS-03: Personnel Screening

Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: PS-3 (b) [for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions]
Proposed Change: PS-3 (b) [for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance and the tenth (10th) year for secret security clearance. Some agencies have moved to Continuous Vetting as part of Trusted Workforce 2.0. In these cases, personnel move into a continuous stage of monitoring and are relieved of the 5 or 10 year renewal requirements. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions]
Rationale: Updated to reflect the deletion of confidential clearance and the introduction of TW2.0.

PS-07: External Personnel Security

Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: NEW
Proposed Change: CSPs should clearly document nationality requirements for external personnel, where applicable.
Rationale: Added due to recent events.

Proposed Changes to PII Processing and Technology Family

No changes are being proposed.