RFC-0030 FedRAMP Rev5 Security Controls Baseline Update for RA, SA, SC, SI, and SR Control Families
Summary
This is a technical RFC that proposes updates to the Additional FedRAMP Security Technical Controls Requirements and Guidance for FedRAMP Rev5 baselines.
To save space and to limit the breadth of a single RFC, this technical document shows only the proposed changes to the current baseline document and is restricted to a few control families. Where existing verbiage is being updated, only the specific wording that is to change is shown in the Current Verbiage section. Where verbiage is being added rather than replacing existing verbiage, the Current Verbiage section reads “NEW”.
Since this spreadsheet covers hundreds of controls across multiple tabs and sections, only those specific controls, sections, and tabs identified are being proposed for updates. If it is not mentioned below, changes are not being proposed.
Commenters are asked to name the specific controls they are commenting on.
This RFC addresses controls in the following families:
- Risk Assessment (RA)
- System and Service Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Supply Chain Risk Management (SR)
Motivation
Many Rev5 FedRAMP Requirements and Guidance statements are based on outdated approaches that predated the release of the FedRAMP Authorization Act and M-24-15. This set of Requirements and Guidance needs a refresh to match FedRAMP’s current rules and approach.
The updates formalized after this RFC will be included in the FedRAMP Consolidated Rules for 2026. That set of rules will be valid until December 31, 2028. FedRAMP will provide a transition plan for adopting any new guidance that will enable cloud service providers to update their approach as part of their annual assessment as appropriate.
These changes are designed to lower the burden for cloud service providers and eliminate previous pain points.
Additionally, NIST released 800-53 Rev 5.2.0 in August of 2025. While this update was minor, control updates from NIST require corresponding updates to the FedRAMP Security Control Baseline. These changes will happen without public comment through FedRAMP since they are direct reflections of NIST changes. As subsequent iterations of the FedRAMP Security Control Baseline are published, it is FedRAMP’s intent to carry over only the following information from NIST 800-53: Control Family, Control Name, and Control ID. These will be followed by the FedRAMP-Defined Assignment / Selection Parameters and the additional FedRAMP Requirements and Guidance.
Proposed Changes to Risk Assessment Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
RA-05: Vulnerability Monitoring and Scanning
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: RA-5 (a) [monthly operating system/infrastructure; monthly web applications (including APIs) and databases]
RA-5 (d) [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low-risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery]
Proposed Change: RA-5 (a) [monthly operating system/infrastructure; monthly web applications (including APIs) and databases for traditional Rev 5 processes] For those opting into the Vulnerability Detection and Response:
Low Systems
Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 7 days.
Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every month.
Providers SHOULD evaluate ALL vulnerabilities as required by VDR-TFR-EVU (Evaluation) within 7 days of detection.
Moderate Systems
Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 3 days.
Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 14 days.
Providers SHOULD evaluate ALL vulnerabilities as required by VDR-TFR-EVU (Evaluation) within 5 days of detection.
High Systems
Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once per day.
Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 7 days.
Providers SHOULD evaluate ALL vulnerabilities as required by VDR-TFR-EVU (Evaluation) within 2 days of detection.]
RA-5 (d) [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low-risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery for traditional Rev 5 processes] [For those opting into the Vulnerability Detection and Response, mitigation timeline requirements are laid out in section VDR-TFR-PVR and are based on a combination of impact categorization, potential for impact, internet reachability, and likely exploitability.]
Rationale: Updated based on the Balance Improvement Releases (BIRs).
RA-05: Vulnerability Monitoring and Scanning
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: RA-5 Guidance: See the vulnerability scanning requirements defined in the FedRAMP Continuous Monitoring Playbook.
RA-5 (a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
RA-5 (d) Requirement: If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.
RA-5 (e) Requirement: to include all Authorizing Officials.
RA-5 Guidance: Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity, and for FedRAMP, does not require an entry onto the POA&M or entry onto the RET during any assessment phase.
Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any Significant Change Request or SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, the false positive is captured as a deviation request in the POA&M.
Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs.
Proposed Change: RA-5 Guidance: See the vulnerability scanning requirements defined in the FedRAMP Continuous Monitoring Playbook for the traditional Rev 5 pathway. For those who have opted into the Vulnerability Detection and Response BIR, see the Vulnerability Detection and Response Guidance. The evaluation criteria are drastically different for Service Providers who opted into the BIR; those providers should pay close attention to the evaluation factors listed in section VDR-EVA-EFA of the Vulnerability Detection and Response Guidance.
RA-5 (a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
RA-5 (d) Requirement: If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.
RA-5 (e) Requirement: to include all Authorizing Officials.
RA-5 Guidance: Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.
Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, the false positive is captured as a deviation request in the POA&M.
Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs.
Rationale: Updated based on BIRs.
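The RA-5 (d) requirement above combines two rules: the FedRAMP parameter (30/90/180 days from discovery by risk rating, for the traditional Rev 5 pathway) and the CISA KEV due date, which supersedes that parameter whenever the finding's CVE is in the KEV catalog. The following script, added here as an example and not FedRAMP tooling, computes the governing due date for each finding and flags those overdue as of a given date. It assumes a KEV catalog excerpt in the shape of the published CISA JSON feed (only the cveID and dueDate fields are used) with placeholder CVE IDs, constructed sample findings, and the assumption that a scanner "critical" rating is handled on the high-risk timeline, since the parameter text names only high, moderate and low.

```python
"""RA-5 (d) remediation deadline check (added example; not FedRAMP's own tooling).

Applies the traditional Rev 5 timelines (30/90/180 days from discovery by risk rating)
and the RA-5 (d) requirement that a CISA KEV due date supersedes the FedRAMP parameter.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# RA-5 (d) FedRAMP parameter for traditional Rev 5 processes: days from date of discovery.
FEDRAMP_SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Constructed excerpt in the shape of the CISA KEV JSON feed. The CVE IDs are placeholders,
# not real catalog entries; a real run would load the published catalog file instead.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2025-02-15"},
    {"cveID": "CVE-0000-0002", "dueDate": "2025-04-30"}
  ]
}"""


@dataclass
class Finding:
    finding_id: str
    severity: str        # scanner rating: low, moderate, high or critical
    discovered: date
    cves: list[str]


def load_kev_due_dates(kev_json: str) -> dict[str, date]:
    """Map cveID -> dueDate from a KEV catalog document."""
    feed = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}


def remediation_due(finding: Finding, kev: dict[str, date]) -> tuple[date, str]:
    """Return (due_date, basis); basis is 'FedRAMP RA-5 (d)' or 'CISA KEV'."""
    sev = finding.severity.lower()
    # Assumption: a scanner 'critical' rating is handled on the high-risk (30-day) timeline;
    # the FedRAMP parameter text itself names only high, moderate and low.
    if sev == "critical":
        sev = "high"
    if sev not in FEDRAMP_SLA_DAYS:
        raise ValueError(f"unrecognised severity {finding.severity!r} on {finding.finding_id}")
    due = finding.discovered + timedelta(days=FEDRAMP_SLA_DAYS[sev])
    basis = "FedRAMP RA-5 (d)"
    # A finding can cover several CVEs; if any is in KEV, the earliest KEV due date governs
    # and supersedes the FedRAMP parameter, as RA-5 (d) requires.
    kev_dates = [kev[c] for c in finding.cves if c in kev]
    if kev_dates:
        due, basis = min(kev_dates), "CISA KEV"
    return due, basis


def overdue_report(findings: list[Finding], kev: dict[str, date], as_of: date) -> list[dict]:
    """One row per finding with its governing due date and whether it is overdue as of `as_of`."""
    rows = []
    for f in findings:
        due, basis = remediation_due(f, kev)
        rows.append({"id": f.finding_id, "due": due, "basis": basis, "overdue": as_of > due})
    return rows


# Constructed sample findings (illustrative, not from any real scan).
SAMPLE_FINDINGS = [
    Finding("F-1", "high", date(2025, 1, 10), []),                     # FedRAMP: 2025-02-09
    Finding("F-2", "moderate", date(2025, 1, 10), ["CVE-0000-0001"]),  # KEV: 2025-02-15
    Finding("F-3", "low", date(2025, 1, 10), ["CVE-0000-0002"]),       # KEV: 2025-04-30
    Finding("F-4", "critical", date(2025, 1, 10), []),                 # treated as high: 2025-02-09
]

if __name__ == "__main__":
    for row in overdue_report(SAMPLE_FINDINGS, load_kev_due_dates(KEV_JSON), date(2025, 3, 1)):
        print(row)
```

The function follows the wording of the requirement literally (the KEV date supersedes the parameter). A provider that never wants a KEV listing to extend a deadline can take the earlier of the two dates instead; that is a local policy choice, not something the requirement text states.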
RA-05: Vulnerability Monitoring and Scanning
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Continuous Monitoring Periodicity
Current Verbiage: RA-5 (a) [monthly operating system/infrastructure; monthly web applications (including APIs) and databases]
RA-5 (d) [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low-risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery].
Proposed Change: RA-5 (a) [monthly operating system/infrastructure; monthly web applications (including APIs) and databases for traditional Rev 5 processes] For those opting into the Vulnerability Detection and Response:
Low Systems
Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 7 days.
Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every month.
Providers SHOULD evaluate ALL vulnerabilities as required by VDR-TFR-EVU (Evaluation) within 7 days of detection.
Moderate Systems
Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 3 days.
Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 14 days.
Providers SHOULD evaluate ALL vulnerabilities as required by VDR-TFR-EVU (Evaluation) within 5 days of detection.
High Systems
Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once per day.
Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 7 days.
Providers SHOULD evaluate ALL vulnerabilities as required by VDR-TFR-EVU (Evaluation) within 2 days of detection.]
RA-5 (d) [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low-risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery for traditional Rev 5 processes] [For those opting into the Vulnerability Detection and Response, mitigation timeline requirements are laid out in section VDR-TFR-PVR and are based on a combination of impact categorization, potential for impact, internet reachability, and likely exploitability.]
Rationale: Updated based on BIRs.
Proposed Changes to Systems and Services Acquisition Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
SA-04(5): Acquisition Process | System, Component, and Service Configurations
Tabs Affected: High Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: SA-4 (5) (a) The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.
Proposed Change: SA-4 (5) (a) The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available and must be documented and validated during independent assessment.
Rationale: Updated to ensure custom baselines are documented and reviewed.
SA-05: System Documentation
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: NEW
Proposed Change: a. (1) in conjunction with the FedRAMP Security Configuration Guidance
Rationale: Updated based on SCG requirements.
SA-15: Development Process, Standards, and Tools
Tabs Affected: High Baseline, Moderate Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: SA-15 (b)-2 [FedRAMP Security Authorization requirements]
Proposed Change: SA-15 (b)-2 [FedRAMP Security Authorization/Certification requirements]
Rationale: Updated to reflect the transition to a certification authority.
Proposed Changes to Systems and Communications Protection Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
SC-07(5): Boundary Protection | Deny by Default — Allow by Exception
Tabs Affected: High Baseline, Moderate Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: SC-7 (5) [any systems]
Proposed Change: SC-7 (5) [all systems/services]
Rationale: More inclusive of cloud design.
SC-07(8): Boundary Protection | Route Traffic to Authenticated Proxy Servers
Tabs Affected: High Baseline, Moderate Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: SC-7 (8)-2 [any network outside of organizational control and any network outside the authorization boundary].
Proposed Change: SC-7 (8)-2 [any network outside of organizational control and any network outside of assessment scope (for those following the Minimum Assessment Scope (MAS) BIR), or the established boundary (for those following traditional Rev 5)].
Rationale: Takes the MAS BIR into account.
SC-13: Cryptographic Protections
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: NEW
Proposed Change: For cryptographic modules listed as “historical” in the CMVP database, Service Providers must follow the FedRAMP instructions here: https://www.fedramp.gov/archive/2022-12-22-crypto-modules-historical-status/
Rationale: This update was added to address a common issue seen during the authorization/certification process.
Proposed Changes to Systems and Information Integrity Family
This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.
SI-02(2): Flaw Remediation | Automated Flaw Remediation Status
Tabs Affected: High Baseline, Moderate Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: SI-2 (2)-2 [at least monthly]
Proposed Change: SI-2 (2)-2 [at least monthly for those CSPs following traditional Rev 5 processes][persistently for those CSPs participating in VDR BIR].
Rationale: Updated based on VDR requirements.
SI-03: Malicious Code Protection
Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: FedRAMP-Defined Assignment / Selection Parameters
Current Verbiage: SI-3 (c) (1)-1 [at least weekly]
Proposed Change: SI-3 (c) (1)-1 [at least weekly for those CSPs following traditional Rev 5 processes][persistently for those CSPs participating in VDR BIR].
Rationale: Updated based on VDR requirements.
SI-05: Security Alerts, Advisories, and Directives
Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: SI-5 Requirement: Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.
Proposed Change: SI-5 Requirement: Service Providers must address the CISA Emergency Directives (EDs) and Binding Operational Directives (BODs) applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status. EDs and BODs can be found here: https://www.cisa.gov/news-events/directives
ED and BOD responses will be coordinated through the FedRAMP Secure Inbox (FSI) process. Service Providers are required to follow all response timelines in accordance with FSI guidance.
Rationale: Updated to reflect FSI process.
SI-08: Spam Protection
Tabs Affected: Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: SI-8 Guidance:
When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.
https://cyber.dhs.gov/bod/18-01/
SI-8 Guidance: CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.
Proposed Change: SI-8 Guidance:
When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.
https://www.cisa.gov/news-events/directives/bod-18-01-enhance-email-and-web-security
SI-8 Guidance: CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.
Rationale: Updated old link.
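The SI-8 guidance above asks CSPs to confirm that the sending domain's DMARC record carries p=reject and that rua includes reports@dmarc.cyber.dhs.gov. The following checker, added here as an example and not FedRAMP or CISA tooling, parses a DMARC TXT record and reports every way it falls short of that guidance. It goes slightly beyond the guidance text by also flagging two things that quietly weaken a p=reject record under RFC 7489: an explicit sp= subdomain policy weaker than reject (subdomains inherit p only when sp is absent) and a pct below 100 (the default), which applies the policy to only part of the mail stream. The sample records are constructed, and agency.example is a placeholder domain.

```python
"""DMARC record check against the SI-8 guidance (added example; not FedRAMP or CISA tooling):
p=reject and rua including reports@dmarc.cyber.dhs.gov, per BOD 18-01.
"""
from __future__ import annotations

REQUIRED_RUA = "mailto:reports@dmarc.cyber.dhs.gov"


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict (tag names lower-cased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return the list of problems found; an empty list means the record meets the guidance."""
    problems: list[str] = []
    tags = parse_dmarc(record)
    # RFC 7489 requires v=DMARC1 as the first tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "<missing>").lower()
    if policy != "reject":
        problems.append(f"policy is p={policy}, expected p=reject")
    # sp= sets the subdomain policy; when absent it inherits p. An explicit weaker sp
    # would exempt subdomains from reject (a check beyond the guidance's literal text).
    sp = tags.get("sp")
    if sp is not None and sp.lower() != "reject":
        problems.append(f"subdomain policy sp={sp} is weaker than reject")
    # pct defaults to 100; a lower value applies the policy to only part of the mail stream.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        problems.append(f"pct={pct} applies the policy to only part of the mail stream")
    # rua is a comma-separated list of URIs, each optionally suffixed with a size limit (!10m).
    rua = [u.strip().split("!", 1)[0].lower() for u in tags.get("rua", "").split(",") if u.strip()]
    if REQUIRED_RUA not in rua:
        problems.append(f"rua does not include {REQUIRED_RUA}")
    return problems


# Constructed sample records (illustrative; agency.example is a placeholder domain).
COMPLIANT = "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example, mailto:reports@dmarc.cyber.dhs.gov"
WEAK = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@agency.example"
SUBDOMAIN_GAP = "v=DMARC1; p=reject; sp=none; rua=mailto:reports@dmarc.cyber.dhs.gov!10m"

if __name__ == "__main__":
    for name, rec in [("COMPLIANT", COMPLIANT), ("WEAK", WEAK), ("SUBDOMAIN_GAP", SUBDOMAIN_GAP)]:
        print(name, check_dmarc(rec) or "OK")
```

To check a live domain, fetch the TXT record at _dmarc.<FROM domain> (the location RFC 7489 specifies) and pass its string to check_dmarc; run it once per FROM: domain listed in the SI-08 implementation description, since each domain publishes its own record.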
Proposed Changes to Supply Chain Risk Management Family
No changes are being proposed.