After much anticipation, the final selection of NIST SP 800-53 Revision 5 security controls was released by the FedRAMP Program Management Office (PMO) on May 30, 2023. The PMO provided a handful of key documents, including the Rev. 5 Baselines, the Cloud Service Provider (CSP) Transition Plan, and a Rev. 4 to Rev. 5 Baseline Comparison Summary.
Timeline for adoption
Specific details on the process for CSPs to migrate from the Rev. 4 baseline to Rev. 5 have been provided by FedRAMP within the CSP Transition Plan. The exact path forward will depend on where the CSP is in their FedRAMP journey:
- CSPs who do not have an ATO and do not meet one of the following criteria will have to proceed through their initial assessment using Rev. 5:
  - JAB path: If the CSP has had their business case accepted by the JAB and has a 3PAO under contract, is currently undergoing a 3PAO assessment, or just finished a 3PAO assessment, and is working on final package submission, they may continue their authorization journey under Rev. 4.
  - Agency path: If the CSP has an agency sponsor and has a 3PAO under contract, is currently undergoing a 3PAO assessment, or just finished a 3PAO assessment, and has submitted the package for agency review, they may continue with their Rev. 4 authorization.
- CSPs who already have an ATO must meet Rev. 5 by the date of their annual assessment but must start planning now and update their documents by September 1, 2023.
Key control updates
While some may have noticed that there are now fewer controls in each baseline, it’s important to recognize that the control reduction does not necessarily indicate that the path to FedRAMP has been made easier. Many of the removed controls seemed minor in importance, while some of the added or changed controls may involve a substantial amount of work for CSPs. Even cloud providers who have successfully navigated a FedRAMP assessment under Rev. 4 may be challenged to meet the new security bar.
To provide a sense of the overall scope of the update, approximately one-third of the controls in the High and Moderate baselines are new or have been modified, and many controls that were in the High baseline have been adopted for the Moderate baseline.
If this seems daunting, don’t be discouraged: many of the changes are small and only require tweaks to processes or documents. Examples of some minor changes include notifying account managers within eight hours of personnel terminations and transfers, updating training content annually, analyzing proposed changes for privacy impacts, requiring re-authentication after 12 hours of activity, and performing vulnerability scans on APIs. Coalfire also noted that several other updates simply clarify the scope or nature of an existing control.
However, some of the changes will be impactful in terms of the amount of work and cost required to implement them. Examples of these include:
- CM-6: CSPs will be required to harden components against DoD STIGs or CIS Level 2 Benchmarks. CSPs have historically been required to comply with CIS Level 1 Benchmarks for baselining operating systems, databases, and popular web service software, but now they must use the more restrictive DoD Security Technical Implementation Guides (STIGs).
- SR Family: Implementing a supply chain risk management process that involves scrutinizing vendors and sources of hardware, software, and firmware to ensure that counterfeits and adulterated products are not used in the CSP’s cloud system.
- IA-5: Password rules are more closely aligned with NIST 800-63 and include requirements for checking new passwords against a list of commonly used, expected, or compromised values; storing passwords using an approved salted key derivation function, preferably using a keyed hash such as PBKDF2 or Balloon; allowing user selection of long passwords; and for emergency accounts and cases where MFA cannot be used, 14 characters minimum and complexity rules.
- IA-2 (1): MFA authenticators must be phishing-resistant, which generally means FIDO2 compliance.
- CM-12: Determining what types of data are stored where, and then using an automated mechanism to identify that data on system components.
- SC-5: Using advanced firewall services and techniques to prevent specific denial-of-service (DoS) attacks, including ICMP (ping) flood, SYN flood, slowloris, buffer overflow attacks, and volumetric attacks.
- SC-7: Performing more aggressive network monitoring, particularly of outbound control plane traffic, as well as providing the capability to prevent the exfiltration of data.
- SC-20: Using only authoritative DNS servers that comply with the geographic requirements established in SA-9 (5). This will include restricting authoritative DNS servers to the United States for FedRAMP High systems.
- Additional Requirements: CSPs will also now be required to meet all DHS Binding Operational Directives (BODs). While some of the BODs have already been incorporated into the new controls for Rev. 5, a few require additional actions, such as performing automated asset discovery every week, running vulnerability scans every two weeks, and providing an email address so the public can report security bugs and vulnerabilities to the CSP.
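An added example (not part of the Coalfire post or of FedRAMP's own materials) showing how the IA-5 items above translate into code: a check against a list of commonly used or compromised values, the 14-character-plus-complexity rule for emergency accounts and accounts that cannot use MFA, and salted PBKDF2 storage with constant-time verification. The blocklist is a constructed sample; the PBKDF2 iteration count, salt size, the three-character-class complexity rule and the 8-character floor for MFA-backed accounts are assumptions the page does not state.

```python
import hashlib
import hmac
import os
import re

# Constructed sample blocklist; a real deployment loads a breach/common-password corpus.
BLOCKLIST = {"password", "password1", "qwerty123456", "welcome2023", "letmein"}

# Assumed parameters (not given on the page): PBKDF2-HMAC-SHA256, 600k iterations, 16-byte salt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MAX_LENGTH = 128  # long passwords are allowed; nothing is silently truncated

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def check_password_policy(password: str, mfa_available: bool) -> list:
    """Return the list of IA-5 policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("matches a commonly used, expected, or compromised value")
    if not mfa_available:
        # Emergency accounts and accounts that cannot use MFA: 14-character minimum plus complexity.
        if len(password) < 14:
            problems.append("shorter than 14 characters for a non-MFA account")
        classes = sum(bool(re.search(p, password)) for p in CHAR_CLASSES)
        if classes < 3:  # assumed complexity rule: at least three of the four character classes
            problems.append("fewer than three character classes for a non-MFA account")
    elif len(password) < 8:  # assumed floor for MFA-backed accounts
        problems.append("shorter than 8 characters")
    return problems


def hash_password(password: str) -> str:
    """Store the password as PBKDF2-HMAC-SHA256 over a fresh random salt (never the plaintext)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```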
The introduction of the new FedRAMP baselines presents a clear security uplift that strengthens the posture of cloud services participating in the FedRAMP program. While adopting the new requirements will take effort, many of these additions directly mitigate the risks present in the current cyber threat landscape and in modern cloud environments.
In addition to the updated control standard being adopted by CSPs, the level of effort for a 3PAO assessment has also increased. If a cloud has already been authorized, the CSP and 3PAO must begin planning to evaluate all new or modified controls introduced in the Rev. 5 baseline. To facilitate this process, the PMO plans to release a Rev. 4 to Rev. 5 Assessment Controls Selection Template as a guide. This template will include a series of worksheets that cloud providers must populate in order to understand the true audit level of effort (LOE) required. These worksheets include:
- Rev. 5 List of Controls: This sheet will include the final set of controls the CSP will have evaluated as part of their transition assessment.
- Conditional Controls: The Conditional Controls worksheet will include the modified controls that CSPs must evaluate to determine if testing conducted as part of their Rev. 4 assessment is sufficient to cover the new requirements. If they determine that testing has already met the objective, the 3PAO will provide a description of what analysis took place and reference artifacts that supported their conclusion. If testing hasn’t covered the new requirement, the control will be added to the transition testing cycle.
- CSP-Specific Controls: Since transition evaluations will likely occur at the same time as the CSP’s next annual assessment, this tab has been created to document the standard third of controls selected for continuous monitoring of the system.
- Inherited Controls: As its name implies, the inherited controls worksheet will identify all the controls the cloud service offering (CSO) inherits from a leveraged cloud provider.
While this control selection template hasn’t been released yet, both CSPs and 3PAOs will be dependent on its contents to identify the true uplift associated with moving from Rev. 4 to Rev. 5.
CSPs should also expect to see a higher number of detected vulnerabilities during their upcoming annual assessments due to the new requirements associated with the CM-6, Configuration Settings, security control. The new requirements for CM-6 specify that DISA Security Technical Implementation Guides (STIGs) be used for system hardening as opposed to the lighter-weight CIS Level 1 benchmarks that were previously acceptable. Updated FedRAMP guidance will require that 3PAOs evaluate each individual benchmark deviation and issue a unique finding when the deviation aligns with another control in the FedRAMP baseline. For larger systems, this can mean several dozen additional findings in the assessment report.
The path ahead
Coalfire advisory and assessment teams have been monitoring the Rev. 5 updates since last year and are ready to help CSPs analyze the impacts on their systems and then plan their transition. While the templates and test workbooks have not yet been published, the PMO's final control baselines and transition plan guidance will enable CSPs to start now to meet the new Rev. 5 requirements this year.