FedRAMP’s Changes: What Exactly Does It Mean?

Everything changes, which means nothing stays the same. The Federal Risk and Authorization Management Program (FedRAMP) has changed, and those changes mean that requirements are no longer the same for Cloud Service Providers (CSPs) who provide or plan to provide cloud service offerings (CSOs) to U.S. Government agencies. Effective FY 2023, the FedRAMP Joint Authorization Board (JAB) approved the FedRAMP Rev. 5 baselines, which makes U.S. contractors responsible for paying strict attention to the services they offer to government entities; this applies to CSPs because the services they offer codify the FedRAMP Authorization Act (the “Act”). The newly implemented changes include several new security measures, such as changes to control totals, the integration of new privacy considerations, notable control families, and guidance not featured in Rev. 4, all of which reinforce cloud protective protocols.
What is Rev. 5?

Rev. 5 refers to the fifth revision of the security and privacy controls catalog of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.
What are the New Changes?

FedRAMP’s newest changes consist of transitioning from NIST 800-53 Rev. 4 to Rev. 5 baselines. NIST changed the requirement in Rev. 5, which now utilizes a Threat-based Methodology to assess each control’s ability to prevent, detect, and respond to the adversary techniques found in the MITRE ATT&CK Framework. “Within Rev. 5, FedRAMP has modified the requirement to implement a Controlled Access Area (CAA). The changes in Rev. 5 make compliance with the physical protection requirements considerably easier to attain.” Another change lies with the Federal Secure Cloud Advisory Committee (FSCAC). This committee now provides general recommendations regarding FedRAMP and cloud services procurement.
Understanding the New Changes

Sometimes change can be confusing, but this change for FedRAMP is important to the overall enhancement of security measures of data and information systems; it makes for a sound