FedRAMP

FedRAMP Revision 5 Changes

Adoption of outcome-based control definitions:

  • Provides clearer goals for each control and greater flexibility in implementation

  • Allows a broader range of organizations to meet baseline standards, including commercial entities

  • Removal of prioritization guidance also offers greater flexibility in control implementation and management

Integration of threat-based intelligence and methodologies into controls:

  • FedRAMP conducted a second round of scoring efforts to ensure alignment with the MITRE ATT&CK framework

  • Meticulously examined each NIST SP 800-53, rev. 5 control to determine its ability to protect against, detect, and/or respond to each technique outlined in version 8.2 of the MITRE ATT&CK Framework

Addition of Supply Chain Risk Management controls:

  • Reflects growing concern over supply chain security, particularly in critical infrastructure and government supply chains

  • Complements existing controls and highlights the importance of addressing supply chain risks

Differences in finalized baselines compared to draft Revision 5:

  • Inclusion of information spillage response controls

Overall changes in Rev. 5:

  • Introduces many new and improved controls

  • Focus on smarter cybersecurity operations rather than simply adding more controls

  • Aims to help organizations implement controls that are effective in mitigating risk and achieving desired outcomes

FedRAMP Facts

  1. FedRAMP is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

  2. FedRAMP requires cloud service providers to undergo a rigorous security assessment process before they can receive authorization to operate in the federal space.

  3. The security assessment process for FedRAMP includes a review of the cloud service provider's policies, procedures, and technologies to ensure that they meet the security requirements of the federal government.

  4. FedRAMP has three authorization levels: Low, Moderate, and High, each requiring a different set of security controls and depth of testing to achieve authorization.

  5. FedRAMP's control framework is based on the National Institute of Standards and Technology's (NIST) Special Publication 800-53, which outlines security controls for federal information systems.

  6. FedRAMP cloud service providers are required to comply with the controls listed in the FedRAMP Security Controls Baseline, which includes over 420 controls organized into 18 families.

  7. FedRAMP requires cloud service providers to undergo continuous monitoring to ensure they remain in compliance with security requirements.

  8. FedRAMP has a Joint Authorization Board (JAB) that reviews and approves cloud service providers seeking authorization at the FedRAMP High level.

  9. All federal agencies must use FedRAMP-authorized cloud services when moving to the cloud.

  10. FedRAMP provides a centralized repository of security assessment reports and authorization packages, making it easier for federal agencies to select and authorize cloud service providers.
