FedRAMP cloud security requirements under revision

The program management offices is aligning security impact levels with new NIST guidance on security and privacy controls.
(Getty Images)

Security requirements for cloud services are getting an update from the Federal Risk and Authorization Management Program to align with recent guidance from the National Institute of Standards and Technology.

The FedRAMP program management office (PMO) is currently drafting new baselines for the low-, moderate- and high-impact security levels based on NIST‘s fifth revision (Rev5) to Special Publication 800-53, which catalogs security and privacy controls. Those levels determine security based on whether the data being secured is publicly available, contains personally identifiable information, or would be detrimental to agencies and operation should it be exposed.

NIST released Rev4 more than six years ago, and Rev5’s extensive changes are intended to ensure the next generation of cloud products and the systems reliant upon them can be trusted to protect data appropriately.

“Based on the extensiveness of the updates on the baselines, the public comment period could range from 90 to 120 days,” said Andrew Lins, a principal at Noblis and FedRAMP cybersecurity expert, in the announcement. “But the PMO will ensure there is adequate time for all interested parties to provide comments.”


Once the FedRAMP PMO and the Joint Acquisition Board have released the new draft baselines, they will seek feedback from agencies and cloud service providers (CSPs).

Baselines and documentation will be updated based on their comments and Open Security Controls Assessment Language versions developed, so OSCAL-enabled applications can import them.

The updates will be released along with a CSP implementation plan, though the timing is dependent on NIST’s release of the final version of SP 800-53A, which addresses assessment plans. Only then can the FedRAMP PMO update test cases, so they can be properly conducted by CSPs.

“We will provide sufficient time to implement and test these updates and provide guidance on many of the new controls, many of which are focused on supply chain,” Lins said.

Latest Podcasts