FedRAMP is a relatively stable framework. Built on NIST Special Publication 800-53, the requirements that Cloud Service Providers (CSPs) and Managed Service Providers (MSPs) must meet are clear and straightforward, depending on their services. NIST SP 800-53 is subject to revision, however, and the most recent version (Revision 5) was finally published in September of 2020. This revision signals changes that could impact providers under FedRAMP authorization.
Here, we’ll cover NIST 800-53 and how it relates to FedRAMP, as well as some of the information we currently have regarding the new revision and how FedRAMP adoption might roll out.
What is Revision 5 of NIST 800-53?
NIST Special Publication (SP) 800-53 is the foundation for federal cybersecurity requirements. Multiple frameworks like FedRAMP and FISMA draw from it to help ground compliance demands in a unified landscape of security controls and practices.
Perhaps most importantly, NIST SP 800-53 defines a series of control families that contain physical, technical and administrative practices and safeguards for protected or controlled data. These control families cover several broad requirements that the federal government has deemed necessary to maintain cybersecurity for government systems.
- Access and Authorization Control
- Authentication and User Identification
- Personnel Security, Training and Physical Protections
- System Maintenance, Assessment, Integrity and Protection
- Risk Management
- Incident Response and Contingency Planning
- Audit Logging and Documentation
These are not a comprehensive mapping of the controls but rather broad areas of focus. A full breakdown of the control families is available on the NIST website.
NIST 800-53 is important for two reasons:
- All federal agencies must comply with NIST 800-53. Additionally, certain contractors working with specific agencies or handling certain kinds of data must also adhere to NIST 800-53, depending on their compliance requirements. For example, cloud providers in the federal space must receive a FedRAMP Authorization to Operate (ATO), which is based on NIST 800-53.
- Non-federal commercial or industrial businesses can look to NIST 800-53 as a roadmap for rigorous governance, security and risk assessment practices. Many of these organizations, particularly those that work with private data, seek compliance to help them field effective security.
As you can see, NIST 800-53 covers more than technical safeguards such as encryption or data backup. It covers comprehensive security requirements that include assessment and planning as well as documentation and authorization.
To date, NIST 800-53 has undergone 5 revisions. The first two revisions added to the control families and made updates prompted by the technological changes of the early 2000s. Revisions 3, 4 and 5 introduced changes that are more recognizable to modern businesses:
- Revision 3 actually reduced the total number of controls for Low Impact classification and provided a framework for agencies and contractors to grandfather older but compliant security systems into service. This revision also worked to connect non-classified government agencies and those handling national security systems. Finally, this publication introduced a six-step risk management framework (RMF) and strategies to correlate FISMA security with ISO/IEC 27001.
- Revision 4 offered enhanced controls for specific areas like insider threats, supply chain security, social networking and mobile devices. This revision also introduced the 18 modern control families in existence today.
- Revision 5 changed a significant amount of language to open up regulations and compliance to a broader spectrum of agencies, contractors and systems. It also integrates several new risk management frameworks and assessments to aid agencies with assessing threats from evolving areas.
Why is NIST 800-53 Important for FedRAMP?
FedRAMP bases its entire cybersecurity structure, including control requirements and definitions, on NIST 800-53. Specifically, FedRAMP breaks different levels of compliance into three categories:
- Low Impact, which requires compliance with 125 NIST 800-53 controls
- Moderate Impact, which requires 325 controls, and
- High Impact, which requires 421 controls
These numbers can change, or be tailored, depending on the agency or the data involved.
As expected, any revision to NIST 800-53 impacts FedRAMP requirements, especially how your organization fits within a given Impact Level.
This can play out in two ways:
- New contractors or vendors working with federal agencies must adopt different standards. This isn’t a huge deal as a new business may not have any concept of previous requirements.
- Existing contractors or vendors must migrate their systems to the new version once FedRAMP authorities adopt the requirements.
The second could have a major impact on businesses in the federal space. Cloud providers working with agencies at a given level may have significant changes to make regarding any security, risk assessment or infrastructural system that they have in place. Managed Service Providers with complex services and offerings may have to trace these changes across multiple platforms and interlocking systems.
Also, although audits and assessments will eventually align with the newly adopted requirements, there will be a transition period during which providers face new audits and challenges.
FedRAMP authorities, however, have not fully adopted Revision 5 yet. The timeline has been somewhat ill-defined, but given that the FedRAMP website announced a transition timeline in November 2020, it appears that adoption and guidance are still some months away.
So far, FedRAMP authorities have outlined the following steps:
- Developing new FedRAMP baselines along with Revision 5 standards (this is the current state as of November 2020).
- Releasing a draft of these new baselines for review and comment.
- Updating FedRAMP baselines based on that feedback.
- Releasing a final Revision 5 baseline implementation plan.
While FedRAMP has not yet moved to Revision 5, it is signaling that the transition is coming, possibly in 2021 or early 2022.
CSPs and MSPs walk a fine line between focusing on compliance and ensuring that security meets the needs of their customers. That makes compliance and security full-time jobs that some organizations outsource to third-party support.
For those working within the FedRAMP framework, the upside is that they are already working with a Third-Party Assessment Organization (3PAO) that knows the specifications and what is coming down the pipeline. These organizations can also help automate and organize any changes as they come, so that shifting to new controls or configurations can be smooth, easy and fast.
If you are an enterprise business or an SMB providing cloud or SaaS services for federal agencies, or if you are a company that needs support for continuous monitoring and security management, partner with an organization that can automate compliance and security to protect your valuable infrastructure, meet your regulatory obligations and ensure high-level security. Call Continuum GRC at 1-888-896-6207 or contact us with the form below to learn about our ITAMs auditing and compliance tools.