While the primary difference is the introduction of a threat-based methodology, which will reduce the total number of controls, Rev 5 does add a series of new control families to its roster.
FedRAMP Revision 5 introduces three new control families: Supply Chain Risk Management (SR), Personally Identifiable Information Processing and Transparency (PT), and Program Management (PM).
The new SR family under FedRAMP Rev 5 is essentially an expansion of Rev 4's high-baseline control SA-12, Supply Chain Protection. Once adopted, it will require Cloud Service Providers (CSPs) to have a Supply Chain Risk Management Plan, with corresponding procedures and personnel, in place.
Privacy, and expanded efforts to protect it, is a hallmark of Revision 5. Accordingly, the PT control family addresses privacy risk management, which is currently covered by Revision 4's Privacy Control Catalog, Appendix J.
Like the two families above, the PM control family expands upon existing FedRAMP provisions. In this case, it builds upon the Information Security Program Management controls included in Appendix G of Revision 4.
FedRAMP, like many other compliance bodies, utilizes NIST guidelines as a baseline standard. Accordingly, when NIST 800-53 Revision 5 was released in fall 2020, compliance frameworks following NIST standards, like FedRAMP, quickly announced pending revisions of their own to ensure compliance with the new guidelines.
In addition to these new control families, FedRAMP Rev 5 also introduces a threat-based methodology and increased requirements dedicated to protecting privacy. Organizations bound to comply with FedRAMP (or any framework following NIST standards, for that matter) will need to review their current programs and update all documentation to account for the new requirements. This matters because once the revision is fully adopted, all parties subject to it will need to achieve compliance shortly thereafter.
FedRAMP Rev 5 closed for public feedback on April 1st, which means FedRAMP is currently reviewing all comments and making any corresponding edits. Our team expects the final version to be released in summer 2023, giving organizations a year to adjust their compliance programs.