After all, NIST guidelines have been used as a baseline standard by governments and industries across the world for well over seven years – FedRAMP included. As such, vendors subject to FedRAMP requirements will need to adjust their compliance programs accordingly.
Here’s what to expect from FedRAMP Revision 5.
The primary difference between FedRAMP Rev 4 and 5 is the introduction of Threat-Based Methodology. Using this methodology, FedRAMP tested the ability of each NIST SP 800-53, Rev. 5 control within the FedRAMP High baseline to protect against, detect, and/or respond to practices outlined in MITRE ATT&CK Framework version 8.2.
For organizations, the new threat-based approach means:
The initial draft for FedRAMP Rev 5 was released to the public for feedback late last year, and the feedback period officially closed on April 1st. From here, all commentary will be reviewed and any necessary edits to documentation will be made. Once that process has concluded, the revision will be published, and Rev 5 will officially be the new lay of the land. Our team anticipates this will take another year to conclude, giving organizations about a year and a half to adjust their compliance programs in anticipation of the new baselines.
Need help preparing for Rev 5? Get in touch with us below, and a member of our team will get you scheduled – at the most efficient pricing. Work smarter, not harder.