Getting Started with Your FedRAMP Rev. 4 to Rev. 5 Transition

On May 30, 2023, FedRAMP released the FedRAMP Revision 5 Baselines and Transition Plan. Since that release, the FedRAMP Program Management Office (PMO) has provided continued support and guidance through regular blog updates and weekly FedRAMP PMO Rev. 5 Office Hours.

While the question on how to approach the new FedRAMP baseline requirements is simpler for those without an existing FedRAMP authorization, it becomes more involved for those Cloud Service Providers (CSPs) that have an existing FedRAMP Authorized offering. The main question for most FedRAMP Authorized CSPs is what that transition plan looks like for them and what is their first step.

The FedRAMP Baseline Revision 5 Transition Guide provides a specific timeline on when this transition needs to be completed. The first due date in the Transition Guide is September 1, 2023. By this date, a CSP is expected to have identified the delta between their current FedRAMP Revision 4 implementation and the new FedRAMP Revision 5 requirements, and the transition must be completed based on when their current annual assessment has either been performed or is due:

‍

To complete the Rev. 4 to Rev. 5 transition, FedRAMP breaks down the transition into a series of 5 overarching tasks:

1. Develop a schedule that shows a CSP’s planned transition from Rev. 4 to Rev. 5.
2. Update documentation to FedRAMP Rev. 5 Templates.
3. Determine Scope of Assessment to include all new or modified requirements introduced in Rev. 5 as well as other control testing needed based on CSP-specific implementation and continuous monitoring activities.
4. Complete Security Assessment with a Third-Party Assessment Organization (3PAO) using the same processes and procedures as a normal FedRAMP assessment.
5. Complete a Plan of Actions and Milestones (POA&M) and submit it using the FedRAMP POA&M Template Completion Guide that documents all residual risks identified in the Security Assessment Report (SAR) and defines the plan for remediation of those risks. This POA&M will include known risks identified by the 3PAO that are associated with leveraging Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) systems in the POA&M.

While the Transition Guide outlines 5 tasks to complete the transition, the first step a CSP must take is to determine what gaps exist between their current Rev. 4 implementation and the new Rev. 5 requirements by September 1, 2023. The CSP is expected to develop plans (including implementation and testing schedule(s)) to address the delta and document those plans in the SSP and POA&M before posting them in the CSP’s package repository.

FedRAMP has been providing clarification within their weekly Office Hours and updates to their Rev 5 FAQ.  Based on the weekly Office Hours and FAQ, the following are some important things to consider when developing your delta analysis:  

• The format of the delta analysis is up to the CSP as FedRAMP will not be providing a template for this document.
• Deviations, including transition extension requests, must be documented in the CSP’s transition plan (due on 9/1/2023) AND approved by the Authorizing Official (AO).
• CSPs can use their Rev. 4 SSP to identify the gaps between their Rev. 4 control implementations and the Rev. 5 requirements.
• CSPs will document those gaps within the POA&M and the Rev. 5 CIS/CRM template.
• The Rev. 5 CIS/CRM template is the only new Rev. 5 template that must be used by September 1, 2023.
• The Rev. 5 CIS/CRM template provides stakeholders visibility into the Rev. 4 controls that have changed and what the CSP will do to implement the Rev. 5 requirements while also documenting the entire Rev. 5 gap.
• CSPs must manage the POA&Ms from the transition in the same way they manage POA&Ms during continuous monitoring: assigning severity, tracking remediation, and retaining all tracked control changes items for the transition to Rev. 5 through the transition assessment.
• All transition implementations tracked within PO&AMs should be complete and ready for testing activities during the next Annual Assessment.
• Each control that the CSP is documenting a gap for should be a unique POA&M entry, tracked and managed separately.
• CSPs should not group individual controls together so that the AO and leveraging systems have the necessary fidelity to understand each Rev. 5 control status.
• Once these plans have been developed, the CSP will track the implementation of the new changes during the POA&M management process and/or next Annual Assessment.
• While a Work Breakdown Structure (WBS) is not required for how a CSP will address any deltas, it may be requested by your AO so be sure to confirm your AO's expectations. The POA&M, however, should have sufficient detail so that the AO can track the activities and progress made.

8 of the 19 FAQ entries on the FedRAMP website are focused on the Rev. 4 to Rev. 5 delta analysis which shows how important it is to a CSP’s ability to successfully complete the Rev. 4 to Rev. 5 transition. This analysis is the first step for any CSP transitioning to Rev. 5 and is critical in developing a strong foundation for the transition and continued success of a CSP’s FedRAMP authorization, requiring the same dedicated resources and due diligence as any other phase in the FedRAMP authorization process.

RISCPoint is here to provide expert guidance and support as CSPs maneuver the complex transition of their systems to meet the new FedRAMP Revision 5 baselines. CSPs should not hesitate to reach out to trusted advisors and 3PAOs to make sure they understand the ramifications and impacts to strategic goals in pursuing or maintaining FedRAMP Authorization under Rev. 5.

RISCPoint is a partner-owned, industry leading cybersecurity and compliance consultancy. We are a tight-knit team of experienced professionals that focus on integrating seamlessly with our clients to harmonize their security and compliance obligations with their business success. RISCPoint’s team of experienced advisors deliver a comprehensive suite of FedRAMP services designed to guide your unique cloud solution through a successful initial and continued authorization. To learn more, visit riscpoint.com/contact or call 1-888-320-1327.