FedRAMP Updates the Threat-Based Methodology to Authorizations
February 15 | 2022
FedRAMP updated the Threat-Based Methodology White Paper to reflect changes to our methodology behind the threat-based scoring approach and its potential applications. FedRAMP is also excited to share the accompanying dataset, located on our GitHub repository. We encourage you to read the white paper and dataset and provide feedback and/or questions to info@fedramp.gov. The FedRAMP PMO looks forward to receiving your comments and sharing progress.
Recap of Threat-Based White Paper
In February 2021, FedRAMP released the Threat-Based Methodology White Paper to solicit feedback and promote the adoption of a threat-based model. The goal of this model is to enable agencies, Cloud Service Providers (CSPs), and other industry partners to prioritize security controls that are most relevant and effective against the current threat environment. FedRAMP anticipates this model will lead to informed, quantitative-based risk management decisions in authorizing information systems for government use.
Update to Methodology: FedRAMP Scores Against the MITRE ATT&CK Framework Version 8.2
Later in 2021, FedRAMP conducted a second round of scoring efforts in order to align the Threat-Based Approach to the MITRE ATT&CK threat framework version 8.2. FedRAMP’s previous scoring was done using the NSA/CSS Technical Cyber Threat Framework (NTCTF), which was recently discontinued. To align with MITRE ATT&CK threat framework, FedRAMP analyzed each NIST SP 800-53, rev. 5 control within the FedRAMP High baseline on their ability to protect, detect, and/or respond to each of the techniques outlined in the MITRE ATT&CK Framework version 8.2. The Threat-Based White Paper reflects this update to scoring methodologies.
Our Ask of You: Provide Feedback on the Threat-Based Methodology White Paper
We encourage you to provide feedback and/or questions to info@fedramp.gov. The FedRAMP PMO looks forward to receiving your comments and sharing progress.