Skip to main content

Blog

FedRAMP’s NIST Rev5 Transition Plan

November 24 | 2020

FedRAMP’s NIST Rev5 Transition Plan

FedRAMP uses the National Institute of Standards and Technology’s (NIST) guidelines and procedures to provide standardized security requirements for cloud services. Specifically, FedRAMP leverages NIST’s Special Publication [SP] 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations series, including the baselines and test cases.

NIST recently released SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5 (Rev5) catalog of security and privacy controls and SP 800-53B, Control Baselines for Information Systems and Organizations. FedRAMP is in the process of revising all applicable FedRAMP materials to align with NIST’s updates. Additionally, when NIST releases the final version of SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, FedRAMP will update the FedRAMP test cases as well.

Below provides more details regarding FedRAMP’s approach to making these updates:

Step 1: Develop draft FedRAMP Baselines from NIST SP 800-53 Rev5 Updates (Current State)

FedRAMP will review Rev5 and update the FedRAMP baselines, parameters, FedRAMP control guidance, and develop an implementation guide for CSPs.

Step 2: Release draft FedRAMP Baselines for Public Comment

FedRAMP will share draft updates for our government partners and stakeholder community to review and provide comments and feedback.

Step 3: Update FedRAMP Baselines and Documentation Based on Public Comments

FedRAMP will review and adjudicate public comments and update the FedRAMP baselines (including OSCAL versions) and associated documents, templates, and guidance accordingly.

Step 4: Release Final Rev5 FedRAMP Baseline Documentation Updates, and CSP Implementation Plan

FedRAMP will publish the final version of FedRAMP’s updated baselines (including OSCAL versions), associated documentation and templates, an implementation guide, and compliance timeline. Additionally, FedRAMP will provide training and educational forums on the updates and transition process, and will be available to answer questions.

Additionally, the PMO has developed a brief video that covers the Rev5 transition process.

You can view this video and others on our FedRAMP YouTube channel.

We will continue to keep the FedRAMP community informed and if there are any questions, please reach out to info@fedramp.gov.

Back to Blogs