Skip to main content

Blog

Rev. 5 Baselines Have Been Approved and Released!

May 30 | 2023

Rev. 5 Baselines Have Been Approved and Released!

The FedRAMP Joint Authorization Board has approved the FedRAMP Rev. 5 baselines! The FedRAMP baselines were updated to correspond with the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 Rev. 5 Catalog of Security and Privacy Controls for Information Systems and Organizations and SP 800-53B Control Baselines for Information Systems and Organizations.

Outlined below are the released documents with a supporting high level summary:

Cloud Service Provider (CSP) Transition Plan

  • Provides guidance to assist Cloud Service Providers (CSP), Third Party Assessment Organizations (3PAOs), Federal Agencies in transitioning to NIST SP 800-53 Rev. 5, and to the new FedRAMP requirements
  • Categorizes CSPs based on their stage in the FedRAMP authorization process and defines date-based transition periods for each category
  • Assists CSPs with identifying the scope of the Rev. 5 controls that require testing by an assessor

Rev. 5 Baselines

  • Aligns security controls more closely with NIST
  • Adds significant guidance for many controls
  • Privacy controls, and any other control outside of the FedRAMP baselines, remain at the agency’s discretion
  • Program Management (PM) controls remain an agency responsibility and are therefore not included in the baselines

To provide more insight to the updates, please see our Rev. 4 To Rev. 5 Baseline Comparison Summary

What's Next?

During the approval process, FedRAMP has been working diligently to complete updates based on public comments to the Rev. 5 baselines and supporting documentation. The FedRAMP Open Security Controls Assessment Language (OSCAL) baseline profiles and resolve profile catalogs will be released within the next few weeks along with:

  • System Security Plan (SSP)
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Plan of Action and Milestones (POA&M) for High, Moderate, Low, and Li-SaaS baselines
  • Corresponding FedRAMP OSCAL SSP, SAP, SAR, and POA&M guides

FedRAMP will also provide training and educational forums specific to the Rev. 5 updates and the transition process this summer.

In the meantime, we ask that CSPs and other stakeholders review the CSP Transition Plan and make plans to address the updated templates in the coming weeks.

Keep Up To Date!

Join the FedRAMP subscriber list here to receive program updates, important reminders, blog announcements, and the monthly PMO Newsletter. If you have any questions, please contact info@fedramp.gov.

We thank you for your patience!

Back to Blogs