FedRAMP uses the National Institute of Standards and Technology's (NIST) guidelines and procedures to provide standardized security requirements for cloud services. Specifically, FedRAMP leverages NIST's Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, series, including the baselines and test cases.
NIST recently released Revision 5 (Rev5) of SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, its catalog of security and privacy controls, along with SP 800-53B, Control Baselines for Information Systems and Organizations. FedRAMP is in the process of revising all applicable FedRAMP materials to align with NIST's updates. Additionally, when NIST releases the final version of SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, FedRAMP will update the FedRAMP test cases as well.
The steps below describe FedRAMP's approach to making these updates:
Step 1: Develop draft FedRAMP Baselines from NIST SP 800-53 Rev5 Updates (Current State)
FedRAMP will review Rev5, update the FedRAMP baselines, parameters, and FedRAMP control guidance, and develop an implementation guide for cloud service providers (CSPs).
Step 2: Release draft FedRAMP Baselines for Public Comment
FedRAMP will share the draft updates with our government partners and stakeholder community to review and provide comments and feedback.
FedRAMP will review and adjudicate public comments and update the FedRAMP baselines (including OSCAL versions) and associated documents, templates, and guidance accordingly.
FedRAMP will publish the final version of FedRAMP's updated baselines (including OSCAL versions), associated documentation and templates, an implementation guide, and compliance timeline. Additionally, FedRAMP will provide training and educational forums on the updates and transition process, and will be available to answer questions.