By Chor-Ching Fan


Summary: Major changes between FedRAMP Rev. 4 and Rev. 5: security controls, privacy, supply chain risk management

The transition from FedRAMP Rev. 4 to Rev. 5 brings an update to security controls, aligning with NIST SP 800-53 Rev. 5 and introducing a new focus on privacy and supply chain risk management. This alignment ensures that the security controls are up-to-date with the latest standards and practices, providing a more integrated approach to managing federal information systems and organizations.


New Privacy-Related Controls

FedRAMP Rev. 5 includes privacy-related changes:

  • AT-3 (Role-Based Training) adds privacy training to previous requirements for security training, ensuring that personnel are aware of both security and privacy risks and protocols.
  • CM-3 (Configuration Change Control) and CM-4 (Impact Analysis) mandate privacy impact analysis for configuration changes. This requires CSPs to evaluate how changes might affect the privacy of individuals and the handling of personal information.


New Supply Chain Risk Management (SCRM) Controls

The new SCRM controls introduced in Rev. 5 are designed to protect the integrity of the supply chain and mitigate associated risks:

  • SR-1 (Supply Chain Risk Management Plan): Requires CSPs to establish a comprehensive SCRM plan.
  • SR-2 (Supply Chain Risk Management Plan): Mandates the development of a SCRM plan across all baselines of FedRAMP.
  • SR-3 (Supply Chain Controls and Processes): Establishes supply chain controls and processes that CSPs must implement.
  • SR-5 (Asset Acquisition Methods and Tools): Develops methods and tools for secure asset acquisition.

These additions underscore the dual focus on security and privacy, ensuring that CSPs not only protect federal systems from security threats but also safeguard the privacy rights of individuals and comply with relevant privacy regulations.


Control Counts: Baseline Breakdown for Rev. 5

The adjustments to security controls for Rev. 5 reflect FedRAMP’s efforts to streamline and simplify controls where possible, aligning more closely with NIST and focusing on the most impactful controls for each baseline. Across all baselines, the most significant addition is the Supply Chain Risk Management (SCRM) family of controls, which addresses the increasing concerns over supply chain security in a globalized market. Here’s how the numbers break down:

  • High Baseline: The number of controls has been decreased from the previous version, even though NIST SP 800-53 Rev. 5 overall increased the number of controls. The High baseline now includes 410 controls.
  • Moderate Baseline: The Moderate baseline has also seen a reduction in the number of controls, now totaling 323 controls.
  • Low Baseline: The Low baseline has seen an increase in the number of controls, going from 125 to 156 controls. This increase is due to the addition of controls from the NIST baseline, which included 149 controls, to which FedRAMP added 7 more.


Rizkly Simplifies the FedRAMP Rev. 4 to Rev. 5 Transition

While the FedRAMP PMO emphasizes that the Rev. 5 changes should not require major system changes for CSPs to come into alignment with the new baselines, the fact remains that FedRAMP authorization will continue to be a complex process. Maintaining robust security measures that adapt to evolving threats while meeting compliance requirements often feels like a daunting task that requires resources that are already stretched thin.

Rizkly was designed to address today’s FedRAMP compliance challenges as well as upcoming requirements such as OSCAL. We provide our compliance management platform with Guided Compliance as a Service (GCaaS) options that offer the appropriate amount of expert guidance to achieve the FedRAMP Rev. 5 requirements faster. With Rizkly, CSPs do not have to choose between going solo or hiring a team of expensive consultants. With Rizkly, you get security expertise combined with the time and cost savings that our compliance platform delivers: technology combined with human insight, all designed to simplify your FedRAMP compliance journey. Contact us today.