The Federal Risk and Authorization Management Program (FedRAMP) is using the National Institute of Standards and Technology’s (NIST) guidelines and procedures to provide standardized security requirements for cloud services.
Specifically, FedRAMP leverages NIST’s Special Publication (SP) 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations series, including the baselines and test cases.
NIST recently released two documents: SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5 (Rev5), the catalog of security and privacy controls, and SP 800-53B, Control Baselines for Information Systems and Organizations.
FedRAMP said it is in the process of revising all applicable FedRAMP materials to align with NIST’s updates.
Additionally, when NIST releases the final version of SP 800-53A – Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, FedRAMP will update the FedRAMP test cases as well.
FedRAMP will publish the final version of its updated baselines (including OSCAL versions), the associated documentation and templates, an implementation guide, and a compliance timeline.
Further, FedRAMP will provide training and educational forums on the updates and transition process, and will be available to answer questions.