As the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) looks to transition to Revision 5 (Rev. 5) baselines – in accordance with the National Institute of Standards and Technology’s (NIST) Rev. 5 security and privacy controls – Acting Director of FedRAMP Brian Conrad said the agency has been able to decrease the number of controls for improved usability.
The FedRAMP program certifies the security of cloud technologies for Federal government use.
Conrad explained that NIST published its own Rev. 5 baselines at the end of 2020, which serve as a foundation for the FedRAMP team to then develop its own baselines. Typically, Conrad said, the Joint Authorization Board (JAB) – the primary governing body for FedRAMP – will add controls on top of those baselines to “make them more focused for cloud service providers.”
“With the Rev. 5, we’re able to take this threat-based methodology and use it against those additional controls that are usually added on top of the NIST published baselines and see which controls actually added value or were very effective in terms of their protect, detect, response capability,” Conrad explained May 12 at a virtual event organized by GovForward.
With the draft baselines that were published, there was a “net reduction in the number of controls,” according to Conrad. Currently, the FedRAMP High Baseline has 421 controls and the Moderate Baseline has 325 controls, he explained.
“We were able to reduce those, I want to say off the top of my head by a couple of dozen each, and obviously there’s a ripple effect to that,” Conrad said. “You know, making things just a little bit easier without sacrificing cybersecurity.”
Currently, the FedRAMP team is updating its baselines and documentation based on public comments and feedback. However, Conrad said that once GSA releases the final Rev. 5 FedRAMP baseline documentation updates and implementation plan, it does not expect the transition to happen overnight.
“We understand that transitioning from one baseline to another is not an easy task,” Conrad said. “We’re not expecting cloud service providers to switch next week or the week after the baselines are published. Again, we’re very much aware of the complexity and the scope of this change… the general guideline is at your next annual assessment.”