This year we joined other organizations in going through the FedRAMP Revision 5 transition project. If you’re unfamiliar, the Federal Risk and Authorization Management Program (FedRAMP) transitioned from using NIST 800-53 Revision 4 to NIST 800-53 Revision 5. This project involves reviewing the updated NIST controls, examining guidance from the FedRAMP PMO, and coordinating with our external audit partner and our authorizing agency, along with our internal project work.
As we progress through this project, we want to share the lessons we’ve learned. We hope that by sharing these insights, we can assist you navigate your own journey whether it’s the Revision 5 transition or other security framework updates.
Understand the change
The FedRAMP Moderate baseline includes over 300 controls, so becoming an expert on the nuances of all these control changes is a considerable task. This is where resources from the FedRAMP Transition website proved to be useful to help distinguish more significant control changes from those that were minor wording adjustments. I found that navigating through the FedRAMP site and examining the NIST 800-53 Revision 5 resources really helped me find resources that were already built to support my project.
Plan and prepare
In almost every project I’ve worked on, I walk away recognizing the importance of planning and preparation. Spend time establishing how you will track tasks, monitor progress and effectively communicate with stakeholders. This project requires a collective effort, so make sure that you’re collaborating with the process/control owners and give them time to ask questions to understand the changes. Some changes may have significant impacts to people, process, and/or technology, potentially altering work priorities or methods dramatically. The FedRAMP Revision 5 project we conducted began with a gap assessment for each control which ended up being a very helpful exercise. This really helps to convey the impact of changes to leadership so they can support the project (financially if necessary) and assist in prioritizing required work in their organizational areas.
Lead with learning
Seek out those in other organizations also navigating the transition. We found a lot of value participating in the FedRAMP PMO office hours. During these calls, we connected with groups to ask questions and share information. We also utilized our relationships with our auditor and our sponsoring organization to clarify our understanding of new controls or wording updates. Keep in mind that your internal process owners may not be as familiar with compliance requirements, so they may need some help interpreting the language. Don’t be afraid to say that you don’t know – we are all trying to figure out these changes so take those questions to your network.
The Revision 5 change, specifically, has a lot of privacy implications. To help understand those changes, I engaged with our in house privacy lead as well as started asking questions to our auditor and my network to understand how they were interpreting the changes. By discussing these changes with a broader audience, we were able to evaluate if we could add a privacy component to already existing processes or if we needed to reevaluate if a new process or resource would better fit our needs.
Embrace change
This change, while challenging, can also be an opportunity for organizations to review and strengthen our security programs. Embracing change, rather than resisting it, can lead to enhanced security postures. We used this opportunity to review all of our security controls and evaluate gaps even beyond the required FedRAMP transition work. We examined our policies, controls, and other supporting documents and evaluated why each item existed and what could be consolidated.
No transition is without its challenges, and we expect bumps along the way. It’s important to see these obstacles as learning opportunities. Our goal is not to achieve perfection but to use this as a chance to strengthen our overall program.