Kaus Phaltankar, co-founder and CEO of Caveonix, said the Federal Risk and Authorization Management Program Revision 5 baseline adds new controls, including a family of controls related to supply chain risk management.
Phaltankar said in a Help Net Security video published Thursday that, when it comes to changes to control parameters under the new baseline, the changes amount to less than 5 percent for low- and moderate-impact systems, over 25 percent for high-impact systems and 24 percent for low-impact software-as-a-service (LI-SaaS) offerings.
He noted that there are 25 new controls associated with the supply chain and privacy control families.
Phaltankar said there are several requirements about documentation that have been introduced under the FedRAMP Rev. 5 baseline, including the need for an identification and documentation official.
“This is like the first time this requirement has come up. You need to categorize it as policies and procedures, but you also need to categorize them by organization policies and procedures. You need to organize them by mission, or the business as well as system specific,” he noted.
The chief executive also mentioned the introduction of a baseline for the Open Security Controls Assessment Language (OSCAL), designed to digitize the authorization package by making it machine-readable, as well as an update to the system security plan document.
“As you’re aware, in the system ATO, or the authorization to operate, documentation package, there are a number of other documents that need to be provided in addition to the system security plan, such as your security assessment plan, security assessment report, plan of action and milestones, initial risk assessment document and so on,” he said. “A number of these documents will be provided in the future as a new set of templates from the FedRAMP program management office.”
In an accompanying article, Phaltankar cites the implications of the new baseline for cloud service providers and third-party assessment organizations in the areas of continuous monitoring, authorization boundary, threat model and integrated inventory.