In its public comments about NIST Special Publication 800-53, Revision 5, FedRAMP said the move from Revision 4 to Revision 5 could cost millions of dollars across the cloud service providers, third-party certifiers and the federal Joint Authorization Board (JAB) to update the approved cloud services and related standards.
“We wanted to understand the financial impacts of this update for both government and vendors in order to understand what sort of return on investment implementing these changes would provide,” said Matt Goodrich, FedRAMP program manager, in an email to Federal News Radio. “Our cost estimates are based on our experience with the transition from Revision 4 to Revision 5, and were a high-level estimate based on documentation updates alone and not any costs associated with implementing and assessing new security requirements.”
NIST released Revision 5 in August and comments were due Sept. 12. NIST says it expects to issue a final draft in October and the final version of 800-53 Revision 5 by December.
But it’s more than just cost — a recent report by Coalfire found the average cloud service provider (CSP) spent between $350,000 and $865,000 to get FedRAMP certified — that worries the program office.
Goodrich detailed in the comments three areas of concern, and made two recommendations to NIST.
A NIST spokeswoman said the agency doesn’t comment on another agency’s comments about a draft publication.
One area is around the priority of the new controls versus updated controls.
“Are all new and updated controls considered to have the same positive impacts on security and should be treated equally? Based on FedRAMP’s review, this is not the case,” the comments stated.
The second area is around what NIST calls “new security concepts.” FedRAMP stated that these new security concepts need to be defined more clearly, with a better explanation of why they are important to Revision 5.
A third concern is around the security objectives for each new or updated control. FedRAMP stated NIST should “clearly articulate the intent of each control so alternate implementations and mitigating controls can be properly analyzed.”
“Without understanding what the objectives are, how are agencies and vendors going to be sure they meet the intent of security controls if not meeting a security control explicitly as stated? Without the objectives, it is difficult to understand if alternate implementations or mitigating security controls are sufficient,” FedRAMP stated in its comments.
NIST also hasn’t discussed the test cases for the new controls, which vendor experts say are key to implementing any revision.
“They put out test cases for 800-53A under Rev 3, but didn’t update them for Rev 4. Since Rev 5 is a big change, I would expect NIST is looking at test cases. And they need to because I think moving to Rev 5 will need a long on-ramp,” said Maria Horton, CEO of EmeSec, a third-party assessment organization (3PAO), in an interview with Federal News Radio. “FedRAMP, 3PAOs, the PMO and the cloud service providers will have to evaluate the test cases to see how they are implemented. There will be some challenges because the changes to Rev 5 reflect the new digital economy.”
Horton said FedRAMP, 3PAOs and CSPs will need to architect, design and adopt the new controls for cloud services.
“I would recommend that NIST and FedRAMP give certified CSPs and anyone FedRAMP-ready a year beyond when they settle on the test cases to allow for investment and adaptation to the digital economy, and privacy and security requirements,” she said.
Horton and other executives at 3PAOs say the security and privacy changes in Rev 5 are the most significant updates to the controls.
NIST says among the changes it’s proposing are to:
Make the security and privacy controls more outcome-based by changing the structure of the controls;
Fully integrate the privacy controls into the security control catalog, creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
Separate the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners.
Doug Barbin, a principal and cybersecurity leader for Schellman and Company, a 3PAO, said in an interview with Federal News Radio that while privacy was always a part of Rev 4 and previous revisions, Rev 5 brings in more of the generally accepted privacy requirements, policies and guidelines for information sharing.
“Every single area of the control set around data or information has privacy controls,” Barbin said. “For cloud providers, it gets interesting and starts going toward the delivery model such as infrastructure- or software-as-a-service, which may be data agnostic so some of those controls may get pushed down to the agency to implement.”
Barbin said for SaaS, both the cloud provider and the agency customer must consider what data is being collected and which users are potentially interacting with that information, especially if it’s personally identifiable information (PII).
“This will take time to roll into FedRAMP because you will have to update all the core templates for authorization,” he said. “We also will have to do control tailoring, and come up with the criteria for testing and analysis that the 3PAOs will perform.”
Abel Sussman, director of the cyber risk advisory group for Coalfire, said the integration of the privacy controls with the rest of the security controls is the biggest change.
But Sussman said he believes about 40 percent of the controls at the moderate level will need to be changed.
“I don’t think any of the new controls will require a major uplift,” he said. “It’s about documenting how things are already implemented with appropriate tweaks.”
Sussman added that for cloud service providers, the Rev 5 changes also mean ensuring the security changes are ingrained in the training, planning and reporting functions.
“As organizations develop good risk compliance programs, they will be able to meet many of these controls,” he said. “One of the things that came up is the wording from JAB. They want security controls that are outcome-based. It means there is more direct language of what is expected. For example, multi-factor authentication for privileged accounts in Rev 5 versus Rev 4 is more direct, and that may be confusing because CSPs may not be sure what outcome-based means. This is where test cases could help.”
There seems to be a lot of uncertainty around what Rev 5 will mean for CSPs, 3PAOs and agencies, and that’s why the test cases will be critical.
“Technology Transformation Services (TTS) has a spirit of transparency, and our FedRAMP team spends a lot of time engaging with our industry partners to better understand their concerns and thoughts on major programmatic updates. The comments note common questions we’ve heard from our stakeholders related to this update,” Goodrich said. “FedRAMP continues to have a thoughtful dialogue with NIST and OMB about the issues raised in our comments and how to best address the concerns noted.”