The Federal Risk and Authorization Management Program is seeking public comment on the initial draft of its baseline security measures that align with the National Institute of Standards and Technology’s updated cloud security guidance.
In a blog post published Tuesday, FedRAMP said its Program Management Office worked with the Joint Authorization Board to develop draft high, moderate and low baseline security requirements for cloud service providers.
In September 2020, NIST released the final version of Revision 5 of Special Publication 800-53, which provides a catalog of security and privacy controls to protect federal information systems and organizations from cybersecurity threats.
NIST also unveiled a companion document, SP 800-53B, to outline control baselines for identifying the risk level of organizations and their information systems.
FedRAMP used a threat-based methodology to score each NIST SP 800-53, Rev. 5, control against version 8.2 of the MITRE ATT&CK Framework. By applying the threat scoring methodology, FedRAMP included one additional control in the low baseline, 17 in the moderate baseline and 22 in the high baseline. The public can submit feedback until April 1, 2022.