Ramp Up to Achieve FedRAMP’s NIST SP 800-53 Rev 5
July 22, 2022

FedRAMP’s NIST SP 800-53 Rev 5 is one of the most foundational documents in modern cybersecurity. 

The Justice Department recently announced a $9 million settlement in a case against a federal contractor accused of misrepresenting their compliance with cybersecurity requirements under the False Claims Act. Deputy Attorney General Lisa Monaco says that most contractors “follow all of the contract terms,” but if they fail to follow required standards or misrepresent their efforts, the new Civil Cyber-Fraud Initiative will use the False Claims Act to enforce civil fines on government contractors and grant recipients.

This settlement puts contractors and cloud service providers on notice to cross their t’s and dot their i’s regarding FedRAMP, FISMA/RMF, or CMMC accreditation. It’s important to know the difference between these mandates.

Is FedRAMP required for CMMC? And how does FedRAMP fit into the DIB supply chain? In short, cloud providers that provide security services need to meet CMMC requirements, but they do NOT need FedRAMP authorization. Only clouds that store, process, or transmit CUI need FedRAMP. So how do you get there?

NIST SP 800-53 makes the “how” a priority.

NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, is easily one of the most foundational documents in modern cybersecurity. And it provides a good start for cloud service providers to become FedRAMP compliant. While many frameworks define goals and requirements, SP 800-53 defines the specific controls to deliver on those goals. And while many standards focus on “what” organizations should do, SP 800-53 defines the “how.”

The document emphasizes firmware: monitoring firmware integrity, controlling firmware configurations and vulnerabilities, and actively managing the supply chain and technology vendors to ensure they are compliant.

Prepare for your FedRAMP accreditation.

FedRAMP accreditation is not only required for cloud providers who handle CUI, but customers inside the government and out are more inclined to trust a provider who has complied with FedRAMP guidelines and is viewed as secure enough to conduct business with organizations like the DoD. So FedRAMP is a good decision for your cloud services, regardless of the information you handle.

The most recent revision, Rev 5, has changed the number of controls to meet for accreditation. The High baseline will go from 421 controls to 392 controls, the Moderate baseline will go from 325 controls to 304 controls, and the Low and Li-SaaS baselines will increase to 150 controls.

Protect your infrastructure—and pocketbook—with FedRAMP compliance.

Cybersecurity and supply chain attacks are increasing every year. As you’ve seen, fines are steep for misrepresenting your compliance. And CMMC Level 2 certification relies on self-assessments. So, don’t give the government reason to cite you.

If you are pursuing FedRAMP, FISMA/RMF, or CMMC compliance, SteelCloud can help. Our ConfigOS solution will automate the system hardening process for better cyber hygiene and mitigate risks from software vulnerabilities by ensuring that your organization implements secure configurations. Plus, it will remove 90% of the effort and 70% of the costs from the process. Using STIGs and CIS benchmarks, your organization can build more robust security. Automating these lower-level controls and documenting processes allows your organization to prevent threat actors from exploiting software and firmware vulnerabilities.

NIST SP 800-53 revision 5 is underway. Let SteelCloud help you achieve FedRAMP accreditation and conduct a gap assessment to help accelerate your FedRAMP compliance journey for CMMC compliance. Schedule a demo today.
