Understanding the FedRAMP Rev 5 PS-4 Update: A 4-Hr Limit for Access Revocation

Significant changes to FedRAMP and StateRAMP compliance regulations now mandate that organizations revoke a terminated employee's access to sensitive systems within just four hours. The new rule highlights the urgency of closing security loopholes and poses execution challenges, especially for organizations lacking integrated systems. However, technology like integrated Single Sign-On and Human Resources Information Systems can automate the process, aiding compliance.

Stricter Deadline for Revoking Terminated Employee Access

One of the more intriguing shifts in FedRAMP and StateRAMP compliance regulations revolves around the timeliness required to revoke a terminated employee's access to sensitive systems. Not too long ago, the requirement was that an organization had to revoke this access within one day of termination. However, the rule has been tightened considerably, now mandating that access be revoked within four hours.

Why the Change?

This stringent timeline serves as a testament to the escalating risks and vulnerabilities that organizations face, especially those dealing with federal data and regulated environments. The shift from 24 hours to just four underscores the urgency that governing bodies are placing on closing potential security loopholes as swiftly as possible.

The Pitfalls of Procedure

While the rule itself might seem straightforward, its execution is often fraught with challenges, frequently because of internal communication gaps between HR and IT. Our expert guest points out that he has observed failures in this area time and again during his auditing career. This is particularly true for organizations whose systems are not streamlined and integrated, such as those lacking an integration between their Single Sign-On (SSO) tool and their Human Resources Information System (HRIS).

The Role of Technology

Fortunately, technology has come to the rescue, offering easier ways to adhere to this new requirement. Organizations that have an SSO tool integrated with their HRIS can automate the revocation process, ensuring that the 4-hour timeline is met effortlessly. When the HRIS system is updated to reflect an employee's termination, a single click can cascade the change across all platforms, effectively locking out the employee.
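Whether the automation described above actually met the four-hour window is something an auditor will want evidence for, and the cleanest evidence is a reconciliation of HRIS termination timestamps against SSO account-disable timestamps. The following is an added example (not code from the article or from any SSO or HRIS vendor); the records, user names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: HRIS termination events and SSO account-disable
# events, keyed by user, as ISO-8601 timestamps with UTC offsets.
HRIS_TERMINATIONS = {
    "alice": "2024-03-04T09:00:00+00:00",
    "bob":   "2024-03-04T13:30:00+00:00",
    "carol": "2024-03-04T16:00:00+00:00",
}
SSO_DISABLED = {
    "alice": "2024-03-04T09:07:00+00:00",  # automated HRIS -> SSO, 7 minutes
    "bob":   "2024-03-05T08:15:00+00:00",  # manual ticket, next morning
    # carol has no disable event yet
}

PS4_WINDOW = timedelta(hours=4)  # Rev 5 PS-4 revocation deadline

def check_revocations(terminations, disabled, now_ts, window=PS4_WINDOW):
    """Reconcile terminations against SSO disables.

    Returns a list of (user, status, elapsed_hours) where status is one of:
      OK             - disabled within the window
      LATE           - disabled, but after the window
      OPEN_IN_WINDOW - still enabled, deadline not yet reached
      OPEN_OVERDUE   - still enabled and past the deadline (active finding)
    """
    now = datetime.fromisoformat(now_ts)
    findings = []
    for user, term_ts in terminations.items():
        term = datetime.fromisoformat(term_ts)
        if user in disabled:
            elapsed = datetime.fromisoformat(disabled[user]) - term
            status = "OK" if elapsed <= window else "LATE"
        else:
            # No disable event: measure against the current time so a still-
            # active account surfaces as a finding instead of being skipped.
            elapsed = now - term
            status = "OPEN_OVERDUE" if elapsed > window else "OPEN_IN_WINDOW"
        findings.append((user, status, round(elapsed.total_seconds() / 3600, 2)))
    return findings

def violations(findings):
    """Users that need action or a documented exception."""
    return [f for f in findings if f[1] in ("LATE", "OPEN_OVERDUE")]

if __name__ == "__main__":
    for row in check_revocations(HRIS_TERMINATIONS, SSO_DISABLED,
                                 "2024-03-04T18:30:00+00:00"):
        print(row)
```

Running the reconciliation on a schedule (for example hourly) turns the four-hour rule into a continuously checked control rather than a point-in-time audit question.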

The Consequences of Non-Compliance

Though failing to meet this requirement won't necessarily lead to the loss of your federal credentials or accreditation, it's not something to be taken lightly. As our expert guest noted, this issue might seem minor but could actually be a complicated problem to solve, especially for organizations without modern, integrated systems.

This four-hour requirement is not just a rule but a reflection of the overall shift towards more stringent security protocols. Organizations that aim to stay compliant must take heed and adapt accordingly, implementing the technologies and practices that can help them meet this new standard.

About the author

Adam Johnson boasts 15 years in information systems, with special expertise in product marketing and management. He's always had an interest in cybersecurity. A family man at heart, Adam enjoys biking, soccer, and traveling with his wife and three kids.