Unpacking the NIST 800-53 Rev 5 FedRAMP Update

Updating FedRAMP packages based on the intricate maze of NIST 800-53 Rev 5 changes could be a formidable task for many organizations. However, adopting Risk Solutions on an efficient platform like Paramify can simplify this journey, facilitating compliance with the new standards and offering a smoother passage through the revision's complexities.

Sleek v2.0 public release is here

Lorem ipsum dolor sit amet, consectetur adipiscing elit lobortis arcu enim urna adipiscing praesent velit viverra sit semper lorem eu cursus vel hendrerit elementum morbi curabitur etiam nibh justo, lorem aliquet donec sed sit mi at ante massa mattis.

  1. Neque sodales ut etiam sit amet nisl purus non tellus orci ac auctor
  2. Adipiscing elit ut aliquam purus sit amet viverra suspendisse potent i
  3. Mauris commodo quis imperdiet massa tincidunt nunc pulvinar
  4. Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti

What has changed in our latest release?

Lorem ipsum dolor sit amet, consectetur adipiscing elit ut aliquam, purus sit amet luctus venenatis, lectus magna fringilla urna, porttitor rhoncus dolor purus non enim praesent elementum facilisis leo, vel fringilla est ullamcorper eget nulla facilisi etiam dignissim diam quis enim lobortis scelerisque fermentum dui faucibus in ornare quam viverra orci sagittis eu volutpat odio facilisis mauris sit amet massa vitae tortor condimentum lacinia quis vel eros donec ac odio tempor orci dapibus ultrices in iaculis nunc sed augue lacus

All new features available for all public channel users

At risus viverra adipiscing at in tellus integer feugiat nisl pretium fusce id velit ut tortor sagittis orci a scelerisque purus semper eget at lectus urna duis convallis. porta nibh venenatis cras sed felis eget neque laoreet libero id faucibus nisl donec pretium vulputate sapien nec sagittis aliquam nunc lobortis mattis aliquam faucibus purus in.

  • Neque sodales ut etiam sit amet nisl purus non tellus orci ac auctor
  • Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti
  • Mauris commodo quis imperdiet massa tincidunt nunc pulvinar
  • Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti
Coding collaboration with over 200 users at once

Nisi quis eleifend quam adipiscing vitae aliquet bibendum enim facilisis gravida neque. Velit euismod in pellentesque massa placerat volutpat lacus laoreet non curabitur gravida odio aenean sed adipiscing diam donec adipiscing tristique risus. amet est placerat in egestas erat imperdiet sed euismod nisi.

“Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum”
Real-time code save every 0.1 seconds

Eget lorem dolor sed viverra ipsum nunc aliquet bibendum felis donec et odio pellentesque diam volutpat commodo sed egestas aliquam sem fringilla ut morbi tincidunt augue interdum velit euismod eu tincidunt tortor aliquam nulla facilisi aenean sed adipiscing diam donec adipiscing ut lectus arcu bibendum at varius vel pharetra nibh venenatis cras sed felis eget dolor cosnectur drolo.

Ah, the joys of updates in federal compliance standards! The release of NIST 800-53 Rev 5 is a bit like that time I thought I'd impressed my mom by tidying up my room. All I did was shuffle my laundry heap from the floor to the closet. She glanced around and cheered, "Voila! Spotless!" But we both knew it was the same mess in a different place – much like Rev 5’s Moved Requirements.

Then there's the charm of Split Requirements, akin to ordering a pizza and getting it delivered slice by slice. Still a whole pizza, sure, but it means answering the door eight times.

Don't forget Removed Requirements – I know you worked hard on that VOiP control, but no one cares.

And then, as if out of a bad horror movie sequel, here come the New Requirements, with fourth-party vendors emerging from the shadows like unexpected beasts. 

While the control count appears to have shrunk, much like my eagerness to clean my room, the actual workload has mounted, jumping by 13% for high-risk categories. Akin to the spike in my stress levels every tax season. Fun times! But fear not, we've got this. Let's dive in.

FedRAMP Control Counts

The burden of the transition relates mostly to documentation.

Alright, so if we're looking at the tables that came right out of the FedRAMP cookbook, we've got the control changes in the High, Moderate, Low, and Li-SaaS categories from NIST 800-53 Rev 4 to Rev 5:

Rev4 to Rev5: Changes to FedRAMP Controls

At first glance, you'd think, "Woohoo! Downhill run! Fewer controls in High and Moderate, sounds like an easy cruise, right?" It's like when you start a diet and the first day, you lose 2 pounds. You think, "Hey, this isn't so bad!"

But then you notice the Low and Li-SaaS categories had to go and spoil the party. They've bulked up like they're preparing for a hibernation, going up by 25% and 127%, respectively.

But then, like a surprise twist in a sitcom, we get the Actual Requirements:

Actual FedRAMP Requirements 

Just like realizing your preferred 'low-calorie' meal is brimming with carbs, the layers within these controls have a surprise in store. These numbers have no intention of embarking on a weight-loss journey. High went up by 13%, Moderate by 16%, and Low and Li-SaaS? They're getting their winter coats ready, going up by a solid 34% and 86%, respectively.

Rev4 to Rev5: Actual Changes in Requirements[1]

Closer Look at Control Families

Then, we move onto the Control Families. It's kind of like getting your whole extended family together for a reunion and realizing Aunt Mildred had triplets since the last gathering. Looking at these numbers, it's clear that some families have definitely been busier than others. Things like Access Control, Configuration Management, Contingency Planning, and System and Services Acquisition have not been lazing around.

But wait, there's more! To really spice up the compliance soup, we have a new category to consider – "Supply Chain Risk Management".

Big shoutout to Chris Hughes, a leader in this space, for his pioneering work. Dive into his illuminating book here or his insightful podcast episode here. Hats off to Chris for lighting the path!

FedRAMP (NIST 800-53 Rev 4) Requirements Breakdown
FedRAMP (NIST 800-53 Rev 5) Requirements Breakdown[1]

Changes in the SSP

Crafting a quality System Security Plan (SSP) while keeping up with regulatory changes is like building a complex sandcastle on the beach, just to have the wave come in and scatter everything.

SSP Change Summary

But, let's not get too dramatic. Fortunately, for those using Risk Solutions, you've got 14 shiny new solutions at your disposal. They're like magic tricks for your security controls.


Just when you thought it was over, we need to update the new PARAMETERS. It's like finding another hidden level in your favorite video game, but way less fun.

Rev 4 to Rev 5 parameters

As you can see, the parameters have decided to jump up on the bandwagon as well, with increases in all categories. It's like adding extra toppings on an already overstuffed pizza. You thought the supreme was enough? Nope, here come the anchovies, olives, mushrooms, and extra cheese!

Steering through the twists and turns of the new NIST 800-53 Rev 5 can feel like attempting to navigate a labyrinth while blindfolded and juggling flaming torches. It's no leisurely stroll, but this is where Paramify comes to the rescue. With our help, tackling these parameters becomes as breezy as a walk in the park on a sunny Sunday afternoon.

How Do Risk Solutions help?

Navigating the twists and turns of NIST 800-53 Rev 5 doesn't need to feel like an uphill battle. Armed with Paramify's Risk Solutions, you'll find a streamlined strategy for tackling the new requirements and changes. Think of it as reducing a complicated riddle into a set of simple, solvable puzzles.

As we explained in our previous article, these solutions act as your real-time compliance compass, providing clear visibility into your risk posture and allowing for swift, mid-course corrections. With Risk Solutions, you're not just prepared to weather the compliance storm, but to steer confidently through it.

For a refresher on building your own Risk Solutions, revisit our previous article. You'll find helpful insights and practical advice to set you on the right path within the NIST 800-53 Rev 5 landscape.

View our Free Webinar to see for yourself!

Check out our webinar showing you in detail how you can instantly, completely, and accurately upgrade your FedRAMP Package from Rev. 4 to Rev. 5 without hiring a tech writer.

The PMO would like your plans in their hands soon. The time to act is now.

[1] These numbers have been updated based upon the newest control templates released by the FedRAMP PMO. Previous numbers were estimates.

About the author

Kenny is an accomplished leader with a 16-year tenure in Information Security and IT Audit. He's widely acknowledged in the industry and has a profound dedication to it. In addition to his technical expertise, Kenny's portfolio includes substantial experience in business strategy, investment, and programming.‍ On the personal side, Kenny is a devoted husband to Angie Scott and a proud father of five. A music enthusiast, he relishes playing the guitar and enjoys surfing when a beach is within reach.