NIST 800-53 Rev. 5 Updates to Security Baselines

by Liz Huston

In collaboration with its members from the public and private sectors, StateRAMP has made significant strides in enhancing its security measures. After several months of joint committee work sessions, the Standards and Technical Committee has approved updates to the StateRAMP Baseline Controls, incorporating a subset of the latest update to NIST 800-53 (a special publication by the National Institute of Standards & Technology).  This update aligns StateRAMP with the most current and comprehensive security guidelines for cloud cybersecurity. 

NIST 800-53 Rev. 5 is widely recognized as a catalog of best practice controls and sub-controls. These baselines serve as the foundation for StateRAMP’s Security Snapshot Program and StateRAMP Authorizations, ensuring robust security measures are in place. 

According to Noah Brown, StateRAMP PMO Director, “Updating our control baselines was crucial for protecting government data as NIST 800-53 Rev. 5 is the next evolution in cloud security controls and allows Service Providers to implement controls that are relevant to the current threat landscape.”

The StateRAMP Standards & Technical Committee and Appeals Committee reviewed the baselines this winter, and StateRAMP members had an opportunity to provide their feedback on the proposed baseline controls.

Sean Hughes, Assistant Secretary for Technology, Security, and Operations/Chief Operating Officer of Massachusetts Executive Office of Technology Services and Security and Chair of the Standards & Technical Committee, said, “The integration of NIST 800-53 Rev 5 into the baseline controls by StateRAMP’s Standards & Technical Committee is a testament to their commitment to upholding the highest standards of cybersecurity. Together, they have established a robust foundation for organizations seeking StateRAMP Authorization, setting the stage for enhanced protection and trust in the digital realm.”

The Standards & Technical Committee has asked for public input again to guide the implementation of Rev. 5 and the timing of the new requirements, which will be rolled out later this year. Please provide your feedback here.

Dan Lohrmann, Field Chief Information Security Officer, Public Sector at Presidio & Vice Chair of the StateRAMP Standards & Technical Committee, noted, “The incorporation of NIST 800-53 Rev 5 into StateRAMP’s baseline controls marks a significant milestone in elevating the cybersecurity standards for government entities. By embracing the latest advancements in security practices, StateRAMP reinforces its commitment to staying at the forefront of cyber defense.”

“The adoption of NIST 800-53 Rev. 5 is an important step toward the harmonization of other federal requirements that flow down to state and local governments, such as requirements related to Criminal Justice Information Services, Healthcare and Medicaid Management Information Systems, Tax Information and Cloud Security Guidelines and more,” said Leah McGrath, Executive Director, StateRAMP. “We are very thankful for the time and leadership our PMO Team and Committee Members dedicated to help guide this process.” 

View Rev. 5 Baseline Controls here. If you have control-specific questions, please attend Office Hours every Wednesday from 2:30-3:30 pm EST.