RFC-0029 FedRAMP Rev5 Security Controls Baseline Update for PE, PL, PM, PS, and PT Control Families

[rhoesing]

RFC-0029 FedRAMP Rev5 Security Controls Baseline Update for PE, PL, PM, PS, and PT Control Families

❓ Please note that FedRAMP will not answer questions in this thread as it is reserved for public comment. If you would like to ask a question or generally discuss this RFC informally, please use the General discussion and Q&A for RFCs related to Rev5 Updates (RFCs 0026, 0027, 0028, 0029, & 0030) thread. Thank you!

Status: Open
Start Date: March 19, 2026
Closing Date: April 22, 2026

Summary

This is a technical RFC that proposes updates to the Additional FedRAMP Security Technical Controls Requirements and Guidance for FedRAMP Rev5 baselines.

To save space and to limit the breadth of a single RFC, this technical document shows only the proposed changes to the current baseline document and is restricted to a few control families. If verbiage is being updated, only the specific wording that is to be changed is identified in the old verbiage section. If the verbiage to be added is not replacing previous verbiage, but being added, it will be identified as “NEW” in the old verbiage section.

Since this spreadsheet covers hundreds of controls across multiple tabs and sections, only those specific controls, sections, and tabs identified are being proposed for updates. If it is not mentioned below, changes are not being proposed.

Commenters are advised to please mention specific controls in their comments!

This RFC addresses controls in the following families:

• Physical and Environmental Protection (PE)
• Planning (PL)
• Program Management (PM)
• Personnel Security (PS)
• PII Processing and Technology (PT)

Motivation

Many Rev5 FedRAMP Requirements and Guidance statements are based on outdated approaches that predated the release of the FedRAMP Authorization Act and M-24-15. This set of Requirements and Guidance needs a refresh to match FedRAMP’s current rules and approach.

The updates formalized after this RFC will be included in the FedRAMP Consolidated Rules for 2026. That set of rules will be valid until December 31, 2028. FedRAMP will provide a transition plan for adopting any new guidance that will enable cloud service providers to update their approach as part of their annual assessment as appropriate.

These changes are designed to lower the burden for cloud service providers and eliminate previous pain points.

Additionally, NIST released 800-53 Rev 5.2.0 in August of 2025. While this update was minor, control updates from NIST will require updates to FedRAMP Security Control Baseline in order to reflect this update. These changes will happen without public comment through FedRAMP since these are direct reflections of NIST changes. As subsequent iterations of the FedRAMP Security Control Baseline are published, it is FedRAMP’s intent only to carry over the following information from NIST 800-53; Control Family, Control Name, and Control ID. Following this will be FedRAMP-Defined Assignment / Selection Parameters and additional FedRAMP Requirements and Guidance.

Proposed Changes to Physical and Environmental Protection Family

No changes are being proposed

Proposed Changes to Planning Family

No changes are being proposed

Proposed Changes to Program Management Family

No changes are being proposed

Proposed Changes to Personnel Security Family

This section contains proposed changes to the FedRAMP Requirements and Guidance section for each of these controls.

PS-03: Personnel Screening

Tabs Affected: High Baseline, Moderate Baseline, Low Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: PS-3 (b) [for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.
For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions]
Proposed Change: PS-3 (b) [for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance and the tenth (10th) year for secret security clearance. Some agencies have moved to Continuous Vetting as part of Trusted Workforce 2.0. In these cases, personnel move into a continuous stage of monitoring and are relieved of the 5 or 10 year renewal requirements.
For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions]
Rationale: Updated to reflect the deletion of confidential clearance and the introduction of TW2.0

PS-07: External Personnel Security

Tabs Affected: Low Baseline, Moderate Baseline, High Baseline
Sections Affected: Additional FedRAMP Requirements and Guidance
Current Verbiage: NEW
Proposed Change: CSPs should clearly document nationality requirements for external personnel, where applicable.
Rationale: Added due to recent events.

Proposed Changes to PII Processing and Technology Family

No changes are being proposed

[JeffWillis-MIS]

Any thoughts about incorporating PS-3(4) into FedRAMP? DISA just added it as a core control

RMTO 26-01
New DoD Core Control for Annual Assessments (PS-3(4))

Due to significant updates to the Cloud Service Provider Security Requirements Guide, and criticality of US Persons/Citizen requirements for DoD authorized Cloud Service Offerings, DoD has established that the PS-3(4) control is to be considered a Core Control to be included in every Annual Assessment with FedRAMP defined Core Controls.

Any CSO that has not had their Annual Assessment Security Assessment Plan (SAP) reviewed and approved by their assigned DISA Security Control Assessor Representative (SCA-R) as of the posting of this control, 17 March 2026, must include the PS-3(4) control as part of their next Annual Assessment, and every subsequent Annual Assessment.

[austinsonger]

PS-03 Personnel Screening (Trusted Workforce 2.0 / Continuous Vetting)

Suggested tweaks

• The phrase “relieved of the 5 or 10 year renewal requirements” could be interpreted as universally applicable. Recommend tightening to avoid over-generalizing across agency implementations, e.g.:
  • “Where an agency has enrolled personnel into Continuous Vetting under Trusted Workforce 2.0, periodic reinvestigation intervals may be replaced by continuous monitoring in accordance with agency policy and role designation.”
• Add a short testability note (even one sentence) describing acceptable evidence that personnel are in CV (e.g., agency confirmation, contractual requirement, or system-of-record output), so 3PAOs can assess consistently.

PS-07 External Personnel Security (nationality requirements)

Concept is understandable but needs clarity to avoid ambiguity and privacy risk. As written (“should… where applicable”), it’s hard to implement consistently and could be interpreted in ways that create unnecessary data collection.

Recommendations

• Decide whether this is mandatory or guidance:
  • If mandatory, replace “should” with “shall” and define compliance evidence.
  • If guidance, keep “should” but explicitly state it is non-mandatory and how (if at all) it will be evaluated.
• Define “external personnel” and “where applicable” with concrete triggers, such as:
  • customer/agency contractual requirements,
  • export control or data residency constraints,
  • access to privileged functions (e.g., key management, incident response, system administration).
• Add a privacy guardrail: documentation should focus on requirements and controls, not collecting/storing nationality information unless contractually required and handled under applicable privacy requirements.

[vedigaurav]

Gap #1 – Insufficient clarity on prioritization of control changes
Issue: RFC-0029 proposes updates across multiple control families (PE, PL, PM, PS, PT), but does not clearly indicate which changes are most critical versus optional or incremental. This may lead to inconsistent prioritization across CSP implementations and assessments.
Recommendation: Introduce a prioritization framework (e.g., “high-impact,” “foundational,” “enhancement”) to help CSPs and assessors focus on the most security-relevant updates first.

Gap #2 – Limited guidance on integration with enterprise security programs
Issue: The updated controls (particularly in PM and PL families) assume mature organizational security programs but do not address how smaller or less mature CSPs should operationalize these expectations.
Recommendation: Provide implementation maturity models or phased adoption guidance to help organizations align enterprise-level controls with FedRAMP expectations.

Gap #3 – Lack of measurable success criteria for updated controls
Issue: While control language is modernized, there is limited definition of what “good” implementation looks like in measurable or outcome-based terms, increasing subjectivity during assessments.
Recommendation: Define measurable outcomes or key performance indicators (KPIs) for updated controls to support consistent evaluation and reduce assessor variability.

Gap #4 – Overlap with existing federal and organizational policies
Issue: Certain updates in personnel (PS) and program management (PM) controls may overlap with existing federal agency requirements or internal corporate policies, creating potential duplication or conflicting expectations.
Recommendation: Clarify where FedRAMP requirements are intended to supersede, complement, or defer to existing policies, and provide guidance on leveraging policy inheritance.

Gap #5 – Minimal consideration for multi-tenant and global cloud environments
Issue: The RFC does not explicitly address how updated controls apply in globally distributed, multi-tenant cloud architectures, particularly for personnel and physical/environmental controls.
Recommendation: Include guidance or examples for implementing controls in multi-tenant and geographically dispersed environments, including jurisdictional and data residency considerations.

Gap #6 – Absence of guidance for documentation standardization
Issue: Updates to planning (PL) and program management (PM) controls may require significant documentation updates, but there is no standardization guidance to ensure consistency across CSP submissions.
Recommendation: Provide templates or standardized documentation expectations (potentially aligned with OSCAL or structured formats) to reduce variability and improve review efficiency.

Gap #7 – Limited linkage to continuous authorization model (FedRAMP 20x)
Issue: The RFC modernizes control content but does not clearly connect updates to the broader shift toward continuous authorization and automation emphasized in recent FedRAMP initiatives.
Recommendation: Explicitly map how updated controls support continuous monitoring, automated validation, and ongoing authorization to ensure alignment with FedRAMP’s evolving operating model.

Gap #8 – No explicit impact analysis on assessment scope and cost
Issue: The RFC introduces changes that could affect assessment scope and level of effort, but does not analyze potential cost or timeline impacts for CSPs and 3PAOs.
Recommendation: Include an impact assessment outlining expected changes to assessment effort, helping stakeholders plan and allocate resources more effectively.

[OG-of-the-realms]

No recommended changes, would accept these as is