Since we published our first guide to Zero Trust and FIPS, there have been significant changes in the regulatory landscape for cloud-native security in FedRAMP environments, so we’ve published a new version to cover these latest developments. In December 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. And, most importantly, FedRAMP Revision 5—finalized in 2020—is now in force. FedRAMP Rev. 5 is a significant update to the security requirements for federal cloud services based on NIST SP 800-53 Rev. 5, which takes effect starting May 30, 2023 for new FedRAMP authorizations. Revision 5 is also targeted more broadly as guidance for all organizations in addition to its mandate for U.S. federal cloud information systems.
What’s New in FedRAMP Rev. 5?
Broadly, here’s what’s new in Rev. 5:
- Expansion to 20 control families (from 18 in Rev. 4), with some controls being restructured and renumbered. The control families are also realigned to better match current security threats and technology trends. (For more information, see Tetrate’s Guide to FedRAMP Rev. 5.)
- Expansion of scope to include privacy controls in addition to security controls to reflect the growing importance of privacy protection in information systems.
- Greater emphasis on supply chain risk management, including controls related to software supply chain security, reflecting the increasing importance of securing the software development and distribution process.
- Better alignment with other cybersecurity and privacy frameworks such as NIST’s Cybersecurity Framework (CSF) and Privacy Framework.
- Increased emphasis on continuous monitoring and improvement of security and privacy controls, aligning with modern cybersecurity practices.
As of May 30, 2023, all new FedRAMP authorizations must comply with SP 800-53 Rev. 5. FedRAMP authorizations already in the initiation or continuous monitoring phase prior to May 30, 2023 may continue to use Rev. 4 baselines, but must identify the delta between their current Rev. 4 implementation and the Rev. 5 requirements and develop plans to address that delta.
How Does Tetrate Istio Help Meet Rev. 5 Requirements?
FedRAMP Rev. 5 requires FIPS-validated encryption for data in transit. While Istio is the de facto standard security kernel for microservices applications, only Tetrate offers a FIPS-validated distribution of Istio suitable for FedRAMP environments. New in FedRAMP Rev. 5 is a requirement to document cryptographic modules in use to protect data in transit and at rest. Tetrate’s Istio distribution is built into the documentation template (SSP Appendix Q) required for all System Security Plans (SSPs)—so, you can be sure when it’s time to pass the Full Security Assessment in the FedRAMP Authorization phase, Tetrate has you covered. Tetrate Istio is also available via approved software factories like the AWS Marketplace for GovCloud and Platform One.
Read the Reports
- To learn more, read our new report on Zero Trust, FIPS and FedRAMP for Cloud Native Applications.
- For an in-depth analysis of how Tetrate Istio meets NIST SP 800-53 and FedRAMP Rev. 5 security controls, contact us to receive our annotated guide to Istio for FedRAMP.
Get Started with Istio
If you’re new to service mesh and Kubernetes security, we have a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
If you’re looking for a fast way to get to production with Istio, check out Tetrate Istio Distribution (TID), Tetrate’s hardened, fully upstream Istio distribution, with FIPS-verified builds and support available. It’s a great way to get started with Istio knowing you have a trusted distribution to begin with, an expert team supporting you, and also the option to get to FIPS compliance quickly if you need to.
As you add more apps to the mesh, you’ll need a unified way to manage those deployments and to coordinate the mandates of the different teams involved. That’s where Tetrate Service Bridge comes in. Learn more about how Tetrate Service Bridge makes service mesh more secure, manageable, and resilient here, or contact us for a quick demo.