
FedRAMP Seeks Comments on Threat-Based Scoring Approach to Authorizations


The Federal Risk and Authorization Management Program is soliciting comments on an updated white paper that reflects changes to threat-based scoring methodology and informs stakeholders of its potential applications.

FedRAMP said Tuesday it expects the threat-based model to allow federal agencies and cloud service providers to prioritize security controls that are effective against the current threat environment and result in quantitative-based risk management decisions when it comes to authorizing cloud platforms for government use.

The Threat-Based Methodology White Paper reflects updates to the scoring approach and its alignment with the MITRE ATT&CK threat framework, version 8.2.

FedRAMP previously used the NSA/CSS Technical Cyber Threat Framework, or NTCTF, in its threat-based scoring methodology.

The program aligned the threat-based model with the MITRE ATT&CK threat framework by analyzing each security control in NIST SP 800-53, Rev. 5 that falls within the FedRAMP High baseline.

The threat-based risk profiling methodology has three phases: threat-based analysis; security controls assessment; and risk profiling.