The Federal Risk and Authorization Management Program is soliciting comments on an updated white paper that reflects changes to threat-based scoring methodology and informs stakeholders of its potential applications.
FedRAMP said Tuesday it expects the threat-based model to allow federal agencies and cloud service providers to prioritize security controls that are effective against the current threat environment and result in quantitative-based risk management decisions when it comes to authorizing cloud platforms for government use.
The Threat-Based Methodology White Paper reflects update to the scoring approach and alignment with the Mitre ATT&CK threat framework version 8.2.
FedRAMP previously used the NSA/CSS Technical Cyber Threat Framework or NTCTF in its threat-based scoring methodology.
The program aligned the threat-based model with the Mitre ATT&CK threat framework by analyzing each security control in the NIST SP 800-53, rev. 5 within the FedRAMP High baseline.
The threat-based risk profiling methodology has three phases: threat-based analysis; security controls assessment; and risk profiling.
