Compliance · 2026-04-12 · 8 min read

FedRAMP Rev 5: The 80 New Controls Your Code Has to Pass

FedRAMP updated its baselines to align with NIST 800-53 Rev 5. For developers building cloud services targeting government customers, here's which controls live in code.

FedRAMP Rev 5 Baseline: What Changed for Development Teams

The FedRAMP Program Management Office (PMO) published baselines aligned with NIST SP 800-53 Revision 5 in May 2023. The Rev 5 transition introduced roughly 80 new controls and restructured the control catalog in ways that directly affect software development.

For organizations pursuing FedRAMP Moderate or High authorization, a meaningful portion of the control set is satisfied (or violated) in code, not in network architecture or policy documents.

The SA Family: System and Services Acquisition

SA-11 (Developer Testing and Evaluation) is the most developer-specific control in the baseline. The enhancements FedRAMP selects are:

  • SA-11(1) Static Code Analysis: static analysis before release, explicitly named as a required technique
  • SA-11(2) Threat Modeling and Vulnerability Analyses: performed during development, not after
  • SA-11(8) Dynamic Code Analysis: DAST as a required technique for Moderate and High

These are not "encouraged" practices. They are required controls with evidence requirements. Your ATO package must demonstrate that static and dynamic analysis occurred and that findings were addressed.

The SI Family: System and Information Integrity

SI-10 (Information Input Validation) requires applications to verify the accuracy, completeness, validity, and authenticity of inputs. CWE-20 (Improper Input Validation) is the direct code-level mapping.

SI-16 (Memory Protection) is not new in Rev 5; it was already in the Rev 4 Moderate and High baselines. Its discussion names data execution prevention and address space layout randomization, so most of it is satisfied by the operating system and runtime rather than by application code. Where it does reach code: in C and C++ it maps directly to the memory-safety CWEs (CWE-119, CWE-787, CWE-416). Go and Rust are memory-safe outside unsafe blocks and FFI, so the exposure there is confined to those. For managed runtimes (Python, JavaScript, Java) the runtime supplies the protection, and the nearest code-level concern is unsafe deserialization (CWE-502), which fits SI-10 (input validation) at least as well as SI-16.

SI-3 (Malicious Code Protection) at FedRAMP Moderate requires real-time scanning of files from external sources at network entry and exit points, plus periodic scans. "Malicious code" here means malware, not injected input: in a cloud service this covers scanning file uploads and other content your service ingests from outside the boundary, and scanning what it sends out. Validating API input belongs to SI-10, not SI-3.

The AC Family: Access Control

AC-4 (Information Flow Enforcement) is the control that injection vulnerabilities violate. SQL injection, command injection, and SSRF all involve an attacker steering information flow in ways the system should prevent, so every injection-type CWE (CWE-78, CWE-89, CWE-918) is a potential AC-4 finding. Assessors frequently cite the same finding under SI-10 as well, since the root cause is unvalidated input; map it to both.
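To make the SI-10 and AC-4 mapping concrete, here is an added example (not code from the article or from Deva) showing a CWE-89 query and a CWE-918 outbound fetch beside their hardened forms. The users table, the tenant-id format and the ALLOWED_FETCH_HOSTS allowlist are constructed for the demo.

```python
"""SI-10 / AC-4 at the code level: CWE-89 and CWE-918 before and after.

Added example, not code from the article or from Deva. The users table,
the tenant-id format and ALLOWED_FETCH_HOSTS are constructed for the demo.
"""
import ipaddress
import re
import sqlite3
from urllib.parse import urlsplit


def make_db():
    """In-memory SQLite table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, tenant TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice@example.com", "acme"),
         (2, "bob@example.com", "acme"),
         (3, "carol@example.com", "globex")],
    )
    return conn


# CWE-89 (before): the tenant value is spliced into the SQL text, so a crafted
# value rewrites the query. An assessor would cite this under AC-4 and SI-10.
def users_for_tenant_vulnerable(conn, tenant):
    query = f"SELECT email FROM users WHERE tenant = '{tenant}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


# After: SI-10 validation of the input's shape, then a bound parameter so the
# value reaches the engine as data, never as SQL.
TENANT_ID = re.compile(r"[a-z0-9-]{1,32}")


def users_for_tenant(conn, tenant):
    if not TENANT_ID.fullmatch(tenant):
        raise ValueError("tenant id does not match the expected format")
    rows = conn.execute(
        "SELECT email FROM users WHERE tenant = ? ORDER BY id", (tenant,))
    return [row[0] for row in rows]


# CWE-918: an outbound request is an information flow too (AC-4). The target
# is checked against a hypothetical allowlist of hostnames before any request
# is made; IP literals are rejected so the cloud metadata address or loopback
# cannot be named directly.
ALLOWED_FETCH_HOSTS = {"api.partner.example"}


def is_allowed_fetch_target(url):
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # urlsplit drops userinfo: "a@b.c" yields "b.c"
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal such as 169.254.169.254 or ::1
    except ValueError:
        pass
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return host.lower() in ALLOWED_FETCH_HOSTS


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", users_for_tenant_vulnerable(db, payload))  # every row
    try:
        users_for_tenant(db, payload)
    except ValueError as exc:
        print("hardened rejected payload:", exc)
    print("hardened:", users_for_tenant(db, "acme"))
    for u in ("https://api.partner.example/v1/orders",
              "http://169.254.169.254/latest/meta-data/",
              "https://api.partner.example@evil.example/"):
        print(u, "->", is_allowed_fetch_target(u))
```

The allowlist check runs before the request is sent; it does not by itself defeat redirects to internal addresses or DNS rebinding, so the HTTP client must also refuse redirects and the resolver used for the allowlisted name must be the one the connection actually uses.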

AC-17 (Remote Access) governs how remote sessions, API sessions included, are authorized, monitored, and protected; AC-17(2) requires encryption to protect their confidentiality and integrity, which in practice is the TLS configuration your service controls. AC-18 (Wireless Access) rarely touches a cloud service's code at all. An API authentication bug is more likely to be written up under IA-2 or IA-8 (identification and authentication) and AC-3 (access enforcement) than under AC-17, so map it to every control that applies rather than to AC-17 alone.

The CM Family: Configuration Management

CM-7 (Least Functionality) requires components to provide only the capabilities they need; its enhancement CM-7(2) (Prevent Program Execution) adds controls on what software is allowed to run. In code terms the base control is the one that bites: no unused endpoints, no debug interfaces in production, no admin routes reachable without additional authentication.

Evidence Artifacts for the ATO Package

FedRAMP assessors (3PAOs) can take SARIF output as control evidence for SA-11 when the scan report shows:

  • Date and version of the scan
  • Findings identified
  • Remediation status of each finding
  • The control each finding maps to

Such a report is an artifact for SA-11(1). The mapping from finding to control must be explicit: "we ran a scanner" is not sufficient, and the report must show which Rev 5 control each finding relates to.
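As an added example (not code from the article or from Deva), the following turns a SARIF 2.1.0 log into that evidence summary and flags any finding that carries a CWE but no control, which is exactly the gap a 3PAO will notice. Assumptions: rule tags carry CWE ids as "external/cwe/cwe-NNN" (a convention many SAST tools follow); a result with an accepted SARIF suppression counts as "risk accepted" and anything else as "open"; CWE_TO_REV5 repeats this article's own mappings and is illustrative, not an official crosswalk; SAMPLE_SARIF is constructed, not real scanner output.

```python
"""SARIF 2.1.0 -> SA-11(1) evidence summary with Rev 5 control mapping.

Added example, not code from the article or from Deva. Assumes CWE ids in
rule tags as "external/cwe/cwe-NNN", treats an accepted suppression as
"risk accepted", and uses an illustrative CWE -> control table.
"""
import json
import re
from collections import Counter

# Illustrative mapping taken from this article; replace with your SSP's.
CWE_TO_REV5 = {
    "CWE-20": ["SI-10"],
    "CWE-78": ["AC-4", "SI-10"],
    "CWE-89": ["AC-4", "SI-10"],
    "CWE-918": ["AC-4", "SI-10"],
    "CWE-502": ["SI-10", "SI-16"],
}
CWE_TAG = re.compile(r"cwe[-/](\d+)$", re.IGNORECASE)


def _rule(rule_id, cwe=None, extra=()):
    tags = list(extra) + ([f"external/cwe/cwe-{cwe:03d}"] if cwe else [])
    return {"id": rule_id, "properties": {"tags": tags}}


def _result(rule_id, level, uri, line, suppressed=False):
    r = {"ruleId": rule_id, "level": level, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}
    if suppressed:
        r["suppressions"] = [{"kind": "external", "status": "accepted",
                              "justification": "allowlist enforced at egress proxy"}]
    return r


# Constructed SARIF log, not real scanner output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "version": "1.4.2", "rules": [
        _rule("py/sql-injection", 89, ["security"]),
        _rule("py/ssrf", 918),
        _rule("py/reflected-xss", 79),
        _rule("py/unused-import", extra=["maintainability"]),
    ]}},
    "invocations": [{"startTimeUtc": "2026-04-01T09:30:00Z", "executionSuccessful": True}],
    "results": [
        _result("py/sql-injection", "error", "app/db.py", 42),
        _result("py/ssrf", "warning", "app/fetch.py", 17, suppressed=True),
        _result("py/reflected-xss", "error", "app/views.py", 88),
        _result("py/unused-import", "note", "app/util.py", 3),
    ],
}]})


def cwe_ids(rule):
    """CWE ids from a rule's tags, normalised so cwe-089 becomes CWE-89."""
    ids = []
    for tag in rule.get("properties", {}).get("tags", []):
        m = CWE_TAG.search(tag)
        if m:
            ids.append(f"CWE-{int(m.group(1))}")
    return ids


def remediation_status(result):
    if any(s.get("status", "accepted") == "accepted" for s in result.get("suppressions", [])):
        return "risk accepted"
    return "open"


def build_evidence(sarif_text):
    """One summary per run: scan date, tool version, and the mapped findings."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {log.get('version')!r}")
    evidence = []
    for run in log["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        invocation = (run.get("invocations") or [{}])[0]
        findings = []
        for res in run.get("results", []):
            cwes = cwe_ids(rules.get(res["ruleId"], {}))
            controls = sorted({c for cwe in cwes for c in CWE_TO_REV5.get(cwe, [])})
            phys = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res["ruleId"], "level": res.get("level", "warning"),
                "location": f"{phys['artifactLocation']['uri']}:{phys['region']['startLine']}",
                "cwe": cwes, "controls": controls, "status": remediation_status(res)})
        evidence.append({"tool": driver["name"], "tool_version": driver.get("version"),
                         "scan_date": invocation.get("startTimeUtc"), "findings": findings})
    return evidence


def open_findings_by_control(evidence):
    """Open findings per control: what still needs remediation or a justification."""
    counts = Counter()
    for run in evidence:
        for f in run["findings"]:
            if f["status"] == "open":
                counts.update(f["controls"])
    return dict(counts)


def unmapped_security_findings(evidence):
    """Findings with a CWE but no control: the report cannot name a control for them."""
    return [f["rule"] for run in evidence for f in run["findings"]
            if f["cwe"] and not f["controls"]]


if __name__ == "__main__":
    ev = build_evidence(SAMPLE_SARIF)
    print(json.dumps(ev, indent=2))
    print("open by control:", open_findings_by_control(ev))
    print("unmapped:", unmapped_security_findings(ev))
```

In the constructed log the XSS finding (CWE-79) has no entry in the mapping table, so unmapped_security_findings returns it; that list should be empty before the report goes into the package.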

How Deva Addresses FedRAMP Rev 5

Deva's FedRAMP preset covers all code-relevant Rev 5 controls across the SA, SI, AC, and CM families. SARIF export includes control metadata so the evidence artifact contains the information 3PAOs expect. Scans run locally. For FedRAMP High systems handling federal data, no code leaves the boundary.


Matthew Conrad

Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.
