There are some privacy-related controls in the FedRAMP baselines; however, as with Rev. 4, FedRAMP did not include the privacy overlay (Privacy Control Baseline) that NIST has defined in SP 800-53B, or any PT controls, as part of the FedRAMP baselines. It is the responsibility of each agency to determine its own privacy-related requirements and work with the CSP to make sure those controls are implemented. Privacy controls can vary greatly depending on the data types, which is why they are not included as part of the FedRAMP baselines. CSPs should work with their agency AO to determine if the agency has privacy requirements above and beyond what is specified in the Rev. 5 FedRAMP baselines. There are no current plans to provide a Rev. 5 PTA/PIA template for CSPs to complete. Agencies should execute a PTA/PIA to ensure that they are meeting their privacy requirements.