Streamlining the FedRAMP approval process
- By Sara Friedman
Federal Risk and Authorization Management Program, the cloud-security framework run out of the General Services Administration, currently has three sets of baseline requirements under the National Institute of Standards and Technology’s Federal Information Processing Standards Publication 199 for low-, moderate- and high-impact cloud service providers. The authorization process can take months, however, even for low-impact services.
Under FedRAMP Tailored, a new process currently under review, certain low-impact applications can get reviewed and approved for agency use in as little as four weeks.
“It became clear that our traditional one-size-fits-all security baseline has not worked particularly well … for many of our government constituents,” FedRAMP director Matt Goodrich said during an April 11 webinar. “It meant that a large portion of the CSP market was underserved, and [CSPs were] unable to provide their services to the federal government.”
CSPs that want to qualify for FedRAMP Tailored must be able to answer “yes” to the following questions about the cloud service in question:
- Does the service operate in the cloud?
- Is the cloud service fully operational (e.g. not under development)?
- Is the cloud service a SaaS, rather than infrastructure or platform as a service?
- Can it provide services without requiring the collection of personally identifiable information?
- Is the cloud service low-security impact, according to the FIPS 199 definition?
- Is the cloud service hosted within an existing FedRAMP-authorized infrastructure, where pre-existing controls and validations can be inherited?
The FedRAMP Tailored draft policy also provides a minimum set of security controls for low-risk applications based on NIST-recommended baselines requirements. Agencies, however, may decide what controls they need to make the process easier for low-impact CSPs based on the types of services that they use.
“Agencies will be doing a good percentage more of the work during the assessments to reduce the cost -- not only for vendors but also to reduce cost for agencies to begin to use a service,” Goodrich said. “I think that many agencies will take on the assessment work because it will help them not only speed up their timeframe but also for vendors as well.”
FedRAMP is holding a virtual and in-person “FedRAMP Tailored Comment-a-thon” event on April 18 in Washington, D.C., to get input from agencies and vendors on the proposed baseline requirements.
The program is also accepting public comment by email or on GitHub. The public comment period will end on April 24.
Guidelines for FedRAMP Tailored are expected to be revised based on this feedback and made available for public comment for two weeks in early June. The program is targeting late summer for putting the regulations into effect for low-impact cloud services.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.
Click here for previous articles by Friedman.