FedRAMP Tailored: Fast approvals for low-impact services
- By Sara Friedman
The Federal Risk and Authorization Management Program is now offering FedRAMP Tailored, a program to get software-as-a-service applications to agencies in as little as four weeks and reduce the burden on cloud providers.
The new baseline is based on a minimum set of security controls and offers guidance on each of those controls to ease the barrier to entry for vendors looking to bring their technology into the government space.
“We are looking at low-impact and low-risk use cases to help with things like communication, project management and open-source code development,” FedRAMP Director Matt Goodrich said. “We want to make sure that the security for these systems is commensurate with the sensitivity of data in these systems.”
FedRAMP Tailored trims the number of security controls from 125 to 36, which will lower the front-end costs for vendors currently doing business with individual agencies but not at an enterprise-level scale, Goodrich said.
The controls are based on requirements from the National Institute of Standards and Technology’s Federal Information Processing Standards Publication 199 that are already in use by FedRAMP for low-, moderate- and high-impact cloud service provider baselines.
To be considered for FedRAMP Tailored, vendors must qualify for the baseline based on positive answers to six questions:
- Does the service operate in a cloud environment?
- Is the cloud service fully operational?
- Is the cloud service a SaaS offering, as defined by NIST Special Publication 800-145?
- Does the cloud service steer clear of any personally identifiable information, except data needed for login credentials including username, password and email address?
- Is the cloud service low security impact based on FIPS 199?
- Is the cloud service hosted within a FedRAMP-authorized platform as a service or infrastructure as a service, where pre-existing controls and validations can be inherited?
The FedRAMP Tailored baseline for low-impact services is only the first of the program’s efforts to adapt NIST’s security controls for different types of systems based on use cases.
“The NIST framework allows us to tailor the security controls for systems based on the type of information going into them,” Goodrich said. “We envision that there will be more tailored baselines coming out in the future.”
More information on the FedRAMP Tailored baseline requirements can be found here.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.