FedRAMP launches streamlined approvals for low-impact services
FedRAMP Tailored aims to get applications to agencies in as little as four weeks and reduce the burden on cloud providers.
The Federal Risk and Authorization Management Program is now offering FedRAMP Tailored, a faster approval process for cloud service providers with low-impact software-as-a-service offerings.
The new baseline is based on a minimum set of security controls and designed to get applications to federal agencies in as little as four weeks. In an effort to ease the barrier to entry for CSPs, the baseline provides guidance on each of the security controls to help new vendors bring their technology into the government space.
“We want to make sure that the security for these systems is commensurate with the sensitivity of data in these systems,” said FedRAMP Director Matt Goodrich. “We are looking at low-impact and low-risk use cases to help with things like communication, project management and open-source code development.”
FedRAMP Tailored trims the number of security controls from 125 to 36, which Goodrich hopes will lower the front-end costs for vendors who want to do business with the federal government. Goodrich said he sees the most interest in the new baseline coming from companies currently doing business with individual agencies but not at an enterprise-level scale.
The controls are based on requirements from the National Institute of Standards and Technology’s Federal Information Processing Standards Publication 199 that are already in use by FedRAMP for low-, moderate- and high-impact cloud service provider baselines.
To be considered for FedRAMP Tailored, vendors must qualify for the baseline based on positive answers to six questions:
- Does the service operate in a cloud environment?
- Is the cloud service fully operational?
- Is the cloud service a SaaS offering, as defined by NIST Special Publication 800-145?
- Does the cloud service steer clear of any personally identifiable information, except data needed for login credentials including username, password and email address?
- Is the cloud service a low security impact based on FIPS 199?
- Is the cloud service hosted within a FedRAMP-authorized platform as a service or infrastructure as a service, where pre-existing controls and validations can be inherited?
The FedRAMP Tailored baseline for low-impact services is only the first of the program’s efforts to adapt NIST’s security controls for different types of systems based on use cases.
“The NIST framework allows us to tailor the security controls for systems based on the type of information going into them,” Goodrich said. “We envision that there will be more tailored baselines coming out in the future.”
More information on the FedRAMP Tailored baseline requirements can be found here.