Acquisition

FedRAMP drafts ‘Tailored’ approach to authorizing low-risk applications

The Federal Risk and Authorization Management Program (FedRAMP) unveiled Thursday the first draft of another tool it will add to its kit — a way to more efficiently authorize low-risk cloud services.

By Samantha Ehlinger

February 17, 2017

(Getty Images)

The Federal Risk and Authorization Management Program unveiled Thursday the first draft of another tool it will add to its kit — a way to more efficiently authorize low-risk cloud services.

FedRAMP was designed to serve as a “do once, use many times” framework for assessing the security of cloud providers. And the program announced Thursday it is seeking public comment on its draft of a fourth proposed baseline, called FedRAMP Tailored, which would be used to more easily authorize software applications that, among several criteria, don’t require collecting personally identifiable information.

Right now, cloud service providers can be authorized under one the program’s baselines for security requirements: Low, Moderate, or High impact, designed around enterprise-wide solutions. This new baseline would focus, however, on rapidly-authorizing low-risk “services like collaboration tools, project management, and open-source development,” according to a Thursday FedRAMP blog post.

According to the draft policy posted for public comment, FedRAMP Tailored “will reduce the time, money, and effort for agencies to approve low-impact systems for use, while maintaining compliance with applicable federal laws, policies, and mandates.”

After this round, the policy will go out for another round of comments. FedRAMP officials expect it to be finalized in the summer, Director Matt Goodrich told FedScoop via email.

“In discussions with digital services teams, Chief Technology Officers and Chief Information Officers across the U.S. Government, it is clear that there are many low-impact cloud services for low-risk use cases, for which a traditional enterprise-wide baseline with a one-size-fits-all approach does not work well,” the policy reads. “The FedRAMP Low Impact Baseline requires some Cloud Service Providers to implement more security controls than needed based on the type of use and the type of information being placed in the system by agencies.”

The new Tailored approach is seeking to alleviate that problem.

When Goodrich first said in Nov. 2016 the program would work to launch Tailored, he said his team had noticed that “one-size-fits-all models work well for” infrastructure-as-a-service and platform-as-a-service offerings. But software-as-a-service offerings could be used for something as simple as a project management tool or something more complicated like an enterprisewide email and communications, and unified messaging solutions, Goodrich noted.

“We want to make sure that we have an authorization process that matches how agencies are using services and the type of data that is going in there,” he said. “Our baselines that we have now will continue to be appropriate for all of those enterprisewide solutions that agencies can use for a multitude of reasons. But we’re going to start rolling out tailored baselines for specific use cases.”

FedRAMP’s blog post announcing Tailored outlines five specific questions that must be answered “yes” for a solution to qualify for the new baseline:

Does the service operate in the cloud?
Is the cloud service fully operational (e.g. not under development)?
Is the cloud service a Software application (SaaS), rather than Infrastructure (IaaS) or a Platform (PaaS)?
Can the cloud service provide services without requiring the collection of personally identifiable information (PII)?
Is the cloud service low-security-impact, according to the FIPS 199 definition?
Is the cloud service hosted within an existing FedRAMP authorized infrastructure, where pre-existing controls and validations can be inherited?

The public can comment on FedRAMP Tailored until March 17, 2017.