Advertisement

FedRAMP launches its Tailored baseline

The new cloud adoption baseline spotlights low-impact Software-as-a-Service systems to make the ATO process faster and more flexible.
(Getty Images)

The Federal Risk and Authorization Management Program unveiled the finalized baseline for its FedRAMP Tailored service Thursday, offering agencies more cloud computing options.

FedRAMP Tailored spotlights low-impact Software-as-a-Service systems offered by cloud services providers to help give agencies options for flexible cloud adoption.

The cloud authorization office introduced the Tailored baseline in February, seeking public comment on how best to deliver low-risk services needing minimum security requirements that agencies could adopt more quickly.

“We are really excited to finally get this out on the street,” said FedRAMP Director Matt Goodrich said on a conference call Thursday.

Advertisement

The new baseline is set to provide guidance for CSPs that would offer agencies cloud solutions “for use like collaboration tools, project management applications and tools that help develop open-source code.”

Officials said in February that the FedRAMP Tailored encompasses 36 controls that CSPs must meet for authorization, with an estimated timeframe of four to eight weeks to achieve authority to operate.

By comparison, Goodrich said that cyber risk management advisers Coalfire estimated the average ATO approval time for moderate impact systems as a four-to-six-month wait. That also costs between $300,000 and $700,000.

“Those systems have about 325 control requirements. This only has 36,” he said. “In terms of an estimate of what it’s going to cost, we haven’t done that yet. But I would venture to argue that’s probably going to be much, much cheaper for vendors, because you are only looking at 10 percent of the controls compared to moderate and 20 percent of the time to complete.”

FedRAMP has been actively developing options to speed up the authorization process for cloud service providers looking to sell to federal agencies, including releasing a request for information in July on how to automate a portion of the ATO process.

Advertisement

The initial FedRAMP Tailored release drew more than 330 comments and was followed by another public comment period in July, which was reviewed by its program management office and Joint Authorization Board.

“In terms of what we heard from vendors was really that they just wanted more direct guidance on how these controls apply to them and what the process would look like,” Goodrich said. “So you will see in the documentation that what we did is combine a bunch of templates down into one template.”

Goodrich added that Thursday’s release is expected the be the first of several eventual FedRAMP Tailored baselines.

“There could be things that as we look at a broad group of agencies that want to have a baseline that would cover somewhere between a moderate and high impact system, depending on certain needs,” he said. “We might do something around [human resources] and payroll systems coming up too. So this is our first foray into creating these Tailored baselines for unique use cases.”

Carten Cordell

Written by Carten Cordell

Carten Cordell is a Senior Technology Reporter for FedScoop. He is a former workforce and acquisition reporter at Federal Times, having previously served as online editor for Northern Virginia Magazine and Investigative Reporter for Watchdog.org, Virginia Bureau. Carten was a 2014 National Press Foundation Paul Miller Fellow and has a Master’s degree from the Medill School of Journalism at Northwestern University. He is also a graduate of Auburn University and promises to temper his passions for college football while in the office.

Latest Podcasts