FedRAMP launches its Tailored baseline

The Federal Risk and Authorization Management Program unveiled the finalized baseline for its FedRAMP Tailored service Thursday, offering agencies more cloud computing options.

FedRAMP Tailored spotlights low-impact Software-as-a-Service systems offered by cloud services providers to help give agencies options for flexible cloud adoption.

The cloud authorization office introduced the Tailored baseline in February, seeking public comment on how best to deliver low-risk services needing minimum security requirements that agencies could adopt more quickly.

“We are really excited to finally get this out on the street,” said FedRAMP Director Matt Goodrich said on a conference call Thursday.

The new baseline is set to provide guidance for CSPs that would offer agencies cloud solutions “for use like collaboration tools, project management applications and tools that help develop open-source code.”

Officials said in February that the FedRAMP Tailored encompasses 36 controls that CSPs must meet for authorization, with an estimated timeframe of four to eight weeks to achieve authority to operate.

By comparison, Goodrich said that cyber risk management advisers Coalfire estimated the average ATO approval time for moderate impact systems as a four-to-six-month wait. That also costs between $300,000 and $700,000.

“Those systems have about 325 control requirements. This only has 36,” he said. “In terms of an estimate of what it’s going to cost, we haven’t done that yet. But I would venture to argue that’s probably going to be much, much cheaper for vendors, because you are only looking at 10 percent of the controls compared to moderate and 20 percent of the time to complete.”

FedRAMP has been actively developing options to speed up the authorization process for cloud service providers looking to sell to federal agencies, including releasing a request for information in July on how to automate a portion of the ATO process.

The initial FedRAMP Tailored release drew more than 330 comments and was followed by another public comment period in July, which was reviewed by its program management office and Joint Authorization Board.

“In terms of what we heard from vendors was really that they just wanted more direct guidance on how these controls apply to them and what the process would look like,” Goodrich said. “So you will see in the documentation that what we did is combine a bunch of templates down into one template.”

Goodrich added that Thursday’s release is expected the be the first of several eventual FedRAMP Tailored baselines.

“There could be things that as we look at a broad group of agencies that want to have a baseline that would cover somewhere between a moderate and high impact system, depending on certain needs,” he said. “We might do something around [human resources] and payroll systems coming up too. So this is our first foray into creating these Tailored baselines for unique use cases.”