FedRAMP Tailored for Low-Impact Software- as-a-Service (LI-SaaS)
We are excited to announce our release of the FedRAMP Tailored baseline for Cloud Service Providers (CSPs) with Low-Impact Software- as-a-Service (LI-SaaS) Systems! FedRAMP Tailored was developed to support industry solutions that are low risk and low cost for agencies to deploy and use. Additionally, FedRAMP Tailored:
- Creates a faster, streamlined process for systems that are low risk for use like collaboration tools, project management applications, and tools that help develop open-source code
- Supports government Authorizing Officials’ need for a standardized approach to determining the risks associated with authorizing specific low-impact cloud applications
- Incorporates industry input in order to provide the government with the agility to leverage valuable industry services while maintaining appropriate security levels
We originally released FedRAMP Tailored for public comment in February 2017. After making significant updates and incorporating your feedback, which included over 330 comments and reactions, we released it for a second public comment period in July 2017. You can view all the comments and FedRAMP’s responses by visiting the GitHub comment repository.
We’ve published the final documents below and they can also be found in the Documents and Templates pages of our website, which can be located under the “Resources” section of our navigation menu.
- FedRAMP Tailored Policy
- APPENDIX A - Security Controls Baseline
- APPENDIX B - Mandatory Templates
- APPENDIX C - ATO Letter Template
- APPENDIX D - Continuous Monitoring Requirements
- APPENDIX E - Self-Attestation Requirements
FedRAMP was originally built around enterprise-wide solutions that would cover the broadest range of data types for cloud architectures moving into the Federal space. FedRAMP currently has three sets of baseline security requirements: Low, Moderate, and High impact based on FIPS 199 categorization.
However, in recent discussions with government digital service teams, CxOs, as well as vendors working with the US government, it has become clear that there is a business and mission need to increase FedRAMP’s flexibility to rapidly authorize and use low-risk applications. This approach adds to FedRAMP’s existing “one-size-fits-all” baselines to support industry solutions that are low risk and, many times, low cost for agencies to deploy and use.
With an ever growing need for a more efficient and effective way to address security for cloud environments, FedRAMP, through collaboration with OMB, NIST, and the Joint Authorization Board (JAB), has developed a draft “tailored” approach for these types of solutions, and is now engaging with industry for feedback. We think the goals for FedRAMP Tailored address these cases that are low risk for use—focusing on services like collaboration tools, project management, and open-source development.
The FedRAMP Tailored baseline provides a minimum set of security control requirements. As always and required by law, Agency Authorizing Officials have the ultimate responsibility of determining if additional security controls are required to remain in compliance with agency-specific policies, procedures, and their own risk tolerance. However, we believe the FedRAMP program, including our goals for Tailored, is a key part of issuing an informed, risk-based authority to operate.
Based on initial feedback from agency stakeholders, FedRAMP Tailored seeks to address an increasingly growing market. Our hope is that by working with industry to develop this new baseline, we can continue to provide the government with the agility to leverage valuable industry services while maintaining the appropriate level of security.
We look forward to hearing your feedback on FedRAMP Tailored!