FedRAMP Tailored Public Comment
We are excited to announce that the FedRAMP Tailored baseline is available for public comment. The public comment period ends on April 24, 2017 -- we welcome your feedback by email or on GitHub. All comments received will be posted publicly.
FedRAMP was originally built around enterprise-wide solutions that would cover the broadest range of data types for cloud architectures moving into the Federal space. FedRAMP currently has three sets of baseline security requirements: Low, Moderate, and High impact based on FIPS 199 categorization.
However, in recent discussions with government digital service teams, CxOs, as well as vendors working with the US government, it has become clear that there is a business and mission need to increase FedRAMP’s flexibility to rapidly authorize and use low-risk applications. This approach adds to FedRAMP’s existing “one-size-fits-all” baselines to support industry solutions that are low risk and, many times, low cost for agencies to deploy and use.
With an ever-growing need for a more efficient and effective way to address security for cloud environments, FedRAMP, through collaboration with OMB, NIST, and the Joint Authorization Board (JAB), has developed a draft “tailored” approach for these types of solutions, and is now engaging with industry for feedback. We think the goals for FedRAMP Tailored address these low-risk use cases, focusing on services like collaboration tools, project management, and open-source development.
The FedRAMP Tailored baseline provides a minimum set of security control requirements. As always and required by law, Agency Authorizing Officials have the ultimate responsibility of determining if additional security controls are required to remain in compliance with agency-specific policies, procedures, and their own risk tolerance. However, we believe the FedRAMP program, including our goals for Tailored, is a key part of issuing an informed, risk-based authority to operate.
Based on initial feedback from agency stakeholders, FedRAMP Tailored seeks to address a growing market. Our hope is that by working with industry to develop this new baseline, we can continue to provide the government with the agility to leverage valuable industry services while maintaining the appropriate level of security.
We look forward to hearing your feedback on FedRAMP Tailored!