U.S. General Services Administration
Launching a FedRAMP Tailored Baseline
Editor's Note: This blog was originally published on the FedRAMP Blog.
We are excited to announce that the FedRAMP Tailored baseline is available for public comment. The public comment period ends on March 17, 2017–we welcome your feedback.
FedRAMP was originally built around enterprise-wide solutions that would cover the broadest range of data types for cloud architectures moving into the Federal space. FedRAMP currently has three sets of baseline security requirements: Low, Moderate, and High impact based on FIPS 199 categorization.
However, in recent discussions with government digital service teams, CxOs, as well as vendors working with the US government, it has become clear that there is a business and mission need to increase FedRAMP's flexibility to rapidly authorize and use low-risk applications. This approach adds to FedRAMP's existing "one-size-fits-all" baselines to support industry solutions that are low risk, and many times, low cost for agencies to deploy and use. With an ever growing need for a more efficient and effective way to address security for cloud environments, FedRAMP, through collaboration with OMB, NIST, and the Joint Authorization Board, has developed a draft "tailored" approach for these types of solutions, and is now engaging with industry for feedback. We think the goals for FedRAMP Tailored address these cases that are low risk for use—focusing on services like collaboration tools, project management, and open-source development.
To give more context for what we're trying to achieve with FedRAMP Tailored, let's think of how we protect physical property. If you want to secure your 2017 Cadillac Escalade, you are going to use a more rigorous and expansive mechanism for securing your new, expensive vehicle that can take you anywhere and do anything. Whereas, when securing your handy-dandy bike, a simple U-lock will suffice, given the replacement value and limited nature in which it can transport you. In this example, you are tailoring the security method to be commensurate with the risk of breach or hack. This is how we are thinking about the High, Moderate, Low baseline vs. the FedRAMP Tailored baseline, and this is exactly the sort of "risk based" decision making that NIST's cybersecurity guidance and frameworks encourage.
We hope FedRAMP Tailored will provide a way in which FedRAMP can support the need government Authorizing Officials have for a standardized approach to determining the risks associated with authorizing specific low-impact cloud applications -for example, small scale cloud applications that assist the government in doing business, but that do not directly impact the government's mission needs.
We have drafted specific criteria to enable agencies to determine which types of cloud services may qualify for FedRAMP Tailored. The answer to all of the following questions must be "yes" in order for Tailored to apply:
- Does the service operate in the cloud?
- Is the cloud service fully operational (e.g. not under development)?
- Is the cloud service a Software application (SaaS), rather than Infrastructure (IaaS) or a Platform (PaaS)?
- Can the cloud service provide services without requiring the collection of personally identifiable information (PII)?
- Is the cloud service low-security-impact, according to the FIPS 199 definition?
- Is the cloud service hosted within an existing FedRAMP authorized infrastructure, where pre-existing controls and validations can be inherited?
If the answers are "yes" and the agency authorizing official agrees, then such low-impact cloud services are the targets for FedRAMP Tailored!
The FedRAMP Tailored baseline provides a minimum set of security control requirements. As always and required by law, Authorizing Officials have the ultimate responsibility of determining if additional security controls are required to remain in compliance with agency-specific policies, procedures, and their own risk tolerance. However, we believe the FedRAMP program, including our goals for Tailored, is a key part of issuing an informed, risk-based authority to operate.
Based on initial feedback from agency stakeholders, FedRAMP Tailored seeks to address an increasingly growing market. Our hope is that by working with industry to develop this new baseline, we can continue to provide the government with the agility to leverage valuable industry services while maintaining the appropriate level of security.
We look forward to hearing your feedback on FedRAMP Tailored here.