On February 16, the FedRAMP Project Management Office (PMO) released the new FedRAMP Tailored security controls baseline for public comment (comment period closes March 17, 2017). The new FedRAMP Tailored security controls baseline was created for Cloud Service Providers (CSPs) who have cloud service offerings (CSO) that do not require the more stringent process of FedRAMP Moderate or FedRAMP High security control baselines.
According to the PMO, this new baseline would be an ideal path for CSOs “that are for low-risk use—focusing on services like collaboration tools, project management, and open-source development”. This provides CSPs with low-risk CSOs a path forward without having to endure the significant financial and operational burden required to comply with FedRAMP Moderate or FedRAMP High, or even the existing FedRAMP Low security control baseline.
A CSO must meet the following conditions to be eligible to achieve an ATO in accordance with the FedRAMP Tailored security controls baseline:
- The CSO needs to operate in the cloud, hosted within an existing FedRAMP-authorized IaaS or PaaS ATO boundary.
- The CSO must be fully operational, not proposed.
- The CSO must meet the definition of a Software-as-a-Service (SaaS) application, rather than an Infrastructure-as-a-Service (IaaS) or a Platform-as-a-Service (PaaS) application.
- The CSO does not require the collection of personally identifiable information (PII) as part of default functionality.
- The CSO is categorized as low impact in accordance with FIPS 199.
The FedRAMP Tailored security controls baseline provides a minimum set of requirements for eligible CSOs consistent with NIST Special Publication 800-37, the NIST Risk Management Framework (RMF). The FedRAMP Tailored security controls baseline includes 112 security controls, as outlined here:
- 29 security controls that are always required and must be tested by an approved assessor.
- 7 security controls that are conditionally required and must be tested by an approved assessor (an accredited 3PAO).
- 14 security controls that must be implemented by the underlying FedRAMP-authorized IaaS or PaaS ATO boundary.
- 62 security controls that the CSP is required to attest to being in place, but do not have to be tested by an approved assessor.
By introducing FedRAMP Tailored, the PMO continues to meet its goal for providing federal agencies more choices of CSP services. In turn, this allows agencies to continue their modernization process, enhance ties with cloud firms, and advance mandated cloud migrations. CSPs benefit by having an accelerated and low-cost path to meet federal security requirements.
Coalfire is the leading FedRAMP Third Party Assessment Organization (3PAO) for cloud service providers in pursuit of FedRAMP authorization. Contact Coalfire to learn how to get your low-risk cloud offering authorized for the government marketplace or to answer questions about the new FedRAMP Tailored program.