FedRAMP Tailored program for low-risk use cloud service offerings

Abel Sussman, Senior Project Manager, Commercial Services, Coalfire

On February 16, the FedRAMP Project Management Office (PMO) released the new FedRAMP Tailored security controls baseline for public comment (comment period closes March 17, 2017).  The new FedRAMP Tailored security controls baseline was created for Cloud Service Providers (CSPs) who have cloud service offerings (CSO) that do not require the more stringent process of FedRAMP Moderate or FedRAMP High security control baselines.

According to the PMO, this new baseline would be an ideal path for CSOs “that are for low-risk use—focusing on services like collaboration tools, project management, and open-source development”. This provides CSPs with low-risk CSOs a path forward without having to endure the significant financial and operational burden required to comply with FedRAMP Moderate or FedRAMP High, or even the existing FedRAMP Low security control baseline.

A CSO must meet the following conditions to be eligible to achieve an ATO in accordance with the FedRAMP Tailored security controls baseline:

  1. The CSO needs to operate in the cloud, hosted within an existing FedRAMP-authorized IaaS or PaaS ATO boundary.
  2. The CSO must be fully operational, not proposed.
  3. The CSO must meet the definition of a Software-as-a-Service (SaaS) application, rather than an Infrastructure-as-a-Service (IaaS) or a Platform-as-a-Service (PaaS) application.
  4. The CSO does not require the collection of personally identifiable information (PII) as part of default functionality.
  5. The CSO is categorized as low impact in accordance with FIPS 199.

The FedRAMP Tailored security controls baseline provides a minimum set of requirements for eligible CSOs consistent with NIST Special Publication 800-37, the NIST Risk Management Framework (RMF). The FedRAMP Tailored security controls baseline includes 112 security controls, as outlined here:

  • 29 security controls that are always required and must be tested by an approved assessor.
  • 7 security controls that are conditionally required and must be tested by an approved assessor (an accredited 3PAO).
  • 14 security controls that must be implemented by the underlying FedRAMP-authorized IaaS or PaaS ATO boundary.
  • 62 security controls that the CSP is required to attest to being in place, but do not have to be tested by an approved assessor.

By introducing FedRAMP Tailored, the PMO continues to meet its goal for providing federal agencies more choices of CSP services. In turn, this allows agencies to continue their modernization process, enhance ties with cloud firms, and advance mandated cloud migrations. CSPs benefit by having an accelerated and low-cost path to meet federal security requirements.

Coalfire is the leading FedRAMP Third Party Assessment Organization (3PAO) for cloud service providers in pursuit of FedRAMP authorization. Contact Coalfire to learn how to get your low-risk cloud offering authorized for the government marketplace or to answer questions about the new FedRAMP Tailored program.

Abel Sussman


Abel Sussman — Senior Project Manager, Commercial Services, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS