FedRAMP Tailored: New Program for Cloud Service Providers (CSPs)

Author: A-Lign Assurance

The Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, released FedRAMP Tailored on September 28, 2017. This new Baseline was designed and developed for Cloud Service Providers (CSPs) with Low-Impact Software-as-a-Service (LI-SaaS) Systems, supporting emerging technology as low-cost and low-risk industry solutions.

What is the Purpose of FedRAMP Tailored?

After collaboration with government digital service teams, the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), the Joint Authorization Board (JAB) and third-party vendors, FedRAMP recognized the need to increase the existing program’s flexibility for quicker authorization and implementation of low-risk solutions.

FedRAMP Tailored is a policy and set of requirements to create a more efficient process for LI-SaaS providers to achieve a FedRAMP Agency Authorization to Operate (ATO), by achieving these three objectives:

  1. Streamline the authorization process for low-risk solutions including collaboration tools, project management applications, and open-source coding tools

  2. Standardize officials’ approach for measuring risks affiliated with authorizing LI-SaaS cloud applications

  3. Leverage cloud solutions for government use while ensuring security and privacy

Which Organizations Qualify?

To determine if an organization can be considered for FedRAMP Tailored, the CSP must first qualify as an LI-SaaS provider.

As defined by Federal Information Processing Standards Publication (FIPS PUB) 199 – Standards for Security Categorization of Federal Information and Information Systems, the CSP must categorize as low impact. Agencies and CSPs can identify and verify the impact level based on the information type currently used within the cloud environment.

Low impact level cloud service systems are permitted to hold only the minimum personally identifiable information (PII) needed for login capabilities. This PII includes username, email address, and password; any other information disqualifies the CSP as an LI-SaaS.

If a CSP offers login capabilities, FedRAMP recommends using an existing ATO-covered agency directory to ensure login-related PII is not contained in the LI-SaaS.

In addition, the LI-SaaS needs to either provide its own cloud infrastructure or host within a FedRAMP-authorized Platform as a Service (PaaS) or Infrastructure as a Service (IaaS).

What are the Baseline Controls and Associated Tailoring Criteria?

FedRAMP Tailored provides a minimum set of control requirements; however, by law, the Agency Authorizing Officials have the final decision to require additional controls if deemed necessary to maintain compliance with policies and procedures.

FedRAMP currently utilizes the NIST Risk Management Framework (RMF) in determining security control baselines for organizations of all levels of impact. FedRAMP then uses NIST SP 800-37 to specify additional sets of security controls for LI-SaaS services based on the type of use and information placed within the system.

There are six categories of FedRAMP Tailored LI-SaaS Baseline controls based on the FedRAMP Low Impact Baseline that are required to be addressed by the CSP:

  1. FED – The control is typically the responsibility of the Federal Government, not the CSP.

  2. NSO – FedRAMP has determined the control does not impact the security of the Cloud SaaS.

  3. Document and Assess (Required) – The control must be documented in Appendix B (FedRAMP Tailored Mandatory Templates), and independently assessed. This does not mean that a vendor will necessarily have each control fully implemented or implemented as stated. A vendor must address how they meet (or do not meet) the intent of the control so that it can be independently assessed and detail any risks associated with the implementation.

  4. Document and Assess (Conditional) – If the condition exists, the control must be documented in Appendix B and independently assessed as above. If the condition does not exist, the CSP must attest to this in Appendix E (FedRAMP Tailored Self-Attestation Requirements).

  5. Inherited – Controls FedRAMP determined to be inherited from the underlying infrastructure provider (i.e., FedRAMP-authorized IaaS/PaaS) for Low Impact Cloud SaaS.

  6. Attest – The control must exist; however, the CSP may attest to its existence in Appendix E. (No documentation or independent assessment is required).

Within those six categories, there are 128 FedRAMP tailoring criteria for the FedRAMP Low Impact Baseline controls, which are also listed with details in Appendix A (FedRAMP Tailored Security Controls Baseline) as noted above. The tailoring process of baseline controls is only permitted within NIST SP 800-53 Revision 4.

When agencies are selecting the appropriate set of controls, it’s important to keep in mind that there are only two criteria for eliminating a security control from the baseline. The control is either exclusively federal, meaning it is the responsibility of the Federal Government, or the control does not directly impact the security of the LI-SaaS, which is determined by FedRAMP.

FedRAMP may also accept other certifications, including ISO 27001 and SOC 2 if the LI-SaaS provider offers an entire cloud stack.

The release of FedRAMP Tailored is another step towards efficiently and effectively addressing the security of cloud environments and the growing market. Through FedRAMP Tailored, government agencies can leverage emerging industry services and improve agility while maintaining security compliance.

As an accredited 3PAO, A-LIGN can help CSPs understand, navigate, and implement FedRAMP assessments based on their organization’s type and initiatives regardless of their readiness.
