New FedRAMP Tailored bringing ‘shadow IT’ out of the dark

Private sector companies frustrated with the sluggish Federal Risk and Authorization Management Program (FedRAMP), and first-time vendors overwhelmed by cloud security requirements, have a new resource when it comes to doing business with the government.

FedRAMP Tailored is geared toward cloud service providers with low-impact software-as-a-service (LI-SaaS) systems, and brings “shadow IT out of the shadows,” said Matt Goodrich, the director of the FedRAMP program management office, during a Thursday phone call with reporters.

Goodrich said FedRAMP Tailored has roughly 36 controls, and an average authorization time of 4-8 weeks.

“We think this is going to enable us to bring in new and innovative providers with that easier entry point,” Goodrich said. “Coming in to federal business and federal government does have a burden that we all know about in terms of acquisitions or security and having that upfront cost with making sure that you do meet all of the federal mandates and laws and things the federal government has to follow. We think this is definitely going to ease some of that barrier to entry for these new and innovative providers to be able to actually work with the government and the government can use them in a secure way.”


The use cases in mind include communications, project management and open source code development, Goodrich said.

“There were a lot of low-risk systems that were being used across government by digital service teams,” Goodrich said. “Many CIOs talked about using them and that the current baselines that FedRAMP had, as well as some of the baselines that NIST has in their recommended baselines, were overly burdensome. They really had too many requirements for the type of security that the government CIOs and agencies felt were needed to protect the federal information that was going into them.”

At the heart of it all, Goodrich said, is making sure the security for these systems is commensurate with the data’s sensitivity.

“What we’re hearing is vendors are more than happy to provide the security that they have, and agencies want to do an ATO [Authority to Operate] for those systems, but the current structure and current requirements were just overly burdensome,” Goodrich said. “So we wanted to make sure we were meeting government agency needs through the security they felt was needed as well as what vendors felt like they could provide that would be reasonable and not overly costly for them to do.”

What customers need

FedRAMP teased its plans for FedRAMP Tailored in November 2016. The program originally went out for public comment in February and then for a second round of comments in July.

Goodrich said most of the feedback related to helping vendors understand the meaning of the requirements. Goodrich’s office responded by combining multiple templates into one management document and by providing detailed guidance within each security control.

There are also six questions vendors can ask themselves that will quickly tell them whether or not FedRAMP Tailored is right for them.

Those questions are:

  1. Does the service operate in a cloud environment?
  2. Is the cloud service fully operational?
  3. Is the cloud service a software-as-a-service (SaaS), as defined by NIST SP 800-145, The NIST Definition of Cloud Computing?
  4. Does the cloud service contain no personally identifiable information (PII), except as needed to provide a login capability (username, password and email address)?
  5. Is the cloud service low-security impact, as defined by FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems?
  6. Is the cloud service hosted within a FedRAMP-authorized platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS), or is the CSP providing the underlying cloud infrastructure?

FedRAMP Tailored is not to be confused with FedRAMP Accelerated. Goodrich said Tailored is more of a category of introducing new baselines, and being able to tailor security controls for systems depending on the type of information that’s going through them.

Goodrich said he could see additional baselines being introduced in the future to handle things like email systems, HR or payroll.

“This is our first hurrah into creating a tailored baseline for unique use cases,” Goodrich said. “The first one is for low-impact software-as-a-service. Right now this is our fourth baseline. Who knows, in another five years, maybe we’ll have 10 baselines, or 15 baselines. It really is going to depend on what our vendors as well as hearing from our agency customers and what they need.”