The FedRAMP Tailored program is a great option for a SaaS provider to investigate because it involves a much smaller set of security requirements for cloud systems that meet certain criteria. Eligible SaaS systems must not contain personally identifiable information (PII) other than login information, cannot be hosted in an IaaS/PaaS that is not FedRAMP authorized, and must be categorized as Low impact. It’s this last criterion that is often challenging for CSPs.
When FedRAMP refers to Low impact, it has a very specific, technical meaning. That meaning is defined by a set of documents, in particular FIPS Publication 199 and NIST SP 800-60. The process that CSPs must follow is described in a SecureIT blog on “The FIPS 199 Categorization of Cloud Systems for FedRAMP.”
Ultimately, it is the Federal agency customer that determines the impact level or categorization of the system based on the data that is stored, processed, or transmitted within it. Because the data belongs to the Federal agency customer, their assessment of the impact is the only one that matters. Transparency between CSPs and their customer agencies is critical for ensuring the system is properly categorized to meet the needs of those agencies. Therefore, we recommend that a CSP considering the FedRAMP Tailored LI-SaaS program discuss the system categorization level with prospective customer agencies to ensure that there is consensus regarding Low impact.
Some SaaS systems provide generic services that can accommodate a wide range of data types. For example, cloud-based content management systems like Box, Dropbox, etc. are data agnostic and could conceivably be used to store any type of data. Some CSPs might wish to obtain a Tailored authorization to get their foot in the door of FedRAMP in order to make it easier to market their products. CSPs should keep in mind that systems with LI-SaaS authorizations can only be used by agencies for low-risk use cases. The vast majority of Government data is categorized as Moderate impact, which means that this data cannot be stored within a system that only has a Low impact SaaS authorization. For this reason, CSPs that take this approach will likely need to obtain a Moderate impact FedRAMP authorization eventually in order to significantly expand their market within the Federal Government.
For more information on FedRAMP Tailored in general, see SecureIT’s FedRAMP Tailored LI-SaaS Success Planning Guide.