Not at all. In accordance with FISMA, the FedRAMP program is about identifying outstanding risks to allow the Federal agencies to make informed risk-based decisions about whether to use a system or not. For this reason, a CSP that doesn’t fully meet all of the requirements in the FedRAMP baseline does not per se “fail” the assessment. Any deficiencies in the controls are simply reported to Federal agencies for their evaluation.

The FedRAMP Tailored program for Low Impact SaaS CSPs is less rigid. For all other assessments, FedRAMP requires that the 3PAO assessor recommend to the Federal agency (or the JAB) that the system be granted an authorization. That means the 3PAO cannot submit the final assessment report unless it is comfortable recommending that the cloud system be authorized. In contrast, the FedRAMP template for Tailored LI-SaaS systems does not require the 3PAO assessor to recommend authorization. For LI-SaaS systems, the assessor merely reports their findings and the outstanding risk for consideration by the agency’s authorizing official.

Furthermore, because the systems are low impact and don’t involve PII, agencies have more flexibility to accept risk. LI-SaaS CSPs are not required to fully implement the controls in the template and can implement alternative controls, as long as any gaps in the controls and the associated risks are fully disclosed by the CSP. The FedRAMP Tailored LI-SaaS Baseline Worksheet itself clarifies what the requirement to “Document and Assess” actually entails: “This does not mean that a vendor will necessarily have each control fully implemented or implemented as stated.” However, CSPs “must address how they meet (or don’t meet) the intent of the control” so that the assessor can perform the assessment more effectively. CSPs must also “detail any risks associated with the implementation” when documenting the controls in the template.

The additional flexibility in the FedRAMP Tailored program for LI-SaaS systems means that there are no absolute requirements. As a practical matter, however, there are some controls that most agencies will insist be implemented, even for LI-SaaS. LI-SaaS CSPs should consider engaging a 3PAO or FedRAMP SME as an advisor to ensure that they have a solid control implementation for at least these controls.

For more information on FedRAMP Tailored, see SecureIT’s FedRAMP Tailored LI-SaaS Success Planning Guide.