By David Trout
A recent GAO report found that “from June 2017 to July 2019, the number of authorizations granted through FedRAMP by the 24 agencies increased from 390 to 926, a 137 percent increase.” Although the same report found that some agencies did not consistently use FedRAMP-authorized cloud services, the data indicates growing momentum in the government’s shift to cloud services.
To differentiate risk levels and match the rigor of the authorization process to them, FedRAMP offers a Tailored authorization option for CSPs providing Low-Impact Software-as-a-Service (LI-SaaS) products. FedRAMP Tailored is intended for low-risk applications such as collaboration tools, project management applications, and tools that support open-source development. It was designed to make such applications available to US federal agencies through targeted compliance: the set of controls required for authorization is tailored to the low-impact use case, as explicitly allowed by NIST SP 800-53 Revision 4.
While FedRAMP Tailored offers time and cost savings for LI-SaaS providers, the path to authorization still presents challenges. The number of controls has been reduced and the documentation requirements have been consolidated into a single document, but CSPs must still implement the required controls, write the documentation, and, most importantly, state clearly which controls they inherit from underlying providers and how those inherited controls are implemented. After achieving authorization, CSPs must continuously monitor security, report incidents to sponsoring agencies in a timely manner, and schedule and perform annual assessments. Like other compliance initiatives, FedRAMP Tailored is a sustained security program requiring dedicated resources that CSPs may struggle to provide in-house.
To learn more about FedRAMP Tailored and how third-party advisory and assessment services can help CSPs achieve authorization more effectively, contact us today and look for SecureIT’s upcoming LI-SaaS Success Planning Guide for FedRAMP Tailored.