FedRAMP launches streamlined approvals for low-impact services

The Federal Risk and Authorization Management Program is now offering FedRAMP Tailored, a faster approval process for cloud service providers with low-impact software-as-a-service offerings.

The new baseline is based on a minimum set of security controls and designed to get applications to federal agencies in as little as four weeks. In an effort to ease the barrier to entry for CSPs, the baseline provides guidance on each of the security controls to help new vendors bring their technology into the government space.

"We want to make sure that the security for these systems is commensurate with the sensitivity of data in these systems," said FedRAMP Director Matt Goodrich. "We are looking at low-impact and low-risk use cases to help with things like communication, project management and open-source code development."

FedRAMP Tailored trims number of security controls from 125 to 36, which Goodrich hopes will lower the front-end costs for vendors who want to do business with the federal government. Goodrich said he sees the most interest in the new baseline coming from companies currently doing business with individual agencies but not an enterprise-level scale. 

The controls are based on requirements from the National Institute of Standards and Technology's Federal Information Processing Standards Publication 199 that are already in use by FedRAMP for low-, moderate- and high-impact cloud service provider baselines. 

The FedRAMP Tailored baseline for low-impact services is only the first of the program's efforts to adapt NIST's security controls for different types of systems based on use cases.

"The NIST framework allows us to tailor the security controls for systems based on the type of information going into them," Goodrich said. "We envision that there will be more tailored baselines coming out in the future." 

More information on the FedRAMP Tailored baseline requirements can be found here.

This article originally appeared in GCN.