Last Updated on March 16, 2023
FedRAMP, the Federal Risk and Authorization Management Program, is the gateway to selling cloud services to US government agencies. To be awarded a FedRAMP Authority to Operate (ATO), most cloud service providers (CSPs) need to take one of two routes: agency sponsorship or a Joint Authorization Board (JAB) assessment. These exacting processes grant authorizations at one of three “impact levels,” Low, Moderate or High, matching the FIPS 199 categorization of the data the system handles.
But for cloud services that qualify as “low-risk”—so-called Low-Impact Software-as-a-Service (LI-SaaS) offerings—there’s a quicker, more streamlined process: FedRAMP Tailored. This program was created to “…reduce the time, money and effort for agencies to approve low-impact systems for use, while maintaining compliance with applicable Federal laws, policies, and mandates.”
What exactly is FedRAMP Tailored? How does it work and who can take advantage of it?
To deep-dive into the realities of FedRAMP, we asked Stephen Halbrook, Partner and government compliance lead at Schellman & Co., to join a recent episode of The Virtual CISO Podcast.
Steve explains how FedRAMP Tailored works: “FedRAMP Tailored or Low-Impact SaaS are used interchangeably. There are roughly 35 controls that get assessed for that [authorization level]. There’s no penetration test and it is by far the fastest path to authorization. So if a CSP has an agency sponsor that’s willing to provide sponsorship at FedRAMP Tailored, they can move very quickly through the assessment process to authorization.”
“We [Schellman] have clients that have a very successful commercial offering and they want to deploy a federal dedicated instance at the Moderate baseline. But they have prospective agency clients that want to use that commercial offering, so they’ll take that commercial offering through FedRAMP Tailored while they’re spinning up their Moderate environment that’s dedicated. Get authorized, get people using and paying for that service, and then pivot over to the Moderate baseline.”
Steve most commonly sees FedRAMP Tailored used as a stepping stone: it gets a CSP in the federal door while the CSP builds out a dedicated environment that can pass the more stringent Moderate assessment. Examples of solutions that might qualify for FedRAMP Tailored/low-impact SaaS include collaboration tools, project management applications and open-source development tools.
“It’s worth noting that there are five or six criteria to be eligible for FedRAMP Tailored or low-impact SaaS, and that often weeds out providers from qualifying to go through the FedRAMP Tailored or low-impact SaaS path. And then, is the agency comfortable providing sponsorship at that [low-security] level?” Steve notes.
What are those FedRAMP Tailored criteria?
“They would have already met the NIST definition of cloud computing to be eligible for FedRAMP,” says Steve. “And then it’s things like are they leveraging a FedRAMP authorized IaaS provider? Is their system designed to ingest PII [personally identifiable information]? Can it operate without the requirement of ingesting PII? Often where we’ll see clients fall out of qualifying for low–impact SaaS is that PII qualifier.”
If your service stores or processes PII beyond the username, password and/or email address needed to log a user in, it won’t qualify for FedRAMP Tailored. In this context, PII covers virtually any data element that would allow an individual or household to be directly identified—not just sensitive identifiers such as Social Security numbers or bank account numbers, but also things like a home address, names of children or pets, etc. Because the login-credential exception is the only one, CSPs should inventory every field their service collects before assuming they qualify.
If your CSP would like to sell to federal agencies, this podcast show with Stephen Halbrook is an ideal “deep briefing” full of real-world details and insights.
To listen to the full episode, click here. If you don’t use Apple Podcasts, you can access all the shows in the podcast series here.