The General Services Administration (GSA) announced Sept. 28 the launch of the FedRAMP Tailored Baseline for Cloud Service Providers (CSPs) with Low-Impact Software-as-a-Service (LI-SaaS) Systems.
FedRAMP Tailored supports solutions that are low risk and low cost for agencies to use. FedRAMP Tailored creates a streamlined process for applications like collaboration tools, project management applications, and tools that help develop open-source code. FedRAMP Tailored also creates a standardized approach to determining the risks associated with authorizing cloud applications, and uses industry input to provide the government with the agility to deploy services while maintaining appropriate security controls.
FedRAMP Tailored was available for public comment in February and again in July.
FedRAMP Tailored provides a minimum set of security control requirements for industry to meet. Agency authorizing officials are responsible for adding security controls where agency-specific policies require them.
“However, we believe the FedRAMP program, including our goals for Tailored, is a key part of issuing an informed, risk-based authority to operate,” GSA said in a statement.
To be considered a FedRAMP Tailored LI-SaaS cloud service, the answer to all of the following questions must be “yes”:
- Does the service operate in a cloud environment?
- Is the cloud service fully operational?
- Is the cloud service a Software-as-a-Service (SaaS), as defined by NIST SP 800-145, The NIST Definition of Cloud Computing?
- Is the cloud service free of personally identifiable information (PII), except as needed to provide a login capability?
- Is the cloud service low-security-impact, as defined by FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems?
- Is the cloud service hosted within a FedRAMP authorized infrastructure?