Since FedRAMP introduced the Tailored baseline for Low-Impact Software-as-a-Service (Li-SaaS) in 2017, 11 cloud services at 10 Federal agencies – accounting for 25 percent of all services authorized in 2018 – have achieved Tailored authorizations. That track record has allowed the project management office (PMO) to identify best practices for Cloud Service Providers (CSPs) and agencies that may consider a FedRAMP Tailored authorization.
According to a FedRAMP blog post, the Tailored services “were authorized in a median of 90 days – a 50 percent reduction relative to FedRAMP’s other baselines.”
Among the best practices gleaned in the time since its introduction:
- Form public and private partnerships;
- Define the authorization boundary;
- Provide transparency into SaaS’ security;
- Describe how security requirements are met;
- Develop mature processes;
- Enroll the right stakeholders; and
- Engage the PMO.
The Tailored baseline for Li-SaaS allows agencies to define the use case for SaaS services, evaluate risk, and tailor security requirements, according to the blog post. FedRAMP Tailored emphasizes risk management, consolidates documentation, meets demand for low-risk SaaS, and enables faster timelines.