GSA Releases FedRAMP Tailored for Low-Risk Solutions

The General Services Administration (GSA) announced Sept. 28 the launch of the FedRAMP Tailored Baseline for Cloud Service Providers (CSPs) with Low-Impact Software-as-a-Service (LI-SaaS) Systems.

FedRAMP Tailored supports solutions that are low risk and low cost for agencies to use. FedRAMP Tailored creates a streamlined process for applications like collaboration tools, project management applications, and tools that help develop open-source code. FedRAMP Tailored also creates a standardized approach to determining the risks associated with authorizing cloud applications, and uses industry input to provide the government with the agility to deploy services while maintaining appropriate security controls.

FedRAMP Tailored was available for public comment in February and again in July.

FedRAMP Tailored provides a minimum set of security control requirements for industry to meet. The agency authorizing officials have the responsibility to add security controls if they’re required to comply with agency-specific policies.

“However, we believe the FedRAMP program, including our goals for Tailored, is a key part of issuing an informed, risk-based authority to operate,” GSA said in a statement.

To be considered a FedRAMP Tailored LI-SaaS cloud service, the answer to all of the following questions must be “yes”:

  1. Does the service operate in a cloud environment?
  2. Is the cloud service fully operational?
  3. Is the cloud service a Software-as-a-Service (SaaS), as defined by NIST SP 800-145, The NIST Definition of Cloud Computing?
  4. Does the cloud service contain no personally identifiable information (PII), except as needed to provide a login capability?
  5. Is the cloud service low-security-impact, as defined by FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems?
  6. Is the cloud service hosted within a FedRAMP authorized infrastructure?