FedRAMP’s Tailored Baseline is Here
The program offers a faster, cheaper path for certifying low-risk cloud services for agencies.
In as little as four weeks, the federal government will be able to vet certain cloud service offerings and approve them for agency use.
On Thursday, the Federal Risk and Authorization Management program office revealed its new Tailored Baseline, designed to accommodate low-impact software-as-a-service solutions agencies are increasingly seeking to manage low-risk information.
FedRAMP has spent nearly a year developing its Tailored Baseline, incorporating feedback from agencies, vendors and stakeholders, and the final product is “as efficient and cost-effective as possible” for companies and government customers, said FedRAMP Director Matt Goodrich.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
“The security of systems is commensurate with the level of sensitivity of the systems,” Goodrich said on a conference call with reporters.
Goodrich said the Tailored Baseline is applicable to low-risk data—data that would not significantly impact the mission of an agency if it were breached or hacked—which accounts for as much as 15 percent of all data on federal networks. This low-risk data includes things like open-source code development or communications software, Goodrich said.
Prior to the Tailored Baseline, cloud vendors offering solutions around this low-risk data would still have to have their solutions vetted through a “one-size fits all” process that could take months and cost hundreds of thousands of dollars. Goodrich referenced a recent industry report that suggested companies spent up to six months and between $300,000 and $700,000 to have a solution vetted at the FedRAMP Moderate Baseline, which includes some 325 security controls.
Conversely, FedRAMP’s Tailored Baseline has 36 controls, and Goodrich said vetting should take between four and eight weeks. No companies have used the new baseline yet, but Goodrich expects vendors to appreciate the rapid timeline. Early last year, industry criticized FedRAMP when accreditations began taking in excess of a year, and in one case, cost a company $1 million to complete.
“I would venture to argue [Tailored] will be much, much cheaper,” Goodrich said. “You’re only looking at roughly 10 percent of the controls than FedRAMP Moderate and 20 percent of the time to complete. We’re hoping it’s going to be very reasonable for vendors and government customers.”
Goodrich said the Tailored Baseline is FedRAMP’s first foray into creating standards for unique cases but necessity could dictate future baselines.
“It really will depend on what we hear from our vendors and customers,” Goodrich said.