In the past, we’ve talked a lot about the various FedRAMP guidelines required to reach either a single-agency Authority to Operate (ATO) or a generalized Provisional Authority to Operate (P-ATO).
One thing common to all of these discussions is that, in general, you’re talking about the FedRAMP Moderate impact level when you discuss these standards and certification processes. This is because around 80% of cloud service providers and offerings are classified as Moderate impact.
High-impact services have even more stringent requirements. But, since services classified as high impact are generally well aware of these additional requirements and are often working closely with the government to develop their security standards in the first place, there isn’t much extra that needs to be said.
So, what about the other side of the coin? If there’s a high impact and a moderate impact, that implies the existence of a low impact. Indeed, low impact is a thing, but there are actually two versions: the standard Low Baseline and the Tailored LI-SaaS baseline. Today, we want to discuss the Tailored baseline.
The overall goal of FedRAMP is to provide a framework for security for any cloud service offering that the federal government or any of its agencies or contractors want to use. This standardizes security such that everyone involved can be relatively confident that they’re living up to a minimum baseline and that attempts to breach their security will fail.
The government recognizes, however, that different kinds of cloud service providers pose different levels of risk. A bank vault full of gold has a different level of security than a home safe, which has a different level of security than the mailbox out front.
At the High impact level, a service is providing some deep, root-level access to government systems, or hosting data that is critical to government operations, where a compromise could devastate large regions of a state or the country. If you check the FedRAMP Marketplace, CSPs with a High authorization include entities like Palantir’s cloud services, Google’s VMware Engine and Workspace for Government, IBM’s Government Cloud, and Slack’s GovSlack government service.
As mentioned above, some 80% of authorized CSPs fall into the Moderate baseline, which includes pretty much anything that can touch controlled unclassified information but doesn’t have deeper access or full data.
For obvious reasons, all of these higher baseline entities need to fulfill the full list of security controls to gain certification and the ability to work with the government.
There’s one problem here.
What happens when a government agency wants to use a cloud service for something with virtually no risk or impact? Something like a customer service portal that can access and return public knowledge base information to customers, a SaaS platform that manages record-keeping for government electric vehicle charging, or a CMS for blogging? The compromise of these systems could be irritating and inconvenient, but there are no serious impacts on state-wide or national security, critical government information, or anything else.
The companies providing these services could be perfectly secure for their impact level, but they don’t want to go through the full auditing, penetration testing, and documentation process needed for certification. It’s a lot of work for comparatively little reward, and when the risk is so low, many of these entities simply don’t want to worry about it.
In response to the realization that a one-size-fits-all process wasn’t working at the lower baseline levels and that government agencies often found it hard to find certified and accessible businesses to handle these projects, FedRAMP created a new baseline: Tailored LI-SaaS.
This does not replace the Low baseline, which still requires the full certification process. Tailored LI-SaaS, or just Tailored for short, is a shorter and less detailed process to obtain certification.
“FedRAMP Tailored was developed to support industry solutions that are low risk and low cost for agencies to deploy and use. Tailored policy and requirements provide a more efficient path for Low Impact-Software as a Service (LI-SaaS) providers. The LI-SaaS Baseline accounts for Low-Impact SaaS applications that do not store personal identifiable information (PII) beyond that which is generally required for login capability (i.e. username, password, and email address). Required security documentation is consolidated and the requisite number of security controls needing testing and verification is lowered relative to a standard Low Baseline authorization. While all requirements identified in the FedRAMP Low Baseline are required, FedRAMP Tailored identifies those requirements typically satisfied by a LI-SaaS customer, or underlying service provider, allowing the provider to focus only on relevant requirements. Further, FedRAMP Tailored allows agencies to independently validate only the most important of these requirements.”
In other words, LI-SaaS exists as a way to streamline and prune back the certification process for cloud services that otherwise don’t deal with much or any protected information but are still useful to the government.
The examples above, such as a WordPress blog, the electric vehicle charging system, and the customer service portal, are all real examples of LI-SaaS-authorized services on the FedRAMP Marketplace. Collaboration tools, project management apps, open-source development tools, media editing tools, public-facing CMS platforms, and training/education platforms are all commonly eligible for Tailored LI-SaaS certification.
We’ve danced around it, but what are the specific benefits of seeking Tailored LI-SaaS certification over something like plain Low or Moderate impact certification?
The biggest benefit is a huge saving in time and effort across compliance, certification, and security work.
Tailored essentially means that your CSP can go through the full list of security controls and categorize each one as to whether or not it is relevant to your SaaS application. Controls that are not relevant can be ignored.
Moreover, most of the security controls you still need to implement can be self-attested. Only 37 of the security controls are required or conditionally required and thus need third-party testing; the rest can be self-attested as implemented. There may be more than that number, but 37 is the general minimum. In practice, the combined total of assessed and self-attested controls is closer to 50.
Compare this to FedRAMP Low, which has 125 controls; Moderate, which has 325 controls; and High, which has 421 controls, and you can see how much faster and easier certification can be.
There are also a variety of ways that the entire process is streamlined.
It’s better for the government because the government can encourage small-scale and lower-than-low-impact SaaS offerings to certify and be used with the government, rather than trying to force them through a lengthier and more costly process.
In order for a service to be considered eligible for Tailored status, it needs to meet six criteria.
Most of these are typical, low bars to clear. The only tricky ones are being a valid SaaS rather than PaaS or IaaS and being hosted on a FedRAMP Authorized infrastructure. Fortunately, major cloud hosts like Azure, AWS, and Google all have FedRAMP Authorized versions, so it’s often a simple matter to upgrade to the relevant version of the platform.
The biggest stumbling block is typically harvesting PII as part of operations. Many CSPs harvest PII as a matter of course, even though they don’t really need it for operations. Removing it can allow them to qualify for Tailored LI-SaaS certification, but leaving it in means they will likely need to aim for Moderate, even if they otherwise wouldn’t need to. Remember, PII doesn’t have to be things like social security numbers; it can be as simple as addresses, names of pets, and other things that are commonly used as answers to security questions.
All of this comes with the caveat that the CSP must have an agency sponsor, like most FedRAMP authorizations. The agency must be comfortable working with a low-impact service and sponsoring them for an ATO.
For a full rundown of FIPS 199 and what it means to be Low Impact according to its definitions, you can check our resource guide here.
Once the CSP is determined to be eligible for LI-SaaS tailoring, they can go through and identify the security controls that are required, the ones that are conditionally required and if they apply, and the ones that can be ignored entirely. There are then three steps to the process.
First, the CSP must implement the security controls. Documentation in FedRAMP Tailored templates details how to do this for individual controls. For the most part, this will all be relatively simple, especially if the CSP is already following industry best practices for security, identity verification, and other protective processes.
One quirk of this step is that some security controls will not be the responsibility of the CSP but rather of the agency they would be working with. These controls must be clearly delineated and outlined.
Second, an independent third-party assessment organization, or 3PAO, will need to perform an assessment of the necessary security controls. Unlike Low/Moderate/High impact, where all security controls need to be audited and assessed, only around 36 controls are in the Required categories, and not all of them are likely to apply. This means the job of the 3PAO is much faster and easier, because there’s less to check.
If the CSP passes, the 3PAO can authorize them. The remaining relevant security controls can be self-attested by the CSP. Note that this is definitely taken seriously; if the CSP self-attests and is found to be lying, it can result in fines and even criminal penalties. Tailored Low-Impact may be lower than Moderate impact, but it’s still higher than the free-for-all that is non-governmental private sector work.
The final step of the process is continuous monitoring. ConMon is a key part of every FedRAMP authorization, from High impact down to LI-SaaS. The CSP’s continuous monitoring results must be reported to their authorizing official for continued validation.
If a CSP is looking to upgrade from Tailored LI-SaaS to Low or even Moderate certification, there’s a process in place to allow it. First, your sponsoring agency must approve it. If your current sponsor won’t approve it, you will need to find a new sponsor.
Second, you will need to fill out a Significant Change Request (SCR) form. In this, you will need to outline the additional security controls and requirements you’d need to upgrade. You then undergo the full assessment process as you would if you were getting the certification in the first place.
Certainly! Achieving any ability to work with the government is good in two ways. First, it grants you access to a potential variety of possibly lucrative government contracts. Second, it serves as a “foot in the door” for a gradual increase in security posture and capability over time if that’s something you desire. Operating under a defined security framework, even at the lowest possible impact level, is often a good thing for any service provider.
If you’re interested in a robust way to track your relevant security controls, the Ignyte Platform can help. We developed it as a way to streamline and speed up collaborative auditing and analysis processes, and it’s available for you to try. Book a demo today to see what it can do for you!
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/fedramp/what-is-fedramp-tailored/