Whether you’re a techie or not, we all have a shortlist of software applications we’d like to use at work — if only our friends in the IT department would allow it.
Many of those applications are easily accessible over the internet, and they’re often low- or no-cost. But they can cause major headaches for IT staff when employees use them under the radar, earning the reputation of being shadow IT because agencies don’t know they own them, or where those applications reside, or who’s using them and how they are paying for the resources.
One of the challenges for agencies is that the federal program created to secure these and other cloud services, FedRAMP, forced agencies to use a one-size-fits-all approach to secure a wide range of applications. Sure, there are already three different levels of FedRAMP requirements for securing low-, moderate- and high-impact cloud systems, but what about apps that are super low-risk?
In fact, agencies are already using a variety of low-cost, low-risk Software-as-a-Service applications to meet their business needs, such as collaboration, project management, open source code development and system performance monitoring.
But they need the appropriate set of security measures to secure those low-risk apps, according to federal cloud security standards. Think of it this way, would you use the same money, energy and effort to secure your brand new Cadillac Escalade as you would an inexpensive bike? I think not.
To help agencies meet their evolving security needs, FedRAMP (Federal Risk and Authorization Management Program) is working to launch a new baseline to secure these low-risk, SaaS apps in a standard way. Called FedRAMP Tailored, this new baseline is based on a subset of the security requirements already used for securing the government’s higher-risk systems.
The new baseline is currently in draft form, but the goal is to release a final version by the beginning of August. There will be another shorter round of public comments before then.
“We talked to the government agencies and constituents and even our vendors, realizing that there was a lot of usage already across the U.S. government of these types of services, and so we wanted to make sure that we created a framework by which FedRAMP was enabling the correct usage of these services and sort of drive out shadow IT into actually compliant use of services,” FedRAMP Director Matt Goodrich said during a recent webinar.
The FedRAMP program office believes that the FedRAMP Tailored process can take as little as four weeks to complete, ensuring that vendors meet the requirements and complete the appropriate documentation. Because FedRAMP Tailored ensures the level of security aligns with the level of risk that SaaS applications pose to the government, there are fewer security measures that vendors have to meet, which means time and cost savings.
Goodrich expects this new FedRAMP offering will open new opportunities for a portion of the cloud service provider market that was underserved and unable to securely provide their services to the federal government.
A draft of the FedRAMP Tailored baseline is available for public comment until April 24. The program office is also hosting a comment-a-thon on April 18 in Washington, D.C., where attendees can provide feedback and participate in small group discussions. There will be accommodations for virtual attendees.
Goodrich stressed that the program office wants to hear positive comments about what works and feedback on areas where the draft baseline falls short. His team is using GitHub, an open source development platform, to create a dialogue where feedback can be discussed.
Here are some of the drafted criteria that will enable agencies to determine which cloud services may qualify for FedRAMP Tailored. They must answer “yes” to these questions:
1. Does the service operate in the cloud?
2. Is the cloud service fully operational (e.g. not under development)?
3. Is the cloud service a Software application (SaaS), rather than Infrastructure (IaaS) or a Platform (PaaS)?
4. Can the cloud service provide services without requiring the collection of personally identifiable information (PII)?
5. Is the cloud service low-security-impact, according to the FIPS 199 definition?
6. Is the cloud service hosted within an existing FedRAMP authorized infrastructure?
Some vendors have already shared concerns about requirements under the draft FedRAMP Tailored guidelines that SaaS solutions be hosted on FedRAMP-approved infrastructure. The intent, Goodrich said, was to ensure that the underlying infrastructure is secure and not vulnerable to attackers. But his team is open to hearing alternative ways to achieve the same outcome. That’s why feedback is needed, Goodrich said.
“The intent is not that we are pushing all providers into FedRAMP-authorized infrastructures or platforms,” he said. “The intent is that it’s being hosted within a secure infrastructure and not being hosted in Bob’s basement out in Herndon.”