We are excited to announce that the next iteration of the FedRAMP Tailored baseline is available for public comment! This second round of public comment will end on July 28th, 2017 and we look forward to your feedback as we finalize this new policy.
FedRAMP Tailored was originally released for public comment earlier this year, and we received over 330 comments and reactions. Each was reviewed by the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB) teams, and a response to each high-level conversation topic (or “issue,” as GitHub labels them) has been provided. You can view FedRAMP’s responses by visiting the GitHub comment repository. You can also download the initial documents of the FedRAMP Tailored baseline from the GitHub repository.
In reviewing the comments, several topics generated significant discussion, and the baseline has been updated accordingly.
Personally Identifiable Information (PII)
There were many comments around the threshold for PII and how merely having a login can disqualify systems from Tailored.
FedRAMP has updated the policy to allow PII only at the minimum necessary for login purposes and is encouraging providers to use pre-existing government directory services or an external authentication directory when requiring a login.
Continuous Monitoring (ConMon)
The ConMon section of the policy was still under development during the last round of public comment and we received a lot of questions and comments on how ConMon will work for FedRAMP Tailored.
An appendix on ConMon has now been developed and clearly lays out the policy.
Attestation
We received a lot of questions indicating that we could have been clearer about the attestation process.
The updated baseline includes more information around when and how the attestation is delivered and a template with specific statements so it is clear what the Cloud Service Provider is attesting to for each control.
Scope
We received a lot of comments regarding the current scope of FedRAMP Tailored.
Through this round of updates, the scope of the baseline remains low-impact SaaS systems, with the exception of the provision for PII in logins/authentication, which will be allowed.
If you have additional comments about these updates or other elements of the FedRAMP Tailored baseline, please review the updated policy here and share your thoughts with us through our GitHub site. We have pre-created topic areas for you to comment on, but feel free to create a new “issue” if your feedback doesn’t fit into one of these areas.
After we have collected and reviewed this final round of public comments, the FedRAMP PMO will finalize the baseline in conjunction with the JAB. We plan to release the final version of FedRAMP Tailored by the end of the summer.
Thank you for your participation as we continue to improve FedRAMP and our partnership with the cloud community. We look forward to hearing your thoughts!