GSA / fedramp-tailored

FedRAMP Tailored.
https://tailored.fedramp.gov

Criterion 2. Is the cloud service fully operational? -- elaborate a bit #43

Closed MartinFSmith closed 7 years ago

MartinFSmith commented 7 years ago

SUGGEST: it may be worthwhile to add a few sentences that would clarify where FedRAMP expects applicants for FedRAMP Tailored to come from.

- The criterion excludes newly developed but not "operational" (i.e., deployed) services.
- If an application is a Federal-use service already operational in a Public Cloud, presumably it has somehow received a Federal Agency ATO. Why would they want to move to a (generally more expensive) FedRAMP environment?
- This appears to leave as FedRAMP Tailored candidates ONLY Federal-use systems currently deployed in Private Cloud environments. Many of these are, as we know, "CINO" -- Cloud In Name Only -- environments. And this seems a pretty limited market anyhow. What's the point of limiting FedRAMP Tailored candidates to this set only?

konklone commented 7 years ago

> If an application is a Federal-use service already operational in a Public Cloud, presumably it has somehow received a Federal Agency ATO. ... This appears to leave as FedRAMP Tailored candidates ONLY Federal-use systems currently deployed in Private Cloud environments.

This isn't the intent -- FedRAMP Tailored candidates are commonly used commercial software-as-a-service applications. If the criterion isn't making that clear, suggestions are welcome.

MartinFSmith commented 7 years ago

Eric -- thanks for the response! I think your own language ("FedRAMP Tailored candidates are commonly used commercial software-as-a-service applications.") would be helpful. However, to me it raises another question: are these services "commonly used" now as (or as part of) Federal systems (meaning systems that maintain data that's collected by or maintained by Federal agencies)? If so, why would the commercial-services providers need to go through the FedRAMP Tailored process? If they are not being used by Federal agencies (for lack of security authorization), then maybe I'd suggest this slight modification:

"FedRAMP Tailored candidates are commonly used commercial software-as-a-service applications that are not yet authorized for use as (or as components of) Federal systems."

FedRAMP commented 7 years ago

Thank you for your comments. The Federal Government has identified many systems that fit the LI-SaaS criteria of FedRAMP Tailored, where the cost of a traditional risk assessment is cost-prohibitive for government adoption. FedRAMP Tailored was designed to address this type of system and situation. Other systems may not fit this model. If we see a trend of similar systems that don't qualify for a single reason, we will evaluate a revision or variation of FedRAMP Tailored.

cbukovac commented 7 years ago

Closed in preparation for V2 release