Page 12 - GCN, May 2017

\[Briefing\]
FedRAMP tailors approval process for low-risk apps
BY SARA FRIEDMAN
The Federal Risk and Authorization Management Program is crafting new approval criteria for software-as-a-service vendors whose offerings are considered low-risk under a new process called FedRAMP Tailored.
FedRAMP, the cloud-security framework run by the General Services Administration, currently has three sets of baseline requirements for low-, moderate- and high-impact cloud services. The authorization process can take months, however, even for low-impact services.
“It became clear that our traditional one-size-fits-all security baseline has not worked particularly well... for many of our government constituents,” FedRAMP Director Matt Goodrich said.
Companies that seek qualification under FedRAMP Tailored must be able to answer “yes” to the following questions about the cloud service in question:
1. Does the service operate in the cloud?
2. Is the cloud service fully operational?
3. Is the cloud service a SaaS rather than infrastructure- or platform-as-a-service?
4. Can it provide services without requiring the collection of personally identifiable information?
5. Is the cloud service low-security impact?
6. Is the cloud service hosted within an existing FedRAMP-authorized infrastructure, where pre-existing controls and validations can be inherited?
The FedRAMP Tailored draft policy also specifies a minimum set of security controls for low-risk applications based on the National Institute of Standards and Technology’s recommended baseline requirements. Agencies, however, may decide what controls they need to make the process easier for low-impact cloud providers based on the types of services they use.
“Agencies will be doing a good percentage more of the work during the assessments to reduce the cost — not only for vendors but also to reduce the cost for agencies to begin to use a service,” Goodrich said. “I think that many agencies will take on the assessment work because it will help them not only speed up their time frame but also for vendors as well.”
The initial public comment period for FedRAMP Tailored closed on April 24. Revised guidelines based on that feedback will be posted for further comment in early June. •
IBM launches blockchain as a service
BY SUSAN MILLER
IBM has announced enterprise-ready blockchain services that will allow developers to quickly build and host blockchain networks on the IBM Cloud.
IBM Blockchain is based on the Linux Foundation’s Hyperledger Fabric Version 1.0, which provides a framework for building blockchain networks that can be quickly scaled and support more than 1,000 transactions per second in large ecosystems of users.
Several financial services clients — from startup Everledger to established institutions such as Northern Trust and the Bank of Tokyo-Mitsubishi UFJ — are currently running their blockchain applications on the IBM Cloud, the company said.
IBM also announced blockchain governance and open-source developer tools that automate the steps it takes to build with the Hyperledger Fabric.
The new governance tools let developers set up a blockchain network and assign roles and levels of visibility from a single dashboard. Network members can set rules, manage memberships and enforce compliance once the network is up and running, officials said.
IBM Blockchain for Hyperledger Fabric v1.0 is now available through a beta program on IBM Bluemix. It is also available for free download on Docker Hub as an IBM-certified image. •
ZAID HAMID

































































