The LI-SaaS Path to a FedRAMP Authorization


BLUF - Bottom Line Up Front

Getting a FedRAMP LI-SaaS ATO can be complex, costly, and time-consuming. LI-SaaS needs only 37 controls, a significant reduction from other levels. Answer Yes to six specific questions to qualify. Ignyte has helped organizations save an average of $85,000 and six months on federal authorizations. LI-SaaS is not suitable for the Department of Defense, and additional controls may be required based on specific agency needs.

There are four key takeaways in this post:

  1. Getting a FedRAMP LI-SaaS ATO can be prohibitively complicated, expensive, and time-intensive.
  2. Low-impact SaaS applications only have to implement 37 controls.
  3. There are 6 questions you have to answer Yes to in order to ‘qualify’ for LI-SaaS.
  4. Ignyte has saved organizations an average of $85,000 and 6 months on their federal authorizations.

So many great software and cloud-based organizations turn away from working with the US Government because the authorization to operate (ATO) processes are prohibitively complicated, expensive, and time-intensive.

As the FedRAMP website says,

“FedRAMP Tailored was developed to support industry solutions that are low risk and low cost for agencies to deploy and use.”

The goal is to allow companies to concentrate on controls that are the most important and provide the most assurance of security.

The solution

If you have a simple web application, acquiring an ATO can be fast-tracked using the Low Impact-Software as a Service (LI-SaaS) Tailored FedRAMP Profile (FedRAMP LI-SaaS).

Controls by impact level:

  • High impact = 421
  • Moderate impact = 325
  • Low impact = 125
  • LI-SaaS = 37

Why you should care

The clear advantage of this impact level is that the number of controls you have to implement and monitor is significantly reduced.

To put it in more tangible terms, the difference between 421 controls and 37 is potentially hundreds of thousands of dollars if not millions. It is also the difference between a 12-month time horizon and 2 months.

Who can take advantage of the LI-SaaS option?

The official FedRAMP LI-SaaS requirements document tells us that if you can answer Yes to the following questions, then your solution is a prime candidate for LI-SaaS:

  1. Does your software operate in a cloud environment?
  2. Is it fully operational?
  3. Is it a software as a service as defined by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145? That is:
    1. The application is accessible from various devices, and
    2. The consumer doesn’t manage or control the underlying cloud infrastructure.
  4. Does your software contain zero PII except information needed for login?
  5. Is your software low-security-impact as defined by the Federal Information Processing Standard (FIPS) 199? That is:
    1. The loss of confidentiality, integrity, or availability would have a limited adverse effect.
  6. Is your solution hosted in a FedRAMP authorized platform or infrastructure as a service (PaaS/IaaS); or does the cloud service provider control the underlying cloud infrastructure?

Answer Yes to all these questions and an entirely new market worth billions of dollars could be available to you.

Other caveats to consider

If your target government customer is the Department of Defense, then LI-SaaS is likely a nonstarter. Anyone trying to break into the defense industrial base (DIB) is looking at an impact level of at least FedRAMP Moderate. This is due to the constraints placed on Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

As with all other impact levels, LI-SaaS comes with a minimum set of controls. This means that agencies can still require you to implement additional controls depending on their policies, procedures, and risk tolerances.

If your software uses an underlying service provider, then you have to be sure that it is implemented in a FedRAMP-authorized system with either a provisional authorization (P-ATO) or an agency ATO.

If you provide both the software and the underlying infrastructure, certifications such as ISO 27001 or SOC 2 Type 2 may be accepted on a case-by-case basis.

Ignyte can help

If that seemed like gibberish to you, know that you’re not alone. It’s no secret that FedRAMP LI-SaaS is intimidating, and we are no stranger to its difficulties.

However, our practiced and proven hands can help. At the time of this writing, we’ve guided 20 organizations through federal authorization processes, saving them an average of $85,000 and 6 months.

Ignyte helps organizations navigate the different and difficult options and avenues of FedRAMP LI-SaaS compliance. Talk to us today about how the Ignyte Assurance Platform can open new roads for you and your business.
