The Federal Risk and Authorization Management Program, referred to as FedRAMP, is a U.S. government program that provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. Before FedRAMP came into effect, each federal agency was responsible for establishing its own evaluation techniques and security controls to secure its information systems. While this requirement was enshrined in the Federal Information Security Management Act (FISMA) of 2002, it meant the same cloud service was often assessed separately by every agency that wanted to use it, which was costly and inefficient.
FedRAMP was rolled out in 2011, and it standardized the process of verifying whether cloud service providers (CSPs) meet U.S. government security guidelines. During the FedRAMP authorization process, accredited third-party assessment organizations (3PAOs) independently assess a provider's cloud service offering and produce the evidence that the required controls are implemented and effective. The resulting authorization package can be reused by other agencies, so a provider does not have to be assessed from scratch for each customer.
FedRAMP aims not only to save time but also to minimize the cost that each federal agency would otherwise incur evaluating the security of CSPs. The security controls required by FedRAMP are drawn from the National Institute of Standards and Technology (NIST) Special Publication 800-53, the catalog of security and privacy controls for federal information systems.
FedRAMP categorizes Cloud Service Offerings (CSOs) into three security baseline levels: low, moderate, and high. These impact levels come from Federal Information Processing Standard (FIPS) publication 199, which rates the severity of the potential impact if an information system is compromised. FIPS 199 defines three security objectives for information and information systems as follows:
- Confidentiality: preserving authorized restrictions on access to and disclosure of information, including the protection of personal privacy and proprietary information
- Integrity: guarding against improper modification or destruction of information, including ensuring its authenticity and non-repudiation
- Availability: ensuring timely and reliable access to, and use of, information
Each objective is rated low, moderate, or high for a given system, and the system's overall security categorization is the highest rating assigned to any of the three objectives (the "high water mark"). That categorization determines which FedRAMP baseline the CSO must meet.
Without further ado, here are overviews of the three security baseline levels:
1 FedRAMP Low Impact Level
The low impact level is the lowest of the three FedRAMP security baselines. It covers CSOs that handle low-risk data, typically information intended for mass or public consumption. Data whose loss of confidentiality, integrity, or availability would have only a limited adverse effect on a federal agency's operations, assets, reputation, finances, or individuals is classified at this level.
Currently, FedRAMP has two baselines for systems with low-impact data. They are:
- Low Baseline: the standard baseline for CSOs that process, store, or transmit low-impact data, including data that is already public.
- Low-Impact Software-as-a-Service (LI-SaaS): this baseline applies to SaaS applications that do not store personally identifiable information (PII) beyond what is generally required to log in, i.e., username, email address, and password. Compared with the standard Low baseline, LI-SaaS requires fewer security controls.
The LI-SaaS baseline, also known as FedRAMP Tailored, allows a quicker, more efficient authorization process for low-risk services such as collaboration tools, project management applications, and tools used to develop open-source code.
Since this level applies to cloud service offerings that handle low-risk data, it has fewer controls (125 under the NIST SP 800-53 Revision 4 baselines) than the other two levels. Controls are the policies, techniques, and technologies cloud service providers use to protect the federal data they store and process in the cloud. As the levels progress from low to high, more controls and control enhancements are added to ensure that federal data is adequately protected.
2 FedRAMP Moderate Impact Level
The moderate impact level is the standard for cloud computing security for Controlled Unclassified Information (CUI) across federal agencies. It is the most common impact level, accounting for nearly 80 percent of CSOs that obtain FedRAMP authorization. It applies to cloud service offerings used for data that is generally not accessible to the public. A typical example of moderate-impact data is personally identifiable information (PII).
If data classified at the moderate impact level is breached, there would be a serious adverse effect on the federal agency, such as significant damage to its operations or assets, significant financial loss, or harm to individuals that does not involve loss of life or life-threatening injuries. The moderate impact level has a total of 325 controls (Revision 4 baseline). These include requiring cloud service providers to use automated mechanisms to support the management of information system accounts, for instance automatically notifying account managers by email or text message when users are transferred or terminated, so that their accounts can be disabled or removed promptly.
3 FedRAMP High Impact Level
The FedRAMP high impact level applies to cloud service offerings used by federal agencies for high-impact data, such as healthcare data, emergency services, financial systems, and law enforcement systems. A breach of high-impact data can have severe or catastrophic results, including economic crises or loss of human life. As such, FedRAMP high impact level systems must comply with a total of 421 controls (Revision 4 baseline). Cloud service providers are also expected to automate as many security processes as possible in order to reduce the probability of human error.
How to Obtain FedRAMP Compliance
For a cloud service provider (CSP) to sell its offering(s) to federal agencies, it must obtain a FedRAMP authorization. It is essential for CSPs to understand the impact level of their CSOs and the corresponding security categorization. When creating their authorization strategy, they must ensure that their CSOs meet the minimum security requirements for processing, storing, and transmitting data at that level.
When assessing the security categorization of a CSP's offering, agencies must also determine, following FIPS 199, the type of information to be processed, stored, or transmitted using the cloud system. They should choose the CSP whose offering best meets their needs and provides the security controls appropriate to that categorization.
CSPs demonstrate their FedRAMP compliance through either a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB), the program's governance and decision-making body, or an Authority to Operate (ATO) issued directly by a federal agency. A JAB P-ATO signals that the JAB has reviewed the offering's authorization package and accepted its risk, but it does not by itself permit operation: it remains the responsibility of each federal agency to grant its own final ATO before using the service. (Note that in 2024 OMB replaced the JAB with a FedRAMP Board; existing JAB authorizations continue to be recognized, and the agency ATO requirement is unchanged.)
A good example is Microsoft, which currently offers Azure public cloud services that meet the requirements of the FedRAMP high impact level; its FedRAMP High P-ATO has been extended to all of Microsoft's Azure public regions in the U.S.