The Federal Risk and Authorization Management Program, referred to as FedRAMP, is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. Before FedRAMP came into effect, each federal agency was responsible for establishing its own evaluation techniques and security controls to secure its information systems. That requirement was enshrined in the Federal Information Security Management Act (FISMA) of 2002, but having every agency separately assess the same cloud services was a costly and inefficient process.
FedRAMP was launched in December 2011, and it standardized the process of verifying whether cloud service providers (CSPs) meet U.S. government security requirements. During the FedRAMP authorization process, accredited third-party assessment organizations (3PAOs) independently test the provider's implementation of the required controls and report their findings; an authorizing body then decides, on the basis of that assessment, whether the offering is FedRAMP authorized. The 3PAO assesses; it does not grant the authorization.
FedRAMP aims to save time and to minimize the cost that each federal agency would otherwise spend evaluating the security of CSPs, following a "do once, use many times" model in which one authorization package can be reviewed and reused by other agencies. The security controls required by FedRAMP are derived from National Institute of Standards and Technology (NIST) Special Publication 800-53, which catalogs the security and privacy controls for information systems used by the federal government.
FedRAMP categorizes Cloud Service Offerings (CSOs) into three security baseline levels: low, moderate, and high. These impact levels come from Federal Information Processing Standard (FIPS) Publication 199, which rates the potential impact on an organization if an information system is compromised. FIPS 199 defines three security objectives for both information and information systems, confidentiality, integrity, and availability, and rates the impact of losing each as low, moderate, or high; a system's overall categorization is the highest rating assigned to any of the three objectives.
Without further ado, here are overviews of the three security baseline levels:
The low impact level is the baseline for CSOs that handle low-risk data, such as information intended for mass or public consumption. Data whose loss of confidentiality, integrity, or availability would have only a limited adverse effect on a federal agency's safety, reputation, mission, or finances is classified at this level.
Currently, FedRAMP has two baselines for systems with low-impact data: the standard Low baseline, and the FedRAMP Tailored baseline for Low-Impact Software-as-a-Service (LI-SaaS) offerings, which applies a reduced control set to low-risk SaaS applications.
Since this level applies to cloud service providers that handle low-risk data, it has fewer controls (125) than the other two levels. Controls are the policies, techniques, and technologies cloud service providers use to protect the federal data they store in the cloud. As the levels progress from low to high, more controls and control enhancements are added so that federal data is secured in proportion to the impact of losing it. Note that the control counts quoted in this article (125, 325, and 421) correspond to the FedRAMP baselines built on NIST SP 800-53 Revision 4; the Revision 5 baselines adopted later have different counts, so check the current FedRAMP baseline documents before planning an authorization.
The moderate impact level is the baseline for CSOs that handle controlled unclassified information (CUI) across federal agencies. It is the most common impact level, accounting for about 80 percent of CSOs that obtain FedRAMP authorization. It applies to cloud service offerings used for data that is generally not accessible to the public. A typical example of data classified at the moderate impact level is personally identifiable information (PII).
If data classified at the moderate impact level is breached, the effect on the federal agency would be serious: significant operational damage, significant damage to assets or financial loss, or harm to individuals that stops short of loss of life or life-threatening injury. The moderate baseline has a total of 325 controls. These include requiring cloud service providers to support account management with automated mechanisms (control enhancement AC-2(1) in NIST SP 800-53). For instance, the system should use automated notification such as email or text messaging to alert account managers when users are transferred or terminated, so that their accounts are disabled promptly rather than left active for an attacker to reuse.
The FedRAMP high impact level applies to cloud service offerings used by federal agencies that handle high impact data, for example in healthcare, emergency services, financial systems, and law enforcement. A breach of high impact data can have severe or catastrophic results, including economic crises or loss of human life. As such, systems at the FedRAMP high impact level must comply with a total of 421 controls. Cloud service providers are also expected to automate as many processes as possible in order to reduce the likelihood of human error.
For a cloud service provider (CSP) to sell its offering(s) to federal agencies, it must obtain FedRAMP authorization. It is imperative for CSPs to understand the baseline level of their CSOs and the corresponding security categorization. When creating their authorization strategy, they must ensure that their CSOs meet the minimum security requirements for processing, storing, and transmitting the categories of data their agency customers will entrust to them.
When assessing the security categorization of a CSP's offering, government agencies must also determine the type of information they will process, store, or transmit using the cloud system, since it is the agency's own data, not the CSP's marketing, that sets the required impact level. The agency should choose the CSP whose offering best meets its needs and is authorized at, or above, the baseline its data requires.
CSPs demonstrate their FedRAMP compliance through either a Provisional Authority to Operate (P-ATO) granted by the Joint Authorization Board (JAB), which also sets the FedRAMP accreditation requirements, or an Authority to Operate (ATO) granted by an individual agency. A JAB P-ATO signals that the JAB has reviewed the CSO's security package and found it acceptable for government-wide reuse, but it is not itself permission to process an agency's data: each federal agency must still issue its own ATO before using the service. (As of 2024, the JAB's role has passed to the FedRAMP Board under OMB's updated FedRAMP policy, although the distinction between program-level and agency-level authorizations remains.)
A good example is Microsoft, whose Azure public cloud services comply with the requirements of the FedRAMP high impact level. Microsoft's FedRAMP High P-ATO has been extended to all of Azure's public regions in the U.S.