The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that helps to assure that cloud service providers employ the proper level of information security when providing services to U.S. government agencies.

FedRAMP standardizes the approach to security assessment, authorization, and continuous monitoring of cloud service providers (CSPs) to give federal agencies a more efficient way to use those services.

To become FedRAMP compliant, CSPs must implement certain baseline sets of security controls in their cloud service offerings (CSOs). FedRAMP dictates what those controls should be according to three “impact levels”: low, moderate, and high. The higher the impact level, the more baseline controls a CSP must implement to ensure that its cloud service offering meets FedRAMP standards and can be used by government agencies.

Understanding FedRAMP is essential for any cloud service provider. You cannot bid on government contracts without FedRAMP compliance, and achieving compliance can give you a strategic advantage over competitors.

What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative that provides a consistent approach to cloud product and service security evaluation, authorization, and continuous monitoring. It was launched in 2011 to give the federal government a cost-effective, risk-based method for adopting and using cloud services.

FedRAMP has two main components: the Joint Authorization Board (JAB) and the Program Management Office (PMO). The JAB consists of chief information officers (CIOs) from the Departments of Defense, Homeland Security, and the General Services Administration. FedRAMP’s principal governing and decision-making body is the JAB.

The FedRAMP PMO is part of the General Services Administration (GSA). It assists agencies and cloud service providers with the FedRAMP authorization process. In addition, it maintains a secure repository of FedRAMP authorizations to allow security packages to be reused across agencies.

Cloud service providers demonstrate FedRAMP compliance through an Authority to Operate (ATO) from specific agencies or a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB). The JAB may grant provisional authorization allowing CSPs to operate, but the federal agencies consuming the services are still responsible for giving CSPs the final ATO.

What Is the FIPS 199 Worksheet?

The Federal Information Processing Standards (FIPS) 199 of the National Institute of Standards and Technology (NIST) provides guidelines for categorizing federal information and information systems based on an agency’s concern for confidentiality, integrity, and availability.

It also addresses the potential impact on agency assets and operations if their information and information systems are compromised through unauthorized access, use, disclosure, disruption, modification, or destruction.


What Are the Different Levels of FedRAMP?

FedRAMP grants authorizations to CSPs at three impact levels: low, moderate, and high. These FedRAMP levels refer to the extent of disruption that may occur if an information system is compromised.

Here’s a quick summary of each level, with detailed sections below:

  • Low impact. Encompasses data intended for public use. Data loss wouldn’t compromise an agency’s mission, safety, finances, or reputation.
  • Moderate impact. Mainly includes data unavailable to the public, such as personally identifiable information. A breach of this data can harm an agency’s operations.
  • High impact. Includes sensitive federal information, such as law enforcement, emergency services, and healthcare data. Breaches to government systems containing this data would likely be catastrophic—potentially shutting down operations, causing financial ruin, and posing a threat to intellectual property and even human life.

These security baseline levels are based on FIPS 199, which defines three potential impact levels for the loss of data confidentiality, integrity, and availability.

FedRAMP Low Impact

FedRAMP low impact level is the standard for cloud computing security for cloud service offerings (CSOs). This applies where the loss of confidentiality, integrity, and data availability would result in limited harm to a federal agency’s operations, assets, or individuals.

FedRAMP has two baseline levels for systems with low-impact data: low baseline and low-impact SaaS. The low impact level is most appropriate for CSPs that handle federal information intended for public use and comprises 125 security controls. Any data loss at this level wouldn’t compromise an agency’s mission, safety, finances, or reputation.

The FedRAMP Tailored Baseline was developed for CSPs with low impact software-as-a-service (LI-SaaS) systems. As a result, there are fewer baseline security controls for the LI-SaaS baseline (only 38) compared to the standard low baseline, and the required security documentation is consolidated.

FedRAMP Tailored enables a faster, more streamlined authorization process for low-risk services, such as project management applications, collaboration tools, and tools that help develop open-source code.

FedRAMP Moderate Impact

FedRAMP Moderate impact level is the standard for cloud computing security for “controlled unclassified information” (CUI) across federal government agencies. The moderate impact level is appropriate for CSPs handling government data that is not publicly available.

Breaches to these CSPs’ systems could severely harm a government agency’s mission. These include significant operational damage to agency assets, financial loss, or individual harm. Personally identifiable information is an example of data categorized as a moderate risk. Moderate-level systems have a baseline of 325 controls.

For moderate-level systems, these controls require the CSP to implement automated mechanisms to support the management of information system accounts. For example, email or text messages should automatically notify account managers when users are terminated or transferred. Information systems must also monitor account usage.
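The two automated mechanisms described above, as an added illustration rather than FedRAMP or NIST tooling: generating account-manager notifications from termination and transfer events, and monitoring account usage for logins that occur after the owner's termination. The HR feed, authentication log and manager mapping are constructed sample data.

```python
from datetime import datetime

# Constructed sample HR feed and authentication log (not real records).
HR_EVENTS = [
    {"user": "jdoe", "event": "terminated", "when": "2024-03-01T17:00:00"},
    {"user": "asmith", "event": "transferred", "when": "2024-03-02T09:00:00", "to": "Finance"},
    {"user": "bwong", "event": "hired", "when": "2024-03-03T09:00:00"},
]
AUTH_LOG = [
    "2024-03-01T08:15:00 user=jdoe result=success src=10.0.0.5",
    "2024-03-02T07:40:00 user=jdoe result=success src=10.0.0.9",   # after termination
    "2024-03-02T10:05:00 user=asmith result=success src=10.0.0.7",
    "2024-03-04T11:00:00 user=bwong result=failure src=10.0.0.8",
]
# Hypothetical mapping from user to the account manager responsible for that account.
ACCOUNT_MANAGERS = {
    "jdoe": "mgr-it@example.gov",
    "asmith": "mgr-hr@example.gov",
    "bwong": "mgr-it@example.gov",
}


def build_notifications(events, managers):
    """One notification per termination or transfer, addressed to the account manager."""
    notes = []
    for e in events:
        if e["event"] not in ("terminated", "transferred"):
            continue
        recipient = managers.get(e["user"], "unassigned@example.gov")
        action = ("disable account" if e["event"] == "terminated"
                  else f"review access for move to {e['to']}")
        notes.append({"to": recipient, "user": e["user"], "event": e["event"], "action": action})
    return notes


def parse_auth_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'when'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["when"] = datetime.fromisoformat(ts)
    return fields


def post_termination_logins(events, auth_log):
    """Flag successful logins on an account after its owner's termination time."""
    term_at = {e["user"]: datetime.fromisoformat(e["when"])
               for e in events if e["event"] == "terminated"}
    flagged = []
    for rec in map(parse_auth_line, auth_log):
        u = rec["user"]
        if u in term_at and rec["result"] == "success" and rec["when"] > term_at[u]:
            flagged.append((u, rec["when"].isoformat(), rec["src"]))
    return flagged
```

In practice the HR feed would come from the identity source of record and the flagged logins would feed the system's continuous-monitoring alerts.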

FedRAMP High Impact

FedRAMP high impact level is the standard for security necessary to protect some of the federal government’s most sensitive unclassified data in cloud computing environments.

High-impact data includes that used by law enforcement, emergency services, and healthcare. Breaches to the systems of CSPs that house this data are considered catastrophic as they could potentially shut down government systems and operations, result in economic ruin, derail investigations, and pose threats to intellectual property and human life.

What Are FedRAMP Control Types?

In the past, federal agencies were responsible for establishing their own assessment methods and security controls to protect their information systems, as mandated under the Federal Information Security Management Act (FISMA) of 2002.

FedRAMP is an extension of FISMA, rather than a replacement of it. FedRAMP standardizes the process of determining whether CSPs meet U.S. government security guidelines. During the FedRAMP authorization process, third-party assessment organizations (3PAOs) assess the CSPs and certify that they meet these guidelines and therefore are FedRAMP compliant.

The objective of FedRAMP is to save time and cut the costs each agency would have to spend to assess cloud service providers’ security. The security controls outlined in FedRAMP are based on NIST Special Publication 800-53, which provides standards and security requirements for information systems used by the federal government.

Low-level systems have 125 controls, moderate-level systems have 325 controls, and high-level systems have 421 controls. These controls are grouped into 17 types, each of which collects the specific controls required at a given impact level. These types are:

  • Access control
  • Awareness training
  • Audit and accountability
  • Security assessment and authorization
  • Configuration management
  • Contingency planning
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Physical and environmental protection
  • Planning
  • Personnel security
  • Risk assessment
  • System and service acquisition
  • System and communications protection
  • System and information integrity

Manage FedRAMP Compliance with Reciprocity ZenComply

One thing all compliance programs have in common is documentation; organizations must prove, through proper documentation, that they have complied with a certain regulation (be it FedRAMP or any other). Collecting that documentation and maintaining compliance is nearly impossible with manual processes and spreadsheets, especially as the number of internal and external stakeholders grows. A more streamlined solution will save time and money in the long term.

ZenComply is a software tool that simplifies compliance by automating numerous time-consuming, manual activities. Compliance templates help to standardize self-assessments and cross-reference control requirements across frameworks. Insightful reporting provides a unified picture of all your compliance frameworks.

Compliance officers will be able to track real-time compliance risks with dashboards indicating where gaps exist. ZenComply also archives and organizes all associated documents and workflows for quick retrieval when audit time comes around.

Schedule a demo today to learn more about ZenComply’s revolutionary compliance management system.
