Updated April 16, 2020
Becoming certified under the Federal Risk and Authorization Management Program (FedRAMP) is a costly and resource intensive undertaking. Obtaining certification and continually staying in compliance can make a major impact on your business as a Cloud Service Provider (CSP).
To lessen the costly and time-consuming process, FedRAMP utilizes a “do once, use many times” Security Assessment Framework (SAF). This approach helps reduce redundancies when conducting security assessments and process monitoring reports.
As part of FedRAMP’s effort to streamline compliance, their SAF is standardized into four process areas: Document, Assess, Authorize, and Monitor. Within the Document process area, FedRAMP asks CSP’s to determine what types of data they are managing and complete a FIPS PUB 199 worksheet.
Your security categorization of Low, Moderate, or High impact level is based on the type of data in your system and how it maps in the FIPS PUB 199 worksheet.
What is FIPS 199 Worksheet?
FedRAMP didn’t create these categorization levels. Instead it borrows from the Federal Information Processing Standard (FIPS) which was developed by the National Institute of Standards and Technology (NIST). Here they’ve defined three ways of securing data according to Confidentiality, Availability, and Integrity.
As you can see in the above chart, there are three FedRAMP impact levels: Low, Moderate, and High. Deciding which set of control requirements to follow depends on the kinds of data you are managing and the different modes of securing and protecting that data. Each subsequent impact level requires additional controls to ensure that your data is adequately protected.
Is your Data Low, Moderate, or High Security Impact?
Figuring out which FedRAMP impact levels your Cloud Service Offering (CSO) should follow is critical to the compliance process.
Low Impact Security Level
The low security level baseline is required if the information system you are managing contains publicly available data. If the data were to be compromised it would have low impact.
Moderate Impact Security Level
The moderate security level baseline is required if the your data includes personally identifiable information (PII). If this information system is compromised, it would have a serious impact.
High Impact Security Level
The high security level baseline is required if any problem that befalls your information system would have severe impact on government bodies and operations, which could lead to financial ruin or economic crisis.
From Low to High: Increasing Number of Controls
Higher security levels require additional security controls, such as higher levels of authentication for people to enter, access, and gain control of these systems. This means more, and increasingly secure ways of determining if the person with access is who they claim to be. This also means ensuring upgraded procedures of validating this information as well as determining what they can have access to and what they can do with this data.
For high-impact systems, some key aspects recommended by FedRAMP include the reduction of human error as much as possible, often done by the means of automation. FedRAMP also suggests guaranteeing that the entire scope of authorization already encompasses the full spectrum of services.
Low-level systems have exactly 125 controls, moderate level systems have 325 controls, while high-level systems are required to comply with 421 controls. With the three levels in place, any federal agency can now store highly sensitive data on any provider of cloud services as long as they are FedRAMP compliant.
Breakdown of FedRAMP Control Types
| Control Type | Low | Moderate | High |
| Access Control | 11 | 43 | 54 |
| Awareness Training | 4 | 5 | 7 |
| Audit and Accountability | 10 | 10 | 30 |
| Security Assessment and Authorization | 9 | 16 | 16 |
| Configuration Management | 11 | 26 | 36 |
| Contingency Planning | 6 | 23 | 35 |
| Identification and Authentication | 15 | 27 | 32 |
| Incident Response | 7 | 17 | 26 |
| Maintenance | 4 | 12 | 14 |
| Media Protection | 4 | 10 | 12 |
| Physical and Environmental Protection | 10 | 20 | 26 |
| Planning | 3 | 6 | 6 |
| Personnel Security | 8 | 9 | 10 |
| Risk Assessment | 4 | 10 | 12 |
| System and Services Acquisition | 6 | 22 | 26 |
| System and Communications Protection | 10 | 32 | 39 |
| System and Information Integrity | 7 | 28 | 38 |
Preparing for FedRAMP?
See how StandardFusion can make your life easier with tools that help you before, during and after your authorization.
Our easy-to-use platform comes with all FedRAMP controls, regardless of baseline level, so you can get started right away. Powerful tools help you prepare for and complete your authorization. Then once you're done, we give you everything you need to maintain your authorization monthly.
Want to find out more? Arrange a demo of StandardFusion today!
With FedRAMP, your organization can enhance trust in security evaluations, improve automation for near real-time and continuous monitoring, guaranteeing reliable security practice implementation, promote the use of cloud solutions, consolidate standards for cloud products and ultimately, boost confidence in cloud security. Learn more about what FedRAMP certification could mean for you company
In the end, this will redound to benefits to your organization regarding savings in resources, time, and cost, enhancement of real-time security, improved re-utilization of current security assessment across organizations, enhance transparency, ensure uniformity in approaches to risk-based management, and enrich the authorization process of federal security.
By knowing exactly the kind of data your organization is handling and the kind of protection these data need, you can best determine whether you will require complying to FedRAMP’s low, moderate, or high-security base lines.
StandardFusion Fit Analyzer