Understanding FedRAMP Impact Levels for Accreditation of Cloud Services
US Government agencies are increasingly procuring commercial cloud services for improving customer experience, reducing costs, and securing data. A recent market research report forecasts that agency demand for vendor-furnished cloud computing goods and services will grow from $5.3 billion in FY 2019 to $9.1 billion in FY 2024. A key requirement for commercial organizations selling cloud-hosted applications to US Federal and Department of Defense agencies is having FedRAMP accreditation. FedRAMP is a US Government program for certifying cloud-based solutions for use by US Government customers and is rapidly gaining acceptance. Commercial Cloud Service Providers (CSP) must understand key requirements associated with getting certified under the FedRAMP program.
What are FedRAMP Impact Levels?
FedRAMP Is a Government-wide Program for Authorizing Cloud Services that was established by OMB and managed by GSA. The FedRAMP program is intended to provide a standardized approach to securing systems, assessing security controls, and continuously monitoring cloud services used by federal agencies. The program is based on Government security and risk management standards and frameworks developed by NIST. It is critical for Commercial organizations looking to sell cloud services to US Government customers to understand NIST Special Publication 800-37, NIST Special Publication 800-53 and NIST FIPS 199.
Prior to beginning the FedRAMP certification journey, it is important to understand and categorize the nature of the data being hosted in the cloud service. The US Government follows a NIST prescribed standard that is used to categorize the data referred to as FIPS 199. FIPS 199 defines three impact levels for systems – Low, Moderate or High. The Impact levels are based on specific categorizations analyzed along three dimensions – confidentiality, integrity, and availability. Low impact systems are most appropriate where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals. Moderate impact systems are most appropriate where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is no loss of life or physical. High impact systems are usually related to law enforcement and emergency services systems, financial systems, health systems, and any other system where the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The impact level categorization drives the specific controls and requirements that must be met by the commercial Cloud Service Provider. NIST Special Publication 800-53 provides a comprehensive catalog of security requirements and specifications that must be met. To simplify the process, the FedRAMP PMO makes available templates that must be completed with a listing of security controls based on the impact level. The higher the impact level determined by the sensitivity of the data, the higher the number of security controls that must be implemented. FedRAMP High impact level has 421 security controls, Moderate has 325 controls while Low has 125 security controls. The FedRAMP PMO added a fourth category called Low-Impact SaaS (LI-SaaS) that further reduces the number of controls for systems with lower levels of sensitive information.
Are you interested in FedRAMP certification? Schedule a free consultation to learn more about our FedRAMP Accelerator Assessment on AWS. We have developed a fixed price consulting offer for a free 2-week engagement that provides an assessment of the business, technical, and security issues that would need to addressed for FedRAMP accreditation. The engagement output includes a FedRAMP strategy & roadmap and a detailed cost budget with tailored recommendations. Such engagements typically cost between $40,000 to $50,000.
Are you a commercial SaaS or PaaS provider looking to sell your services to US Government agencies? If so then conducting market research and getting a sense of options and trends is essential to making an informed decision on FedRAMP ATO (Authority To Operate) strategy. Here are some available links with additional content for research.