The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that ensures that the proper level of information security is in place when U.S. government agencies access cloud products and cloud services.
FedRAMP standardizes the approach to security assessment, authorization, and continuous monitoring of cloud service providers (CSPs).
FedRAMP grants authorizations to CSPs at three impact levels: low, moderate, and high. These levels refer to the intensity of a potential impact that may occur if an information system is jeopardized:
- Low impact risk: Encompasses data intended for public use. Any loss of data wouldn’t compromise an agency’s mission, safety, finances, or reputation.
- Moderate impact risk: Mainly includes data that’s not available to the public, such as personally identifiable information. A breach of this data can have a serious impact on an agency’s operations.
- High impact risk: Includes sensitive federal information, such as law enforcement, emergency services, and healthcare data. Breaches to government systems containing this data would likely be catastrophic – potentially shutting down operations or resulting in financial ruin or posing a threat to intellectual property and maybe even human life.
These security baseline levels are categorized based on the Federal Information Processing Standard 199, which defines three ways of securing data according to confidentiality, availability, and integrity.
CSPs use these standards as baseline levels to ensure their services meet the minimum security requirements necessary to process, store, and transmit data. CSPs must correctly align their cloud service offerings to an impact level to pursue the appropriate authorization baseline.
Controls and levels are important concepts of FedRAMP. Controls are the technologies and techniques CSPs use to secure the government data they store in the cloud.
To ensure that government data is adequately protected, additional security controls are added as the levels move from low to high.
Low-level systems have 125 controls, moderate level systems have 325 controls, while high-level systems are required to comply with 421 controls. FedRAMP released the high-level security baseline in June 2016. Before that date, federal agencies were only able to outsource low-level and moderate-level cloud operations to CSPs.
With the three levels now in place, any federal agency can store highly-sensitive data on any cloud services provider that’s FedRAMP compliant.
In the past, federal agencies were responsible for establishing their own assessment methodologies and security controls to protect their information systems as set forth under the Federal Information Security Management Act (FISMA) of 2002 – a costly and inefficient system.
FedRAMP standardizes the process to determine whether CSPs meet U.S. government security guidelines. During the FedRAMP authorization process, third-party assessment organizations, or 3PAOs, assess the CSPs and certify that they meet these guidelines and therefore are FedRAMP compliant.
The aim of FedRAMP is to save time as well as cut the costs that each agency would have to spend to assess the security of cloud service providers.
The security controls outlined in FedRAMP are based on NIST (National Institute of Standards and Technology) Special Publication 800-53, which provides standards and security requirements for information systems used by the federal government.
In addition, the FedRAMP program has created a Joint Authorization Board (JAB) consisting of chief information officers from the U.S. Department of Defense (DoD), the U.S. Department of Homeland Security (DHS), and the General Services Administration (GSA).
The JAB develops the FedRAMP accreditation standards and reviews authorization packages. The JAB may grant provisional authorization allowing CSPs to operate, but the federal agencies consuming the services are still responsible for granting CSPs the final authority to operate (ATO).