FedRAMP High, Moderate, and Low Security Baseline Levels
The Federal Risk and Authorization Management Program (FedRAMP) is a cybersecurity risk management program based on three security baselines (i.e., FedRAMP high, moderate, and low impact levels) for cloud products and services used by United States (U.S.) federal agencies.
Rolled out by the Office of Management and Budget (OMB) as part of the U.S. government’s 2011 Cloud First Policy, FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP is controlled by a Joint Authorization Board (JAB) and is endorsed by the U.S. government’s Federal Chief Information Officers Council. The board’s makeup underscores the gravity of the authorization, especially for FedRAMP high. It includes representatives from the U.S.:
- Department of Homeland Security (DHS)
- General Services Administration (GSA)
- Department of Defense (DoD)
Before the FedRAMP program came into effect, individual federal agencies established evaluation techniques and security controls to secure their information systems. Cloud service providers (CSPs) had to prepare an authorization package for each agency, which was particularly onerous for the FedRAMP high impact level.
The detailed and strict security and protection protocols established with FedRAMP introduced consistency and streamlined processes. Evaluations and requirements were standardized so that multiple government agencies could reuse the provider’s FedRAMP authorization security package. As a result of that change, FedRAMP accelerated the adoption of secure cloud solutions across the federal government.
There are two different ways to become FedRAMP authorized. Either type of authorization works for FedRAMP high, moderate, and low impact levels.
1. Joint Authorization Board (JAB) Provisional Authority to Operate
The JAB issues a provisional authorization for this authorization process, which lets agencies know the risk has been reviewed. However, federal agencies relying on a JAB provisional authorization are also required to issue their own Authority to Operate. JAB Provisional Authority to Operate is usually used for cloud service providers (CSPs) at the FedRAMP high or moderate levels.
2. Agency Authority to Operate
The federal agency is involved throughout this process once a vendor establishes a relationship with it. After the risk review has been evaluated, the agency issues an Authority to Operate (ATO) letter.
There are three steps to FedRAMP authorization at all security baseline levels from FedRAMP high to low impact levels, regardless of the type of authorization being pursued.
1. Preparation
This includes a readiness assessment, which, if required, is followed by remediation. Then a full security assessment and a Security Assessment Report (SAR) are created.
2. Authorization
The JAB or authorizing agency decides whether the risk as described in the SAR is acceptable. If it is determined to be acceptable, an Authority to Operate letter is submitted to the FedRAMP project management office, and the provider is listed in the FedRAMP Marketplace.
3. Continuous monitoring
The provider is required to send monthly security monitoring documentation to each agency using the service. This phase also includes an annual assessment.
Let’s jump in and learn:
Overview of FedRAMP Security Baseline Levels
FedRAMP categorizes cloud service offerings (CSO) into three levels, according to the potential impact of a data breach. The three security baselines for controls are based on the Federal Information Processing Standard (FIPS) 199 standards from the National Institute of Standards and Technology (NIST). Those controls are required to achieve three main security objectives:
1. Confidentiality
Protection for personal privacy and proprietary information
2. Integrity
Protection against the destruction or modification of stored information
3. Availability
Timely and reliable access to information
The three FedRAMP security baseline levels—FedRAMP high, moderate, and low—set the risk for each category. A specific set of controls is required for each of those levels.
FedRAMP high
FedRAMP high is based on 421+ controls and is usually applied to emergency services, law enforcement, financial services, and health systems. The impact of FedRAMP high is described as:
“The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.”
FedRAMP moderate
FedRAMP moderate is based on 325+ controls and makes up the bulk of FedRAMP applications and covers data that is not publicly available, such as personally identifiable information (PII), protected health information (PHI), and financial information. It is described as:
“The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.”
FedRAMP low
FedRAMP low is based on 125+ controls and includes data that is intended for mass or public consumption. It is described as:
“The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.”
Also included at the FedRAMP low level is FedRAMP Low-Impact Software-as-a-Service (LI-SaaS). FedRAMP LI-SaaS is described as:
“Systems that are low risk for uses like collaboration tools, project management applications, and tools that help develop open-source code.”
For questions regarding the FedRAMP levels detailed above, please reach out to the FedRAMP team in the U.S. government, since requirements can change based on rapidly-evolving cyber-threats. The control numbers by category presented above are current as of November 2024.
FedRAMP High Impact Level
Until 2016, federal government agencies were only permitted to contract with CSPs for work at the low and moderate impact levels. With the addition of the FedRAMP high impact level, federal agencies can use CSPs for high-risk systems and data.
A data breach of FedRAMP high impact level data could lead to catastrophic consequences, including financial ruin or loss of human life. The FedRAMP high impact level requires extensive security protocols, heightened authentication procedures, and automation of as many processes as possible to eliminate the probability of human error.
The controls required for the FedRAMP high impact level enable CSPs to provide enhanced security protection for extremely sensitive governmental data, especially in light of the increase in Advanced Persistent Threats (APTs).
FedRAMP Moderate Impact Level
FedRAMP moderate impact level requires cloud service providers to automate many management and risk detection functions to secure systems and data. A data breach of a CSP under the FedRAMP moderate impact level could have serious effects, such as considerable operational damage, financial loss, or non-fatal injuries to individuals.
The FedRAMP moderate impact level controls require CSPs to use automated mechanisms to support the supervision of systems.
FedRAMP Low Impact Level
FedRAMP has two baseline levels for cloud service offerings (CSOs) that are already in the public domain and use low-impact data—low impact level and Low-Impact Software-as-a-Service (LI-SaaS), also called FedRAMP Tailored LI-SaaS.
The FedRAMP low impact level encompasses low-risk data intended for mass or public consumption. In the event of a data breach, the loss of that data would not be detrimental to safety, reputation, mission, or financial stability.
FedRAMP Tailored allows for a quicker, more efficient approval process for low-risk CSOs. These applications do not store sensitive data other than what is usually required to log in to various systems, websites, or applications (i.e., username, email address, password). To qualify for FedRAMP Tailored, the CSP must answer yes to all six of the following questions.
1. Does the service operate in the cloud?
2. Is the cloud service fully operational (e.g., not still under development)?
3. Is the cloud service a software application (SaaS) as opposed to Infrastructure (IaaS) or a Platform (PaaS) offering?
4. Can the cloud service operate without collecting personally identifiable information (PII)?
5. Is the cloud service low-security-impact, according to the?
6. Is the cloud service hosted within an existing FedRAMP authorized infrastructure, where pre-existing controls and validations can be inherited?
FedRAMP Authority to Operate Delivers Opportunities
Although FedRAMP, especially FedRAMP high, is one of the most rigorous software-as-a-service certifications in the world, it opens doors for the CSPs that are granted formal Authority to Operate status. FedRAMP was created, in part, to facilitate federal government agencies’ adoption of cloud technology.
The FedRAMP marketplace is one of the first places government agencies want to look when they source a new cloud-based solution. In addition to enabling procurement of federal government contracts, FedRAMP authorization gives non-governmental clients more confidence about CSPs’ security protocols. Achieving and maintaining FedRAMP authorization represents a CSP’s ongoing commitment to meeting the highest security standards.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers, with millions of users worldwide.
Last Updated: 22nd November, 2024