FedRAMP Low, Moderate, High: Understanding Security Baseline Levels

Written by
FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that ensures that the proper level of information security is in place when U.S. government agencies access cloud products and cloud services. 

FedRAMP standardizes the approach to security assessment, authorization, and continuous monitoring of cloud service providers (CSPs).

FedRAMP grants authorizations to CSPs at three impact levels: low, moderate, and high.

These levels refer to the severity of the potential impact if an information system is compromised.

Here’s a quick summary of each level, with detailed sections below:

  • Low impact risk: Encompasses data intended for public use. Any loss of data wouldn’t compromise an agency’s mission, safety, finances, or reputation.
  • Moderate impact risk: Mainly includes data that’s not available to the public, such as personally identifiable information. A breach of this data can have a serious impact on an agency’s operations.
  • High impact risk: Includes sensitive federal information, such as law enforcement, emergency services, and healthcare data. Breaches of government systems containing this data would likely be catastrophic, potentially shutting down operations, causing financial ruin, or threatening intellectual property and even human life.

These security baseline levels follow Federal Information Processing Standard (FIPS) 199, which categorizes information and information systems by the potential impact of a loss of confidentiality, integrity, or availability.

Cloud service providers use these standards as baseline levels to ensure their services meet the minimum security requirements necessary to process, store, and transmit data. They must correctly align their cloud service offerings to an impact level to pursue the appropriate authorization baseline.

Controls and levels are important concepts of FedRAMP. Controls are the technologies and techniques CSPs use to secure the government data they store in the cloud. 

To ensure that government data is adequately protected, additional security controls are added as the levels move from low to high.

Low-level systems have 125 controls, moderate-level systems have 325 controls, and high-level systems are required to comply with 421 controls. FedRAMP released the high-level security baseline in June 2016. Before that date, federal agencies were only able to outsource low-level and moderate-level cloud operations to CSPs.

With the three levels now in place, any federal agency can store its data with any cloud service provider that’s FedRAMP compliant.

FedRAMP Low Impact Level

FedRAMP low impact level is the standard for cloud computing security for cloud service offerings (CSOs). This applies where the loss of confidentiality, integrity, and availability of data would result in limited adverse effects on a federal agency’s operations, assets, or individuals.

FedRAMP currently has two baseline levels for systems with low-impact data: low baseline and low-impact SaaS. 

The low impact level is most appropriate for CSPs that will handle federal information intended for public use. Any loss of data at this level wouldn’t compromise an agency’s mission, safety, finances, or reputation. 

The FedRAMP Tailored Baseline for CSPs with low-impact software-as-a-service (LI-SaaS) systems was developed to support cloud services and products that the agencies using them consider to be low risk. There are fewer baseline security controls in place (38) for the LI-SaaS baseline compared to the standard low baseline, and the required security documentation is consolidated.

FedRAMP Tailored accounts for low-impact SaaS applications that don’t store personally identifiable information other than what people use to log in to various websites, applications, and systems, i.e., usernames, passwords, and email addresses. FedRAMP Tailored enables a faster, more streamlined authorization process for low-risk services, such as project management applications, collaboration tools, and tools that help develop open source code.

FedRAMP Moderate Impact Level

FedRAMP moderate impact level is the standard for cloud computing security for controlled unclassified information across federal government agencies.

The moderate impact level is appropriate for CSPs that will handle government data that is not publicly available. Breaches to the systems of these CSPs could have a serious impact on the mission of a government agency. These include significant operational damage to agency assets, financial loss, or individual harm that is not physical and does not cause loss of life. Personally identifiable information is an example of data that’s categorized as a moderate risk.

Moderate-level systems have a baseline of 325 controls.

For moderate-level systems, these controls include requiring the CSP to implement automated mechanisms to support the management of information system accounts. Examples include using email or text messaging to automatically notify account managers when users are terminated or transferred, and using the information system to monitor account usage.

FedRAMP High Impact Level

FedRAMP high impact level is the standard for security necessary to protect some of the federal government’s most sensitive, unclassified data in cloud computing environments.

The high baseline level lets agencies use cloud computing environments for high impact data, including data that involves the protection of life and protection against financial ruin. High impact data includes data found in law enforcement, emergency services, and healthcare, as well as other industries that handle the government’s most sensitive, unclassified data.

Breaches to the systems of CSPs that house this data are considered catastrophic, as they could potentially shut down government systems and operations, result in economic ruin, and pose threats to intellectual property and even human life.

Cloud service providers demonstrate FedRAMP compliance through an Authority to Operate (ATO) or a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB), which develops the FedRAMP accreditation standards. The JAB may grant provisional authorization allowing CSPs to operate, but the federal agencies consuming the services are still responsible for granting CSPs the final ATO.

Microsoft, for example, now offers Azure public services that meet the requirements for the FedRAMP High impact level. In addition, Microsoft has extended FedRAMP High P-ATO to all of its Azure public regions in the United States. Previously, FedRAMP High was only available to customers using Azure Government Cloud services. 

In the past, federal agencies were responsible for establishing their own assessment methodologies and security controls to protect their information systems as set forth under the Federal Information Security Management Act (FISMA) of 2002—a costly and inefficient system.

FedRAMP standardizes the process to determine whether CSPs meet U.S. government security guidelines. During the FedRAMP authorization process, third-party assessment organizations, or 3PAOs, assess the CSPs and certify that they meet these guidelines and therefore are FedRAMP compliant.

The aim of FedRAMP is to save the time and cut the costs that each agency would otherwise spend assessing the security of cloud service providers.

The security controls outlined in FedRAMP are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53, which provides standards and security requirements for information systems used by the federal government.