Understanding Baselines and Impact Levels for FedRAMP® Authorizations
Federal Information Processing Standard (FIPS) 199 provides the standards for the security categorization of federal information and information systems. A system’s category is dependent on the potential impact on an agency’s assets and operations should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction. These are the standards Cloud Service Providers (CSPs) must employ to ensure their services meet the minimum security requirements for the data processed, stored, and transmitted.
It is important that CSPs understand the impact level of their offering(s) and the correlated security categorization when developing their FedRAMP authorization strategy. Below is a high-level overview of the FIPS 199 security categories. Cloud Service Offerings (CSOs) are categorized into one of three impact levels (Low, Moderate, and High), assessed across three security objectives (confidentiality, integrity, and availability).
Security Objectives
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity
Guarding information against unauthorized or improper modification or destruction.
Availability
Ensuring timely and reliable access to information.
CSOs Impact Levels
FedRAMP authorizes CSOs at the Low, Moderate, and High impact levels. The FedRAMP baselines do not allow controls to be tailored separately for confidentiality, integrity, and availability: the highest level required by any one objective sets the level for the whole system. For example, if integrity is required to be at the High impact level, then the system must also meet the High requirements for confidentiality and availability.
Low Impact Level
Low Impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effect on an agency’s operations, assets, or individuals. FedRAMP currently has two baselines for systems with Low Impact data: Tailored LI-SaaS Baseline and Low Baseline.
FedRAMP Tailored LI-SaaS
FedRAMP Tailored was developed to support industry solutions that are low risk and low cost for agencies to deploy and use. Tailored policy and requirements provide a more efficient path for Low Impact Software as a Service (LI-SaaS) providers. The LI-SaaS Baseline covers Low-Impact SaaS applications that do not store personally identifiable information (PII) beyond what is generally required for login capability (i.e. username, password, and email address). Required security documentation is consolidated, and the number of security controls needing testing and verification is lowered relative to a standard Low Baseline authorization. While all requirements identified in the FedRAMP Low Baseline still apply, FedRAMP Tailored identifies those requirements typically satisfied by the LI-SaaS customer or the underlying service provider, allowing the provider to focus only on the requirements relevant to it. Further, FedRAMP Tailored allows agencies to independently validate only the most important of these requirements.
Moderate Impact Level
Moderate Impact accounts for the majority of CSOs that receive FedRAMP authorization and is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in a serious adverse effect on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that does not involve loss of life or serious life-threatening injuries.
High Impact Level
High Impact data is usually found in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. FedRAMP introduced its High Baseline to account for the government’s most sensitive unclassified data in cloud computing environments, including data whose compromise could involve loss of life or financial ruin.
CSPs should use the FedRAMP FIPS 199 Categorization Template (Appendix K of the SSP), together with the guidance in NIST Special Publication 800-60 Volume 2 Revision 1, to correctly categorize their system based on the types of information it processes, stores, and transmits. Customer agencies are expected to perform a separate FIPS 199 analysis for their own data hosted in the CSP’s cloud environment.
CSPs can achieve a FedRAMP Authorized designation via the Agency Path for any of the baselines (LI-SaaS, Low, Moderate, High). CSPs can only pursue a FedRAMP Authorized designation via the JAB Path for the Moderate and High baselines.
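The categorization steps above, worked through in code as an added example (not FedRAMP's own tooling): each information type carries a provisional CIA level in the style of SP 800-60, the system category is the per-objective high-water mark, the FedRAMP baseline is the single highest level because the baselines are not tailored per objective, and the LI-SaaS and JAB/Agency eligibility checks follow the page's description. The information types and their levels are constructed sample values.

```python
from enum import IntEnum
from typing import Dict, Iterable, List, NamedTuple


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


class InfoType(NamedTuple):
    """One information type with its provisional FIPS 199 impact per objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """FIPS 199 system category: high-water mark of each objective across all types."""
    types = list(info_types)
    return {
        "confidentiality": max(t.confidentiality for t in types),
        "integrity": max(t.integrity for t in types),
        "availability": max(t.availability for t in types),
    }


def fedramp_baseline(category: Dict[str, Impact], is_saas: bool, pii_beyond_login: bool) -> str:
    """FedRAMP does not tailor per objective: the highest objective sets the level.
    A Low system that is SaaS and stores no PII beyond login data may use LI-SaaS
    (simplified eligibility check, as described on this page)."""
    level = max(category.values())
    if level == Impact.LOW and is_saas and not pii_beyond_login:
        return "LI-SaaS"
    return level.name.title()


def authorization_paths(baseline: str) -> List[str]:
    """Agency Path is open to every baseline; JAB Path only to Moderate and High."""
    return ["Agency", "JAB"] if baseline in ("Moderate", "High") else ["Agency"]


# Constructed sample: public content is Low everywhere, but audit logs need Moderate integrity.
SAMPLE_TYPES = [
    InfoType("Public web content", Impact.LOW, Impact.LOW, Impact.LOW),
    InfoType("Audit logs", Impact.LOW, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    base = fedramp_baseline(cat, is_saas=True, pii_beyond_login=False)
    print(cat, base, authorization_paths(base))
```

Even though only integrity rose to Moderate, the whole system lands on the Moderate baseline, which is exactly the no-tailoring rule the page states.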