The Federal Risk and Authorization Management Program, or FedRAMP, defines three distinct categorization levels to help government agencies and their supporting contractors implement the appropriate security controls required to protect U.S. government data. These levels – low, moderate, and high – standardize an approach to the security of cloud products and cloud services across the federal sphere.
As the levels move from low to high, additional security controls and tighter restrictions are mandated to ensure the proper level of information security is in place, dependent on the type of data to be stored, processed, or transmitted and the risk to the overall mission if that data is compromised. Let’s take a closer look at the three FedRAMP certification levels and the kinds of data that each protects.
FedRAMP Low Impact Level
The low impact level is the baseline security standard for cloud systems and data. It is designed to support cloud services and products that are intended for public use and generally considered to be low risk. Any loss in the availability or confidentiality of systems and information at this level would not substantially impact an agency’s mission, operations, finances, reputation, or personnel.
With less risk assigned, security documentation is consolidated, and the timeline for approvals is shortened. Low-level systems are secured by 125 controls – the technologies and processes cloud service providers set in place to secure government data stored in the cloud.
FedRAMP Moderate Impact Level
Data that is not publicly available, like personally identifiable information, is considered controlled unclassified information and is subject to the 325 controls of the FedRAMP moderate impact level. These enhanced controls require cloud service providers to automate many management and risk detection functions to better secure systems and data. At this level, data loss or exposure could have a direct impact on an agency’s mission. Operations might be disrupted, assets lost, and personnel files exposed.
FedRAMP High Impact Level
Prior to June 2016, when FedRAMP released the high-level security baseline, government agencies were only able to contract cloud service providers for low-level and moderate-level cloud operations. Now, an agency can outsource the management of high-risk systems and data – provided the external environments comply with the 421 controls of the FedRAMP high impact level.
The high impact level is suitable for the federal government’s most sensitive, unclassified information. This generally applies to law enforcement, emergency operations, financial services, and healthcare systems, where a breach could result in significant institutional damage, financial ruin, or loss of life. Extensive security protocols, heightened authentication procedures, and more automation help ensure the integrity, availability, and confidentiality of this high-impact data.
Protect Your Agency's Systems and Data
Cloud service providers like GovDataHosting use the three FedRAMP certification levels as baseline standards to ensure security requirements are met when handling government data. Not sure what level is appropriate for your information, systems, or mission? Reach out to GovDataHosting to speak with a FedRAMP Assessment & Authorization (A&A) specialist. We’ll guide you through compliance documentation, accreditation, and ongoing scrutiny of your security controls to keep your information safe in the cloud.