Different kinds of data require different kinds of protection.
Based on FISMA requirements, federal agencies define three distinct security objectives for both information and information systems. These standards are outlined in the Federal Information Processing Standard (FIPS) Publication 199, and include:
- Confidentiality: Methods for protecting personal privacy and proprietary information
- Integrity: Methods for guarding stored information against modification or destruction
- Availability: Timely, reliable access to information
Cloud Service Providers, or CSPs, use these standards as a baseline level to make certain their services meet the minimum security requirements to process, store, and transmit certain data.
When determining a system's FedRAMP Security Level categorization, government agencies must first determine the information types to be stored, processed, or transmitted using a cloud system.
Determining this categorization allows government agencies to select a CSP that can best meet their needs and provide the appropriate security controls.
The three FedRAMP Security Impact Levels are:
- Low Impact Risk: This security level encompasses data that is intended for mass or public consumption. It specified that any loss of integrity, availability, or confidentiality would not be detrimental to your agency's mission, safety, finances, or reputation, in the event of a compromise.
- Moderate Impact Risk: Moderate impact systems largely include data that is not available to the public. This level is appropriate for those systems in which failure to uphold any or all of the security objectives could have a mild impact on the government agency's mission. Personally identifiable information is a prime example of data classified as moderate risk.
- High Impact Risk: Protection for high risk systems is required by law. These systems are most notably found in Law Enforcement, Emergency Services, Healthcare, and other industries that require the access and handling of the government's most sensitive, unclassified data. Breaches to such systems are considered catastrophic - potentially shutting down operations or resulting in financial ruin, and posing a threat to intellectual property and even human life. Controls often include reducing human error through automation, and heightening authentication procedures for those working within the system.
GovDataHosting offers government information assurance for systems categorized as low, moderate, and high risk. Our all-inclusive services covers full Assessment & Authorization (A&A) compliance documentation, system hardening, vulnerability scanning, continuous monitoring, edge perimeter defense, identity management, log aggregation/analysis, Plan of Actions and Milestones (POAM) vulnerability tracking, and audit/assessment support services.
In short, we do it all. Protect your agency's sensitive data. Reach out to GovDataHosting today.