Understanding Baselines and Impact Levels for FedRAMP Authorizations
Federal Information Processing Standard (FIPS) 199 provides the standards for the security categorization of federal information and information systems. A system’s category is dependent on the potential impact on an agency’s assets and operations should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction. These are the standards Cloud Service Providers (CSPs) must employ to ensure their services meet the minimum security requirements for the data processed, stored, and transmitted.
It is important that CSPs understand the impact level of their offering(s) and the correlated security categorization when developing their FedRAMP authorization strategy. Below is a high-level overview of the FIPS 199 security categories. Cloud Service Offerings (CSOs) are categorized into one of three impact levels (Low, Moderate, and High) across three security objectives (confidentiality, integrity, and availability).
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: Guarding stored information against unauthorized modification or destruction.
Availability: Ensuring timely and reliable access to information.
CSOs Impact Levels
FedRAMP authorizes CSOs at the Low, Moderate, and High impact levels. The FedRAMP baselines do not allow tailoring of controls per security objective (confidentiality, integrity, or availability): the offering is authorized at the highest level assigned to any one objective. For example, if integrity is required to be at the High impact level, then the system must also meet the High requirements for confidentiality and availability.
CSPs should use the FedRAMP FIPS 199 Categorization Template (Attachment 10) in the SSP, along with the guidance of NIST Special Publication 800-60, Volume 2, Revision 1, to correctly categorize their system based on the types of information processed, stored, and transmitted on their systems. Customer agencies are expected to perform a separate FIPS 199 analysis for their own data hosted in the CSP’s cloud environment.
CSPs can achieve a FedRAMP Authorized designation via the Agency Path for any of the baselines (LI-SaaS, Low, Moderate, High). CSPs can only pursue a FedRAMP Authorized designation via the JAB Path for the Moderate and High baselines.
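The categorization procedure above, written out as an added example (not FedRAMP's own tooling): provisional C/I/A levels are rolled up across information types with the FIPS 199 high-water mark, the FedRAMP baseline is the highest of the three objectives because controls are not tailored per objective, and the result is mapped to the authorization paths the page lists. The information types and their ratings are constructed for illustration and are not values from SP 800-60; LI-SaaS is listed as a path-eligible baseline but is not derived from C/I/A here.

```python
from dataclasses import dataclass

# FIPS 199 impact levels in ascending order; list position is the rank.
LEVELS = ("Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")
# Baselines each FedRAMP authorization path accepts, as stated on the page.
AGENCY_PATH = ("LI-SaaS", "Low", "Moderate", "High")
JAB_PATH = ("Moderate", "High")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown FIPS 199 impact level: {level!r}")
    return LEVELS.index(level)


def categorize_system(info_types: list[InfoType]) -> dict[str, str]:
    """FIPS 199 high-water mark per objective across all information types."""
    if not info_types:
        raise ValueError("at least one information type is required")
    return {
        obj: LEVELS[max(_rank(getattr(t, obj)) for t in info_types)]
        for obj in OBJECTIVES
    }


def fedramp_baseline(categorization: dict[str, str]) -> str:
    """FedRAMP does not tailor by objective: the CSO is authorized at the
    highest of the three objective levels and must meet it for all three."""
    return LEVELS[max(_rank(categorization[obj]) for obj in OBJECTIVES)]


def eligible_paths(baseline: str) -> list[str]:
    """Authorization paths open to a CSO at the given baseline."""
    return [name for name, accepted in (("Agency", AGENCY_PATH), ("JAB", JAB_PATH))
            if baseline in accepted]


# Constructed sample information types (not SP 800-60 values): the High
# integrity rating on billing records alone drives the whole offering to High.
SAMPLE = [
    InfoType("public web content", "Low", "Low", "Moderate"),
    InfoType("billing records", "Moderate", "High", "Moderate"),
]
```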