Choosing the Right FedRAMP Impact Level

As a cloud service provider (CSP), working with the federal government can create a great opportunity. A business could dramatically increase revenue by landing just one government contract. But to get those contracts, a CSP needs to be compliant with FedRAMP, the federal government’s cloud security compliance standard. The first steps can be daunting without someone to guide the CSP through the FedRAMP compliance process.

According to FedRAMP.gov, “FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.”

By standardizing the vetting of CSPs, FedRAMP compliance eliminates redundant processes for everyone. It also ensures that information on federal systems is protected with the highest standards. 

FedRAMP Impact Levels: Low, Moderate, High

Once a company decides to become FedRAMP compliant, the next decision is to identify the impact level for the organization. FIPS PUB 199 is the Standard for Security Categorization of Federal Information and Information Systems. It is a short guide that will help to select which level is most appropriate for a CSP. Next, the business will evaluate its cloud service offering on principles of Confidentiality, Integrity and Availability of the information that an agency is putting into its system. 

It is also helpful to use NIST Special Publication 800-60 volume 2 Revision 1, a “Guide for Mapping Types of Information and Information Systems to Security Categories”.

As an additional consideration, if an agency deems that the CSP needs a higher impact level, they must comply to move forward. According to FedRAMP.gov, “Moderate Impact systems account for nearly 80% of CSP applications that receive FedRAMP authorization”. A CSP should always check with the agency they are working with, as the agency will have more information regarding their requirements and required impact level.

A CSP should not necessarily choose the highest impact level upfront. There is a significant disparity between low, moderate and high impact levels because of the time, budget, and effort it takes to achieve them. For example, the low impact level has 11 controls for access control. The high impact level has a whopping 54. The main difference is granularity. This is the case for the other 16 control families in FedRAMP. Low impact systems have 125 controls, moderate impact systems have 325 controls, and high impact systems have 421 controls. 

Final Thoughts

FedRAMP compliance opens up a whole new world of possibilities for business development. Although a great effort is required, it helps reinforce strong security guidelines, building trust with customers and ultimately strengthening the business. 

Please reach out to us at connect@compliancepoint.com if you have any questions about FedRAMP. CompliancePoint’s security assurance experts can walk you through the compliance process and help you achieve your goals.