
FedRAMP High, Moderate, and Low Security Baseline Levels


The Federal Risk and Authorization Management Program (FedRAMP) is a cybersecurity risk management program for cloud products and services used by United States (U.S.) federal agencies. It is built on three security baselines (the FedRAMP high, moderate, and low impact levels) that scale the required controls to the impact a compromise would have.

FedRAMP high is, arguably, the most rigorous cloud security authorization in use today. Note that FedRAMP is an authorization, not a certification: an agency (or the JAB) accepts the residual risk of a specific cloud service offering, and the authorization applies to SaaS, PaaS, and IaaS offerings alike.

Rolled out by the Office of Management and Budget (OMB) as part of the U.S. government’s 2011 Cloud First Policy, FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP is governed by the Joint Authorization Board (JAB) and is endorsed by the U.S. government’s Federal Chief Information Officers Council. The board’s makeup underscores the gravity of the authorization, especially for FedRAMP high. It includes the chief information officers of:

  • Department of Homeland Security (DHS)
  • General Services Administration (GSA)
  • Department of Defense (DoD)

Before the FedRAMP program came into effect, individual federal agencies established their own evaluation techniques and security controls to secure their information systems. Cloud service providers (CSPs) had to prepare a separate authorization package for each agency, which was particularly onerous for systems that would today fall at the FedRAMP high impact level.

The detailed and strict security and protection protocols established with FedRAMP introduced consistency and streamlined the process. Evaluations and requirements were standardized so that multiple government agencies could reuse the provider’s FedRAMP authorization security package. With this, FedRAMP accelerated the adoption of secure cloud solutions across the federal government.

There are two different ways to become FedRAMP authorized. Either type of authorization works for FedRAMP high, moderate, and low impact levels.

1. Joint Authorization Board (JAB) Provisional Authority to Operate
The JAB reviews the security package and issues a Provisional Authority to Operate (P-ATO), which tells agencies that the risk has been reviewed at the government-wide level. A P-ATO is not by itself permission to use the service: each federal agency that adopts a service with a JAB P-ATO must still issue its own Authority to Operate (ATO), reusing the JAB package. The JAB P-ATO path is usually used by cloud service providers (CSPs) at the FedRAMP high or moderate levels.

2. Agency Authority to Operate
The federal agency is involved throughout this process once a vendor establishes a relationship with it. After the agency has evaluated the risk review, it issues an Authority to Operate letter.

There are three steps to FedRAMP authorization at every security baseline level, from FedRAMP high to low, regardless of the type of authorization being pursued.

1. Preparation
This includes a readiness assessment, which, if needed, is followed by remediation. Then a full security assessment is performed by an accredited third-party assessment organization (3PAO), and its findings are documented in a Security Assessment Report (SAR).

2. Authorization
The JAB or authorizing agency decides whether the risk as described in the SAR is acceptable. If it is determined to be acceptable, an Authority to Operate letter is submitted to the FedRAMP project management office, and the provider is listed in the FedRAMP Marketplace.

3. Continuous monitoring
The provider is required to send monthly continuous monitoring deliverables (for example, vulnerability scan results and an updated Plan of Action and Milestones) to each agency using the service, and a 3PAO conducts an annual assessment of a subset of the controls.

Overview of FedRAMP Security Baseline Levels

FedRAMP categorizes cloud service offerings (CSOs) into three levels according to the potential impact of a compromise. The three security control baselines are derived from Federal Information Processing Standard (FIPS) Publication 199 from the National Institute of Standards and Technology (NIST), which defines impact in terms of three security objectives:

1. Confidentiality
Protections for personal privacy and proprietary information

2. Integrity
Protections against improper modification or destruction of information, including ensuring its authenticity and non-repudiation

3. Availability
Timely and reliable access to information

The three FedRAMP security baseline levels—FedRAMP high, moderate, and low—correspond to the impact level assigned to these objectives. Each level carries its own list of required security controls; the higher the impact level, the more controls and the stricter the control parameters.

FedRAMP high

FedRAMP high is based on 421 controls (the count in the baseline built on NIST SP 800-53 Revision 4) and is usually applied to emergency services, law enforcement, financial services, and health systems. FedRAMP high is described as:

“The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.” 

FedRAMP moderate

FedRAMP moderate is based on 325 controls. It makes up the bulk of FedRAMP authorizations and covers data that is not publicly available, such as personally identifiable information (PII), protected health information (PHI), and financial information. It is described as:

“The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.”

FedRAMP low

FedRAMP low is based on 125 controls and covers data that is intended for mass or public consumption. It is described as:

“The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.”

Also available at the low level is FedRAMP Tailored for Low-Impact Software-as-a-Service (LI-SaaS). FedRAMP LI-SaaS is described as:

“Systems that are low risk for uses like collaboration tools, project management applications, and tools that help develop open-source code.”

The 17 FedRAMP Controls by Family

FedRAMP controls are grouped by “family.” Seventeen families of controls make up the FedRAMP Security Controls Baseline and apply to FedRAMP high, moderate, and low. The counts below are for the baselines built on NIST SP 800-53 Revision 4; baselines built on later revisions of SP 800-53 have different totals.

 #  Control family                          High  Moderate  Low
 1  Access control                            54        43   11
 2  Audit and accountability                  31        19   10
 3  Awareness and training                     7         5    4
 4  Configuration management                  36        26    8
 5  Contingency planning                      35        24    6
 6  Identification and authentication         31        27   15
 7  Incident response                         26        18    7
 8  Maintenance                               14        11    4
 9  Media protection                          12        10    4
10  Personnel security                        10         9    8
11  Physical and environmental protection     27        20   10
12  Planning                                   6         6    3
13  Risk assessment                           12        10    4
14  Security assessment and authorization     16        15    8
15  System and communications protection      39        32   10
16  System and information integrity          39        28    7
17  System and services acquisition           26        22    6
    Totals                                   421       325  125

FedRAMP High Impact Level

Until 2016, federal government agencies were only allowed to contract with CSPs for work at the low and moderate impact levels. With the addition of the FedRAMP high impact level, federal agencies can use CSPs for high-risk systems and data.

A breach of FedRAMP high impact level data could lead to catastrophic consequences, including severe financial loss or loss of human life. The FedRAMP high impact level therefore requires extensive security controls, stronger authentication (for example, multi-factor authentication for all accounts), and automation of as many processes as possible to reduce the likelihood of human error.

The 421 controls required for the FedRAMP high impact level ensure that CSPs provide protections suitable for data with these qualities:

  • Confidentiality
    The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
  • Integrity
    The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
  • Availability
    The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FedRAMP Moderate Impact Level

The FedRAMP moderate impact level requires cloud service providers to automate many management and risk detection functions to secure systems and data. A breach of a CSP at the FedRAMP moderate impact level could have serious effects, such as considerable operational damage, financial loss, or non-life-threatening injury to individuals.

The FedRAMP moderate impact level controls require CSPs to use automated mechanisms to support the management and monitoring of their systems. The 325 controls required at the FedRAMP moderate impact level protect data with the following qualities:

  • Confidentiality
    The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  • Integrity
    The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  • Availability
    The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

FedRAMP Low Impact Level

FedRAMP has two baselines for cloud service offerings (CSOs) that handle only low-impact data: the low impact level and FedRAMP Tailored for Low-Impact Software-as-a-Service (LI-SaaS).

With 125 controls, the FedRAMP low impact level encompasses low-risk data intended for mass or public consumption. In the event of a breach, the loss of this data would have only a limited effect on safety, reputation, mission, or finances. The qualities of data at the FedRAMP low impact level are as follows:

  • Confidentiality
    The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  • Integrity
    The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  • Availability
    The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Based on 36 controls, FedRAMP Tailored allows for a quicker, more efficient approval process for low-risk CSOs. These applications do not store sensitive data beyond what is usually required to log in to a system, website, or application (i.e., username, email address, password). To qualify for FedRAMP Tailored, the CSP must be able to answer yes to all six of the following questions.

1. Does the service operate in the cloud?

2. Is the cloud service fully operational (e.g., not still under development)?

3. Is the cloud service a software application (SaaS), as opposed to an infrastructure (IaaS) or platform (PaaS) offering?

4. Can the cloud service operate without collecting personally identifiable information (PII)?

5. Is the cloud service low-security-impact, according to the FIPS 199 definition?

6. Is the cloud service hosted within an existing FedRAMP authorized infrastructure, where pre-existing controls and validations can be inherited?

FedRAMP Authority to Operate Delivers Opportunities

Although FedRAMP, especially FedRAMP high, is, arguably, the most rigorous cloud security authorization in use today, it opens doors for the CSPs that are granted Authority to Operate status. FedRAMP was created, in part, to facilitate federal government agencies’ adoption of cloud technologies.

The FedRAMP Marketplace is the first place government agencies look when they want to source a new cloud-based solution. In addition to enabling procurement of federal government contracts, FedRAMP authorization gives non-governmental clients more confidence in a CSP’s security posture. Achieving and maintaining FedRAMP authorization represents a CSP’s ongoing commitment to meeting the highest security standards.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers, with millions of users worldwide.

Last Updated: 18th April, 2022
