The Federal Information Security Modernization Act of 2002 (FISMA) requires all federal agencies and their contractors to implement security standards for information, assets, and systems used in their operations. The National Institute of Standards and Technology (NIST) is the government agency that develops and publishes the standards for technologies, including privacy and security controls required for safeguarding federal data (except those related to national security) and ensures compliance with FISMA. (For background and additional help, get the FedRAMP compliance starter guide.)
NIST Special Publication 800-53 details the specific requirements that federal agencies and third-party contractors must adhere to if they store, share, or transmit federal data. The Federal Risk and Authorization Management Program (FedRAMP) provides the standardized approach to security for Cloud Service Providers (CSPs) that store or transmit federal data.
To work with government agencies, all CSPs (including SaaS, IaaS, and PaaS providers) must obtain FedRAMP authorization. Google Workspace, Hootsuite, Workday, Salesforce, GitHub, ServiceNow, and Microsoft are a few of the CSPs that are FedRAMP-authorized. CSPs must demonstrate compliance with NIST security requirements to obtain FedRAMP Authority to Operate (ATO).
FedRAMP authorization is an exhaustive process, and CSPs must determine which authorization is suitable for their business needs. A critical first step toward achieving FedRAMP Authority to Operate is the comprehensive categorization of federal data stored or transmitted, and a worst-case scenario impact should that data be compromised. CSPs must align security categories to the impact levels based on three security objectives:
1. Confidentiality
Data must be safeguarded to protect personal privacy and proprietary information. For example, if a physician stores a patient’s data, that data should only be accessible to the patient, not to their acquaintances or friends, unless granted specific approval. Unauthorized access to information constitutes a loss of confidentiality.
2. Integrity
Data should be protected from modification or destruction, whether intentional or accidental. If the physician mentioned above sends an email to a patient containing lab results, the email and lab results should be delivered as the physician intended. If an unauthorized individual or entity intercepts and modifies the email or lab results, the integrity of the data has been compromised.
3. Availability
Information should be readily available and accessible. The data is considered unavailable if the physician cannot retrieve the patient’s lab results in a timely manner.
Proper categorization is essential and helps organizations understand the work required to achieve FedRAMP authorization. While the responsibility of determining data criticality falls on the organization, NIST provides the guidelines for safeguarding data and IT assets.
Risk impact levels
Low impact
There are two security baselines for Low Impact data — Low Baseline and LI-SaaS Baseline.
A Low Impact level is suitable when a loss of confidentiality, integrity, and availability may result in limited adverse effects on an agency’s operations, assets, or individuals. These effects may include minor financial loss and damage to assets.
LI-SaaS Baseline is a tailored version of Low Impact, developed to support low-cost, low-risk industry solutions used by agencies. LI-SaaS Baseline is appropriate for providers that do not store personally identifiable information (PII) other than login credentials. Authorization is streamlined to only the most relevant controls.
Publicly available data is often designated as Low Impact risk.
Moderate impact
A Moderate Impact level is appropriate where the loss of confidentiality, integrity, and availability can lead to serious adverse effects on an agency’s operations, assets, or individuals. These effects may include significant operational damage to agency assets, financial loss, or individual harm, but not loss of life. Nearly 80% of CSP applications are for Authority to Operate in the Moderate Impact category.
IP addresses and personally identifying data are often designated as Moderate Impact.
High impact
The High Impact level generally includes hospitals, law enforcement, banks, and emergency services, where the loss of confidentiality, integrity, and availability may result in severe or catastrophic adverse effects on an agency’s operations, assets, or individuals. These effects may include loss of mission capabilities, damage to agency assets, financial loss, and loss of life.
Critical infrastructure, emergency services, and law enforcement data are often designated as High Impact.
Mapping data to risk impact levels
Federal Information Processing Standards (FIPS) 199 uses the scenario of a power plant that distributes electricity to a military installation. The power plant uses a Supervisory Control and Data Acquisition (SCADA) system, including sensors. The power plant management has made the following determinations:
- For sensor data collected by the SCADA system:
  - A loss of confidentiality would result in limited adverse effects, or Low Impact
  - A loss of integrity would result in severe or catastrophic adverse effects, or High Impact
  - A loss of availability would also result in severe or catastrophic adverse effects, or High Impact
- For administrative information processed by the SCADA system:
  - A loss of confidentiality would result in limited adverse effects, or Low Impact
  - A loss of integrity would result in limited adverse effects, or Low Impact
  - A loss of availability would also result in limited adverse effects, or Low Impact
| Data type | Confidentiality | Integrity | Availability |
| --- | --- | --- | --- |
| Sensor data | L | H | H |
| Administrative data | L | L | L |

(L = Low Impact, H = High Impact)
To summarize, a security breach of administrative data would likely have limited adverse effects. In contrast, a security breach of sensor data could have severe or catastrophic adverse effects, including loss of life, financial loss, and damage to assets. Using the principle of maximum potential impact (or worst-case scenario) to determine the security level, the highest-impact data type — the “high-water mark” — determines the resulting security category. In the case of the power plant, the category is High Impact.
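As an added worked example (not code from FIPS 199 or from the original article), the following Python applies the categorization procedure above: each information type is rated against the three objectives, the system takes the highest rating per objective across all types it handles, and the overall level is the high-water mark of those three. The function names and the `Impact` enum are the example's own.

```python
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def categorize_type(ratings):
    """Security category of one information type.

    ratings maps each objective to an Impact. Returns the per-objective
    category and its high-water mark across the three objectives."""
    missing = [o for o in OBJECTIVES if o not in ratings]
    if missing:
        raise ValueError(f"no rating for objective(s): {missing}")
    sc = {o: Impact(ratings[o]) for o in OBJECTIVES}
    return sc, max(sc.values())

def categorize_system(info_types):
    """System-level category: per objective, the highest impact of any
    information type the system handles; overall level is the worst case."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_type = {name: categorize_type(r)[0] for name, r in info_types.items()}
    sc = {o: max(t[o] for t in per_type.values()) for o in OBJECTIVES}
    return sc, max(sc.values())

def fips199_notation(sc):
    """Render a category the way FIPS 199 writes it: SC = {(objective, LEVEL), ...}."""
    inner = ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES)
    return "SC = {" + inner + "}"

# Constructed input: the FIPS 199 power plant SCADA scenario described in the text.
POWER_PLANT = {
    "sensor data": {"confidentiality": Impact.LOW, "integrity": Impact.HIGH, "availability": Impact.HIGH},
    "administrative data": {"confidentiality": Impact.LOW, "integrity": Impact.LOW, "availability": Impact.LOW},
}

if __name__ == "__main__":
    for name, ratings in POWER_PLANT.items():
        sc, hwm = categorize_type(ratings)
        print(f"{name:20s} {fips199_notation(sc)} -> {hwm.name}")
    sc, hwm = categorize_system(POWER_PLANT)   # -> HIGH (the high-water mark)
    print(f"SCADA system         {fips199_notation(sc)} -> {hwm.name}")
```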
In a public university setting, course descriptions, class prerequisites, and departmental directories would likely be considered Low Impact as this is generally data available to the public. Budgets, contracts, and moderate-risk intellectual property might fall into the Moderate Impact category. At the same time, sensitive research data, Social Security numbers, and detailed banking information would probably be categorized as High Impact.
In any industry, data can vary in its potential risk. Flight information, generally available to the public, may have a Low Impact risk if confidentiality is breached. That same data, however, may be considered a High Impact risk if modified or unavailable.
On the flip side, law enforcement agencies may use data from past crimes to forecast crimes in the future. If that data is unavailable, it may have negligible adverse effects. However, a loss of confidentiality could expose names, dates, forensic details, or more, resulting in severe adverse effects. Risk is distributed across a spectrum, and meticulous categorization is imperative.
Categorization requires more than competence
There are many factors to consider when determining FedRAMP impact levels. Correctly categorizing data is critical to ensuring adequate data protection and achieving FedRAMP Authority to Operate. Whether an organization should obtain FedRAMP authorization is sometimes ambiguous — and potentially problematic. In any case, data security categorization for the FedRAMP authorization process is complex and nuanced. Consulting with a Third Party Assessment Organization (3PAO) that is certified to assist Cloud Service Providers is strongly recommended to ensure that time and money allocated to ATO are wisely invested.
If you want to learn more about the FedRAMP authorization process, check out our FedRAMP Compliance Quickstart Guide.
If you’re ready to implement FedRAMP, we’re prepared to help.