Low, Moderate or High: What FedRAMP Impact Level is Right for You?
The Federal Risk and Authorization Management Program, or FedRAMP, has been around for nearly a decade. But with the dramatic rise of high-profile, cloud-based cyberattacks at a time when citizens’ reliance on technology has grown, cybersecurity has become top priority—even capturing the attention of the nation’s highest office as more organizations begin working with the public sector.
Achieving the FedRAMP certification is a requirement for organizations working with government agencies. FedRAMP is a necessary compliance framework to ensure the proper level of security is in place for cloud products and services. FedRAMP designates three impact levels: low, moderate and high, which, depending on data’s sensitivity, determine the minimum security requirements to achieve compliance. For organizations pursuing a FedRAMP certification, understanding the differences between each of these impact levels—and ultimately choosing the right one—is an imperative first step before undergoing the complex FedRAMP certification process.
FedRAMP certification has earned a reputation for being notoriously difficult to achieve, thanks to 14 separate laws and regulations and 19 standard and guidance documents (and more on the way as the result of new executive orders). To make sure organizations start FedRAMP compliance off on the right foot in order to meet the correct security requirements, they can turn to an experienced DevOps technology partner, to help them streamline the path to FedRAMP compliance.
Understanding FedRAMP’s security objectives
At their core, FedRAMP impact levels aim to ensure that organizations that provide technology services or work with government agencies meet the minimum security requirements to keep data safe. Designated by the Federal Information Processing Standard (FIPS) 199, the levels are based on the potential impact that certain adverse events (such as breaches) could have on the government—including its ability to accomplish its mission, protect its assets and individuals, fulfill its legal responsibilities and maintain its day-to-day functions.
In order to guide organizations to adopt the correct impact level that keeps data secure, FedRAMP bases compliance requirements on three security objectives:
- Confidentiality: Security means are in place to ensure personal privacy and proprietary information are protected during information access and disclosure.
- Integrity: Stored information is sufficiently guarded against modification or destruction.
- Availability: Information can be accessed in a reliable and timely manner.
FedRAMP levels explained
It is imperative for organizations to use FedRAMP’s security objectives to both understand and determine the proper impact level needed, as this is a critical first step to develop the right FedRAMP authorization with the correct security in place. Here’s a simplified explanation of each level to help organizations understand what designation they need for FedRAMP implementation.
- Low Impact
Low impact level is used in scenarios where the loss of confidentiality, integrity or availability of data would result only in limited adverse effects to an agency’s operations, assets or individuals. Low impact is applicable when systems do not need to store personal identifiable information (PII) beyond what is commonly needed to login—such as usernames, passwords or email addresses. Once PII is used or stored, organizations will most often need to go up to the next level.
- Moderate Impact
The moderate category is the most commonly used impact level, applying to 80% of FedRAMP authorization instances. Moderate impact level is necessary when the loss of confidentiality, integrity or availability would cause more serious adverse effects, such as a breach leaking citizens’ social security numbers or disclosing sensitive data relating to a public project. These effects could have a serious impact on an agency and result in operational damage, financial loss or individual harm (that is not loss of life or physical).
- High Impact
High impact data is the top level of protection necessary for the government’s most sensitive and critical services—such as security or law enforcement, financial systems or healthcare. FedRAMP introduced this highest baseline to account for sensitive, but still unclassified, government data in cloud computing environments that involves the protection of life and financial ruin.
Streamline security and compliance with a FedRAMP-authorized technology partner
Understanding the necessary FedRAMP impact level is but one step on the complex and time-consuming process to achieve FedRAMP compliance. But as the government’s reliance on technology grows, and more organizations begin working with federal agencies, the number of organizations needing to be FedRAMP authorized will only continue to grow.
To more effectively partner with government agencies, organizations should look to an experienced, FedRAMP-authorized technology partner. For example, Contegix’s team of experts can streamline the path to FedRAMP compliance: beginning with choosing the right impact level, taking on the heavy lifting of creating compliant cloud environments and providing ongoing compliance management and support as prerogatives change and requirements evolve.
In doing so, developers and operations teams can find peace of mind that FedRAMP compliance is maintained now and in the future, so they can stay focused on more strategic priorities, such as improving application performance and features. No matter if they need the lowest FedRAMP impact level or the highest, with Contegix, organizations receive the expertise and hands-on support needed to reduce the burden of achieving FedRAMP compliance while running highly available, secure and cost-effective environments.
Atlassian and FedRAMP
Working with a FedRAMP-authorized partner for your Atlassian needs will allow your team to satisfy operation and logical controls that frequently become burdensome for internal IT. Contegix is the only Atlassian Platinum partner and Government Verified Partner that offers managed FedRAMP compliant hosting platforms.
Certified compliance processes assure you will receive the highest level of support for Physical Access Controls, Logical Access Controls, Network Access Controls, and general security policy requirements. All of this means that your team will be able to spend more time using your Atlassian tools and less time managing compliance and security.
Learn more about partnering with Contegix on FedRAMP security and compliance.