Cloud computing has transformed the way that many businesses operate and manage their infrastructure. The federal government also recognizes the significant impact that the cloud can have on organizations and the information that they handle on a daily basis. To address security concerns surrounding cloud-based products and services, the Federal Risk and Authorization Management Program (FedRAMP) was established. This program was created to address the reliability and security of cloud services used by the federal government.
FedRAMP Moderate Impact Level
Before a cloud service offering (CSO) can be used by any federal agency, it must first demonstrate FedRAMP compliance. This refers to the organization’s ability to meet the government security requirements outlined in NIST 800-53, as supplemented by the FedRAMP Program Management Office (PMO). Compliance is demonstrated by acquiring a FedRAMP authorization, otherwise known as a FedRAMP Authority to Operate (ATO).
FedRAMP defines three impact levels: low, moderate and high. Low is the baseline; each higher level adds security controls and tighter restrictions. The level an organization must adhere to depends on the type of data that is to be processed, stored or transmitted, as well as the overall risk faced by the business.
The moderate impact level covers data that has not been made publicly available, such as personally identifiable information. This type of data is considered controlled unclassified information, and a cloud service offering at the FedRAMP moderate impact level must meet a total of 325 controls. These security controls let cloud service companies automate a wide range of risk detection and management functions, yielding a more secure system and better-protected data. Loss or exposure of moderate-level data could directly impact a business’s mission, disrupt operations and expose personnel files.
Moderate Impact Level Compliance
Businesses seeking FedRAMP moderate impact level compliance can achieve it by obtaining an agency ATO or a JAB P-ATO (Joint Authorization Board Provisional ATO). Either path is a rigorous process that requires significant time and resources. The organization must provide documentation showing that the proper security controls have been implemented. The cloud service provider (CSP) must first categorize its cloud service offerings in accordance with FIPS-199; the resulting impact level then determines which NIST 800-53 controls apply.
Once the documentation has been created and approved, a third-party assessment organization (3PAO) conducts an assessment, starting with a security assessment plan (SAP). The 3PAO tests the control implementation and produces a security assessment report (SAR), which is then reviewed and approved by the federal government. After achieving an ATO or JAB P-ATO, the CSP enters the continuous monitoring phase, which ensures that the controls continue to operate effectively.
Inquire About FedRAMP Compliance Services
Although meeting FedRAMP moderate impact level compliance requirements can be challenging, there is help available for organizations that are committed to the process. To learn more about FedRAMP compliance services or to schedule a consultation, contact SeaGlass Technology.