Developing a standardized approach for analyzing and choosing technology is important for any organization that wants to avoid incompatibility or functionality issues with software. For an organization the size of the United States federal government, the need for standardized protocols is even more crucial due to the large amounts of sensitive data which pass through a department on a daily basis.
In 2011, the Office of Management and Budget published a memorandum that established FedRAMP, which aimed to provide government departments with “a cost-effective, risk-based approach” for the use of cloud services.
Before FedRAMP, federal agencies had their own risk management and authorization standards, which led to discord between federal departments when it came to sharing data or providing access. With FedRAMP in control of all authorization, the speed at which officials in different departments can access data and create collaborative tools has improved, and cloud service providers can optimize security services to meet the criteria of one department instead of several.
Gaining FedRAMP certification is a must for cloud service providers, as without it, government agencies cannot use the service. FedRAMP officials work with service providers to ensure their technology adheres to National Institute of Standards and Technology certifications, alongside other criteria such as baseline security controls, end-to-end encryption, regular audits, and continuous monitoring reports.
The FedRAMP certification comprises six impact levels, each determined by the potential impact that data loss might have on “an agency’s ability to conduct its mission.” The first two levels are the “low impact level” and cover non-controlled, unclassified information with a low watermark for confidentiality, integrity, or availability.
The next impact level is “moderate impact” and covers around 80 percent of cloud service operators, in which data loss could have a serious to catastrophic impact on the agency’s ability to do its mission. At level five, additional controls are required for the cloud service operator to be compliant. The sixth level is for high-risk systems, such as defense, intelligence, healthcare, emergency services, and law enforcement.
Breaches at this level would be catastrophic and could put lives at risk. This classification requires cloud service operators to transmit data at a secret level, and the service should not be tied to any commercial offering that the operator provides.