By Greg Kent, Senior Vice President, CTO
FedRAMP has control baselines for low, moderate, and high impact systems. The appropriate baseline, and therefore the particular control requirements that apply, depend on the system impact level or categorization. The FedRAMP impact level or categorization of a system is determined by formal process defined by FIPS Publication 199 and NIST SP 800-60.
FIPS Publication 199 defines the overall approach for Federal agencies to follow to determine the security impact level of a system, which is also referred to as the system’s security categorization. The impact level is based on a number of factors, including the “effect on organizational operations, organizational assets, or individuals,” the extent of “degradation in mission capability” and “the agency’s ability to perform its primary function,” and the extent of “damage to assets,” “financial loss,” or “harm to individuals.” The chart below summarizes the organizational effects associated with low, moderate, and high impacts.
|Effect on agency operations, assets, and individuals
||Limited adverse effect
||Serious adverse effect
||Severe or catastrophic adverse effect
|Effect on the agency’s mission capability
||Degradation that noticeably reduces effectiveness but the agency can still perform its primary functions
||Significant degradation that significantly reduces effectiveness but the agency can still perform its primary functions
||Severe degradation or loss that makes the agency unable to perform one or more of its primary functions
|Extent of damage to the agency’s assets and financial loss
|Extent of harm to individuals
||Significant but no loss of life or serious life-threatening injuries
||Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries
The FIPS 199 process entails assessing the potential impact on an agency or individuals if a breach of security were to occur related to a loss of confidentiality, integrity, or availability. Potential impacts are individually assessed for confidentiality, integrity, and availability (CIA), and the highest impact among those three security objectives (often referred to as “the high-water mark”) determines the security categorization of the system. That means that a system has a low impact if and only if the confidentiality, integrity, and availability impacts are all low. But if any impact is moderate, then the system must be categorized as a moderate impact system. Similarly, if any CIA impact is high, then a system is categorized as high impact.
The process defined by FIPS 199 makes sense, but it is rather theoretical and subjective. For example, what exactly is the difference between a “significant” financial loss and a “major” financial loss? It’s hard to ensure consistent, reliable categorizations across systems with such qualitative descriptions of impact levels.
NIST SP 800-60
To provide a more grounded, consistent approach for applying FIPS 199 to particular systems, NIST published Special Publication 800-60. The 800-60 process involves categorizing a system by the impact level of the particular data involved. Volume 2 of this publication provides initial impact ratings for confidentiality, integrity, and availability for various types of data that is commonly used in Federal information systems. For example, section C.3.4.4 pertains to information about services acquisition. Such information is used to oversee or manage contracts and services provided to the Federal Government by the private sector. For this type of data, NIST has assigned an initial (or provisional) impact level of low for confidentiality, low for integrity, and low for availability. NIST also identifies “special factors” that would lead agencies to increase the assessed impact levels above that provisional level. For example, if the particular service acquisition information in question could be used by malicious parties to commit a crime or cause harm, or if the acquisition information involves proprietary business information that could harm private enterprises, then NIST guidance suggests that the confidentiality impact level should be raised to moderate or even high. Similarly, if the service acquisition information is used to grant an award such that data corruption could disrupt the procurement of services, then the impact level should be raised to moderate or even high.
To determine the system categorization for FedRAMP, Cloud Service Providers (CSPs) have to follow the NIST SP 800-60 process in order to anticipate the system impact level that their customer agencies will use. This means CSPs need to (1) identify all of the SP 800-60 volume 2 data types involved in the system, (2) determine the provisional impact levels for those data types for CIA, and (3) adjust the provisional impact levels after factoring in “special factors” and other considerations. When adjusted impact levels have been defined for all data types related to the system, then the highest impact level assigned to any data type must be selected as the system categorization. For example, a SaaS that stores, processes, or transmits services acquisition information would have to follow the guidance from SP 800-60, volume 2, section C.3.4.4. That means that a cloud service should be rated as a low impact system only if these “special factors” identified by NIST were not relevant so that the provisional impact levels for confidentiality, integrity, and availability all remained low impact. If the “special factors” were relevant to the data stored, processed, or transmitted by the cloud service, then the system categorization would either be moderate or high impact.
Documenting Information Types and Impact Levels
The System Security Plan (SSP) templates are the main documents that CSPs need to use to capture information about the cloud system and the controls that are implemented. Information about the system categorization, data types, and impact levels are recorded in SSP Section 2 and Attachment 10. In Attachment 10, Table 15-9 is used to record the provisional impact levels (from NIST SP 800-60) for each information type, the final selected impact levels for CIA, and the rationale for the adjustment. Table 2-2 is used to document the information types based on NIST SP 800-60 that relate to the system and the selected confidentiality, integrity, and availability impact ratings, as documented in Table 15-9. The highest rating for each security objective is then documented in Table 2-3, and the highest impact level is recorded in Table 2-4 and Table 2-1 as the overall system security categorization.
Communication with Agency Customers
CSPs performing this analysis to determine the system categorization need to remember that it is ultimately their customer agencies who will determine the risk level of the system. This is especially important when adjustments are made to the provisional impact levels. CSPs should anticipate how their customer agencies will adjust the impact levels, which of course means that CSPs should discuss impact levels with potential client agencies. Transparency between CSPs and their customer agencies is critical for ensuring that system is properly categorized to meet the need of those agencies. Ultimately, it is the Federal agency customer that determines the impact level or categorization of the system based on the data that is stored, processed, or transmitted within it. Because the data belongs to the Federal agency customer, their assessment of the impact is the only one that matters.
Not sure where to begin? SecureIT is a trusted security, audit and compliance firm with certified cybersecurity professionals that provide practical, efficient solutions. If you’re planning a FedRAMP authorization effort and want an advisor to help ensure your success, please contact us. We’d love to talk and show you how we can help