FedRAMP and FIPS-Defined Impact Levels
One of the first things a cloud service provider (CSP) needs to know when preparing for FedRAMP Authorization is the Impact Level it must meet. These levels are not informal labels that agencies attach to data to signal how important it is; they are categories defined by the National Institute of Standards and Technology (NIST) that determine which security requirements apply.
What Is an Impact Level?
Federal Information Processing Standard (FIPS) Publication 199, "Standards for Security Categorization of Federal Information and Information Systems," defines a set of security categories that express the potential harm from a breach of a federal IT system or the loss, corruption, or theft of federal data. The standard starts from the observation that, depending on the system and its context, compromise of the information it holds can have anything from a minor to a severe impact on federal agencies and the public they serve.
These categories are built on the three security objectives commonly known as the "CIA" triad:
- Confidentiality: Preserving authorized restrictions on who can access and disclose information, including protection of personal privacy and proprietary data. In practice this means an agency or partner can keep information unreadable or inaccessible to unauthorized users at every point in the data lifecycle (storage, transmission, use, destruction, etc.).
- Integrity: Guarding against improper modification or destruction of information as it is processed and used, so that it remains accurate and authentic. This covers both protecting data from tampering or deletion by unauthorized users and ensuring that the system's own applications and processes do not unintentionally alter or corrupt it to the point where it is unusable.
- Availability: Ensuring timely and reliable access to and use of information. Agencies and contract partners must be able to retrieve and use data for analytical and day-to-day business purposes, and the controls that protect confidentiality and integrity must not prevent that.
FIPS 199 rates each of these three objectives separately to categorize federal information and information systems. That category, in turn, drives how federal agencies and their contractors must secure their infrastructure, because FIPS 200 and NIST SP 800-53 translate it into a required baseline of controls.
FIPS 199 and Impact Levels
Using the CIA triad as a starting point, FIPS 199 defines three potential impact values (Low, Moderate, and High) that describe how severe the consequences of a breach would be. Each of the three objectives is rated independently, so a system might be Low for confidentiality but High for availability; under FIPS 200 the system's overall impact level is then the highest value among its three objectives (the "high water mark").
Note that some of the language used here is deliberately open-ended (significant, limited, etc.). This is intentional: it lets regulators and agencies apply the categorization method to their own systems and the way those systems are actually used.
That said, it is generally understood that the adverse impact of a breach of a federal system threatens specific stakeholders and operations, including:
- Agency Functioning: A breach may reduce an agency's ability to perform its duties. The effect can range from a limited, short outage of a service to a loss of functionality so severe that the agency can no longer operate as it did.
- Citizens and Privacy: A breach of a federal system may cause no harm at all to members of the public, or it may seriously threaten their privacy, finances, or physical safety, depending on the information compromised and the context in which it was stolen or damaged.
Questions of national security and defense generally fall outside this scheme: FIPS 199 does not apply to national security systems, so classified information (designated SECRET, for example) is governed by different regulations, technologies, and security requirements. Controlled Unclassified Information (CUI), by contrast, is not classified and is categorized under FIPS 199 like other federal information; the CUI rules in 32 CFR Part 2002 require it to be protected at no less than a Moderate confidentiality impact.
Low Impact Levels
A system falls under the Low impact level if the loss of confidentiality, integrity, or availability would have only a limited adverse effect on the agency or its constituents.
Generally speaking, a Low impact level applies where loss or theft of information could noticeably reduce the effectiveness of an agency's functions (without stopping them), cause minor damage to assets or minor financial loss, or result in minor harm to individuals.
In some cases, systems at the Low level hold data that is also available elsewhere and is therefore effectively public, so the confidentiality impact can even be rated "not applicable" (FIPS 199 permits this only for confidentiality). Integrity and availability still matter for such data: published information that is silently altered, or that becomes unavailable, can still be used maliciously or undermine the function the system supports.
Moderate Impact Levels
Federal IT systems fall under the Moderate impact level if the loss of confidentiality, integrity, or availability could have a serious adverse effect on an agency or its constituents.
A step up from Low, a Moderate designation means that the loss of any leg of the CIA triad could significantly degrade an agency's ability to function. The agency can still perform its primary functions, but their effectiveness is significantly reduced. The level also covers significant damage to organizational assets and significant financial loss.
Additionally, the data impact at this level could seriously affect federal employees’ and individuals’ financial or physical health or well-being. Information that may fall under this category may include personally identifiable information (PII) such as addresses, phone numbers, etc.
High Impact Levels
At the High impact level, the loss of data confidentiality, integrity, or availability would have a severe or catastrophic adverse effect on an agency and its constituents.
At this level, data loss or theft could cost an agency its mission capability: the agency may be able to perform only limited operations, or none at all, and one or more of its primary functions are lost for an extended period.
Likewise, the harm to individuals is considered severe at this level. Compromising High-impact information could lead to major damage to agency assets, major financial loss, or harm to the physical safety of individuals, up to and including serious injury or loss of life. Information often categorized at this level includes protected health information (PHI), law enforcement records, sensitive operational records, and information that supports emergency services.
FedRAMP Adoption of FIPS 199
Several federal standards build on the FIPS 199 impact model, most directly FIPS 200 and the NIST SP 800-53 control baselines, and the most prominent adopter for cloud services is FedRAMP. This government-wide program sets the security requirements, assessment process, and continuous-monitoring obligations that cloud service providers must meet to show that their offerings can protect the confidentiality, integrity, and availability of the federal information they handle.
The FedRAMP Authorization process involves close cooperation between a CSP and its federal agency customers. Agencies are responsible for categorizing their own IT systems and the data that will live in the cloud service, and that categorization determines the impact level a provider must be authorized at to host the data.
FedRAMP therefore ties the designated impact level directly to how much of NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations," a cloud provider must implement: each impact level maps to a baseline, and the higher the level, the larger the baseline. The counts below are FedRAMP's Rev 4 baselines; the Rev 5 baselines published in 2023 contain 156, 323, and 410 controls respectively.
- Low Impact: 125 Controls
- Moderate Impact: 325 Controls
- High Impact: 421 Controls
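The mechanics of turning per-objective ratings into a single FedRAMP level are simple but easy to get wrong, so the following is an added example (not code from the original article, NIST, or FedRAMP) that encodes the FIPS 199 aggregation rule and the FIPS 200 high-water mark: each objective of a system is rated at the highest impact of any information type it handles, and the overall level is the highest of the three objectives. The information types and their impact values are constructed assumptions for illustration, not provisional values from NIST SP 800-60; the control counts are the Rev 4 numbers quoted in the list above.

```python
"""FIPS 199 categorization plus the FIPS 200 high-water mark (added example)."""
from enum import IntEnum
from typing import Dict, Iterable

class Impact(IntEnum):
    NA = 0        # permitted only for confidentiality, and only for public information
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed information types with assumed impacts (illustrative only; real
# provisional values come from NIST SP 800-60 and the owning agency's own analysis).
INFO_TYPES: Dict[str, Dict[str, Impact]] = {
    "public_web_content": {"confidentiality": Impact.NA,
                           "integrity": Impact.MODERATE,
                           "availability": Impact.LOW},
    "citizen_pii":        {"confidentiality": Impact.MODERATE,
                           "integrity": Impact.MODERATE,
                           "availability": Impact.LOW},
    "dispatch_records":   {"confidentiality": Impact.MODERATE,
                           "integrity": Impact.HIGH,
                           "availability": Impact.HIGH},
}

# Control counts per FedRAMP baseline as quoted in the article (Rev 4 numbers).
BASELINE_CONTROLS = {Impact.LOW: 125, Impact.MODERATE: 325, Impact.HIGH: 421}


def validate_category(name: str, sc: Dict[str, Impact]) -> None:
    """Reject malformed categories: a missing objective, or NA outside confidentiality."""
    missing = [obj for obj in OBJECTIVES if obj not in sc]
    if missing:
        raise ValueError(f"{name}: missing objectives {missing}")
    for obj in ("integrity", "availability"):
        if sc[obj] is Impact.NA:
            raise ValueError(f"{name}: '{obj}' cannot be NA under FIPS 199")


def categorize_system(info_types: Iterable[str],
                      catalog: Dict[str, Dict[str, Impact]] = INFO_TYPES) -> Dict[str, Impact]:
    """Per-objective system category = highest impact across the information types it handles."""
    names = list(info_types)
    if not names:
        raise ValueError("a system must handle at least one information type")
    system_sc = {obj: Impact.NA for obj in OBJECTIVES}
    for name in names:
        sc = catalog[name]
        validate_category(name, sc)
        for obj in OBJECTIVES:
            system_sc[obj] = max(system_sc[obj], sc[obj])
    return system_sc


def high_water_mark(system_sc: Dict[str, Impact]) -> Impact:
    """FIPS 200 rule: the system's overall impact level is the highest of its three objectives."""
    return max(system_sc[obj] for obj in OBJECTIVES)


def fips199_notation(system_sc: Dict[str, Impact]) -> str:
    """Render the category in the SC = {(objective, impact), ...} notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {system_sc[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def select_baseline(level: Impact) -> int:
    """Number of SP 800-53 controls in the FedRAMP baseline for an overall level."""
    return BASELINE_CONTROLS[level]


if __name__ == "__main__":
    for system in (["public_web_content"], ["citizen_pii", "dispatch_records"]):
        sc = categorize_system(system)
        level = high_water_mark(sc)
        print(f"{system}: {fips199_notation(sc)} -> {level.name} "
              f"({select_baseline(level)} controls)")
```

Two things the example makes visible that the prose does not: a system that only serves public content still lands at Moderate, because its integrity rating drives the high-water mark even though its confidentiality is "not applicable"; and adding a single High-availability information type to an otherwise Moderate system pushes the whole system, and therefore the cloud provider hosting it, into the High baseline.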
Generally speaking, the impact level does not switch core security features on or off: a Low baseline still requires secure authentication, encryption, access control, logging, and the other fundamentals. What changes at higher levels is the number of controls and enhancements, the rigor of the practices around them, and the depth of evidence an assessor expects. A High authorization may, for example, demand stronger physical protection around cryptographic modules, hardware-based authenticators, or more frequent and extensive monitoring that a Low baseline does not.
Align Your Cloud Infrastructure with FIPS Impact Levels Using Continuum GRC
NIST 800-53 is a massive catalog of controls, and managing these controls over different Impact Levels as part of your FedRAMP authorization can be a major headache. It’s critical that you use modern reporting and assessment tools to quickly show you how your infrastructure aligns with FedRAMP requirements so that you can focus less on spreadsheets and more on running your business.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized compliance, risk management, and cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help you protect your systems and maintain compliance.