The Federal Information Security Modernization Act of 2002 (FISMA) requires all federal agencies and their contractors to implement security standards for information, assets, and systems used in their operations. The National Institute of Standards and Technology (NIST) is the government agency that develops and publishes standards for technologies, including privacy and security controls required for safeguarding federal data (except those related to national security) and ensuring compliance with FISMA.
NIST Special Publication 800-53 details specific requirements that federal agencies and third-party contractors must follow if they store, share, or transmit federal data. The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security for Cloud Service Providers (CSPs) that store or transmit federal data.
To work with government agencies, all CSPs (including SaaS, IaaS, and PaaS providers) must obtain FedRAMP authorization. Google Workspace, Hootsuite, Workday, Salesforce, GitHub, ServiceNow, and Microsoft are some of the CSPs authorized by FedRAMP. CSPs must demonstrate compliance with NIST security requirements to obtain FedRAMP Authority to Operate (ATO).
FedRAMP authorization is a comprehensive process, and CSPs must determine which authorization is appropriate for their business needs. A critical first step toward achieving FedRAMP Authority to Operate is the comprehensive categorization of federal data stored or transmitted, and a worst-case scenario impact should that data be compromised. CSPs should align security categories with impact levels based on three security objectives:
1. Confidentiality
Data must be safeguarded to protect personal privacy and proprietary information. For example, if a physician stores a patient’s data, that data should only be accessible to the patient, not to their acquaintances or friends, unless specific approval is given. Unauthorized access to information constitutes a loss of confidentiality.
2. Integrity
Data must be protected from alteration or destruction, whether intentional or accidental. If the doctor mentioned above sends an email to a patient containing lab results, the email and lab results must be delivered as the doctor intended. If an unauthorized individual or entity intercepts and alters email or lab results, the integrity of data is compromised.
3. Availability
Information should be readily available and accessible. The data is considered unavailable if the doctor does not get the patient’s lab results in a timely manner.
Proper categorization is important and helps organizations understand the work required to achieve FedRAMP authorization. Although the responsibility of determining data criticality rests with the organization, NIST provides guidelines for safeguarding data and IT assets.
Risk Impact Levels
Low Impact
There are two security baselines for Low Impact data — Low Baseline and LI-SaaS Baseline.
A Low Impact The level is appropriate when loss of confidentiality, integrity, and availability may result limited adverse effects to an agency’s operations, assets, or individuals. These effects may include minor financial loss and damage to assets.
LI-SaaS Baseline is a customized version of Low Impact, developed to support low-cost, low-risk industrial solutions used by agencies. LI-SaaS Baseline is suitable for providers that do not store personally identifiable information (PII) other than login credentials. Permission is streamlined to only the most relevant controls.
Publicly available data is often designated as Low Impact danger.
Medium Effect
A Moderate Impact level is appropriate where loss of confidentiality, integrity, and availability may lead to serious adverse effects to an agency’s operations, assets, or individuals. These effects may include significant operational damage to agency assets, financial loss, or personal injury, but not loss of life. Almost 80% of CSP applications are for Authority to Operate in the Moderate Impact category.
IP addresses and personally identifiable data are often assigned as Medium Effect.
High Impact
The High Impact level generally includes hospitals, law enforcement, banks, and emergency services, where loss of confidentiality, integrity, and availability could result in serious or catastrophic adverse effects to an agency’s operations, assets, or individuals. These effects can include loss of mission capabilities, damage to agency assets, financial loss, and loss of life.
Critical infrastructure, emergency services, and law enforcement data are often designated as High Impact.
Mapping Data to Risk Impact Levels
Federal Information Processing Standards (FIPS) 199 uses the scenario of a power plant distributing electricity to a military installation. The power plant uses a Supervisory Control and Data Acquisition (SCADA) system, including sensors. Power plant management made the following decisions:
- For sensor data collected by the SCADA system:
- Loss of confidentiality will result in limited adverse effects or Low Impact
- Loss of integrity will result in severe or catastrophic adverse effects or High Impact
- Loss of usability will also result in severe or catastrophic adverse effects or High Impact
- For administrative information processed by the SCADA system:
- Loss of confidentiality will result in limited adverse effects or Low Impact
- Loss of integrity will result in limited adverse effects or Low Impact
- Loss of usability will also result in limited adverse effects or Low Impact
| Data type | Confidentiality | Integrity | Availability |
| Sensor data | L | H | H |
| Administrative data | L | L | L |
To summarize, there is likely to be a breach of administrative data security limited adverse effects. Conversely, there may be a security breach in the sensor data serious o catastrophic adverse effect, including loss of life, financial data, and assets. Using the principle of maximum potential impact (or worst-case scenario) to determine the level of security, the highest type of impact data — the “high-water mark” — determines the resulting security category. In the case of power plant, the category is High Impact.
In a public university setting, course descriptions, class requirements, and department directories are likely to be considered Low Impact because they are typically publicly available data. Budgets, contracts, and moderate risk intellectual property may fall into the Moderate Impact category. At the same time, sensitive research data, Social Security numbers, and detailed banking information are likely to be categorized as High Impact.
In any industry, data can vary in its potential risk. Flight information, which is generally available to the public, may have a Low Impact risk if confidentiality is breached. The same data, however, can be considered a High Impact risk if modified or unavailable.
On the other hand, law enforcement agencies can use data from past crimes to predict future crimes. If that data is not available, it can have some adverse effects. However, loss of confidentiality may expose names, dates, forensic details, or more, resulting in severe adverse effects. Risk is distributed on a spectrum, and careful categorization is necessary.
Category Requires More than Ability
There are many factors to consider when determining FedRAMP impact levels. Proper categorization of data is essential to ensuring adequate data protection and achieving FedRAMP Authority to Operate. Whether an organization must obtain FedRAMP authorization is sometimes ambiguous — and potentially problematic. In any case, the data security categorization for the FedRAMP authorization process is complex and nuanced. Consulting a Third Party Assessment Organization (3PAO) certified to assist Cloud Service Providers is highly recommended to ensure that the time and money allocated to the ATO is well invested.
If you want to learn more about the FedRAMP authorization process, check out our FedRAMP Compliance Quick Start Guide.
If you’re ready to implement FedRAMP, we’re ready to help.
The post Determining FedRAMP Risk Impact Levels and Data Security Categories appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof written by the Hyperproof Team. Read the original post at: https://hyperproof.io/resource/determining-fedramp-risk-impact-levels-and-data-security-categories/