FedRAMP High Impact Level and Unique NIST Controls
In the era of digitization, the security of cloud services, particularly those serving federal agencies, is paramount. The government uses the Federal Risk and Authorization Management Program (FedRAMP) to ensure cloud services meet stringent security standards that protect federal data.
This article will dig into the intricacies of the FedRAMP High Impact Level and its relevance for different organizations. Whether you are a federal agency, a CSP, or a government contractor, understanding the FedRAMP High Impact Level is crucial to navigating the evolving landscape of cloud security.
What Is FedRAMP High Impact Authorization?
FedRAMP authorizations are divided into three impact levels based on the data sensitivity: Low, Moderate, and High.
The High Impact level applies to systems where a loss of confidentiality, integrity, or availability would have a severe or catastrophic adverse effect on organizational operations, assets, or individuals. In practice this means mission-critical systems and highly sensitive data such as law enforcement, emergency services, financial, and health records, including Personally Identifiable Information (PII) and Protected Health Information (PHI).
Accordingly, this level requires the most stringent security measures and controls. To achieve FedRAMP High authorization, a CSP must implement the 421 security controls defined in the High Impact baseline and have that implementation independently assessed.
What Organizations Should Meet FedRAMP High Authorization?
FedRAMP High authorization is relevant to any organization that provides cloud services to a U.S. federal government agency and handles highly sensitive data. While it primarily applies to CSPs intending to work with federal agencies, it also relates to federal agencies themselves, as they must use FedRAMP-authorized services for their cloud-based IT needs.
Here are examples of organizations that might need FedRAMP High Impact authorization:
- Federal Agencies: All U.S. federal agencies are required to use FedRAMP-authorized CSPs for their cloud-based IT needs. When these agencies handle high-impact data (law enforcement, financial, Protected Health Information, etc.), they must ensure that their CSP holds a FedRAMP High Impact authorization.
- Cloud Service Providers: Any CSP wanting to serve federal agencies that handle high-impact data must achieve FedRAMP High Impact authorization. This applies to Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) providers alike.
- Government Contractors: Companies that deliver services to federal agencies and rely on third-party cloud technology to do so must likewise use FedRAMP-authorized systems wherever federal data is involved.
While FedRAMP High Impact is designed explicitly for organizations dealing with the federal government, its rigorous security standards can benefit any organization dealing with sensitive data, even in the private sector.
What Is FedRAMP’s Relationship with the National Institute of Standards and Technology (NIST)?
FedRAMP’s security assessment framework is based on NIST SP 800-53, the catalog of security and privacy controls for federal information systems and organizations. NIST SP 800-53 defines the controls that federal information systems implement to meet the requirements of the Federal Information Security Modernization Act (FISMA).
In the context of FedRAMP, NIST 800-53 provides the set of controls used to secure cloud services and protect federal information. FedRAMP packages these controls into different baselines depending on the system’s impact level.
The FedRAMP High baseline includes 421 controls from NIST SP 800-53 Revision 4 (the Revision 5 baseline released in May 2023 trims this to 410), and it contains every control in the Low and Moderate baselines. CSPs must implement these controls and have the implementation assessed by an independent third-party assessment organization (3PAO) to obtain the corresponding FedRAMP authorization.
With over four hundred controls required for compliance, it is clear that High Impact authorization demands a far more advanced security posture.
What Are Some Unique Controls Included in FedRAMP High Impact?
Under the Revision 4 baselines there is a gap of 96 controls between FedRAMP High and Moderate and almost 300 between High and Low. Much of that gap consists of control enhancements that tighten controls already present at lower levels rather than entirely new control families, so it is worth noting the areas where High Impact requires finer attention to detail.
This list is not exhaustive. Instead, we focus on some control families where the High Impact requirements introduce a significant number of additional controls or enhancements:
Wireless Access (AC-18)
High Impact authorization adds several wireless requirements to the CSP’s plate. These include:
- Disable Wireless Networking: Wireless networking capabilities embedded in system components must be disabled before issuance and deployment unless they are intended for use.
- Restrict Configuration By Users: The organization must identify and explicitly authorize the users allowed to configure wireless networking capabilities; everyone else is denied that ability.
- Antennas and Transmission Power Levels: Radio antennas must be selected and transmission power levels calibrated to reduce the probability that signals from wireless access points can be received outside the organization’s controlled boundaries.
Audit Record Review, Analysis, and Reporting (AU-06)
The High Impact Level adds several significant requirements regarding the analysis and reporting of audit records. These include:
- Centralized, Integrated Audit Review: Organizations must provide a capability to centrally review and analyze audit records from multiple system components, and integrate that analysis with other data sources such as vulnerability scan results, performance data, and system monitoring information. A SIEM is the usual way to meet this, though the control does not mandate any specific tool.
- Correlation with Physical Monitoring: Information from audit records must be correlated with information obtained from physical monitoring of access to facilities, so that, for example, a console logon in a data center can be checked against badge records.
- Permitted Actions: The organization must specify the permitted actions for each process, role, or user associated with reviewing, analyzing, and reporting audit record information.
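The correlation with physical monitoring described above is easiest to see in code. The following is an added example written for this article, not code from any FedRAMP artifact or from the author: it joins console logons from a system audit log with badge-reader records and flags console sessions for which no matching physical presence exists. The users, sites, hosts, timestamps, and the five-minute clock grace period are all constructed for illustration.

```python
"""Correlate console logons with physical badge records (AU-6 correlation).

Added example; the records below are constructed and the site/host/user
names are hypothetical. Both sources are assumed to be centralized already
and normalized to the same clock.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    site: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    host: str
    site: str        # site where the host's console physically sits
    logon_type: str  # "console" or "remote"


def build_presence(badges):
    """Turn badge in/out events into {(user, site): [(enter, leave_or_None), ...]}."""
    presence = {}
    open_entry = {}
    for b in sorted(badges, key=lambda e: e.ts):
        key = (b.user, b.site)
        if b.direction == "in":
            open_entry[key] = b.ts
        elif b.direction == "out" and key in open_entry:
            presence.setdefault(key, []).append((open_entry.pop(key), b.ts))
    for key, start in open_entry.items():  # still inside: interval is open-ended
        presence.setdefault(key, []).append((start, None))
    return presence


def present_at(presence, user, site, ts, grace=timedelta(minutes=5)):
    """True if the badge data puts `user` inside `site` at time `ts` (with clock grace)."""
    for start, end in presence.get((user, site), []):
        if start - grace <= ts and (end is None or ts <= end + grace):
            return True
    return False


def correlate_console_logons(logons, badges):
    """Return (logon, reason) pairs for console logons with no matching physical presence."""
    presence = build_presence(badges)
    findings = []
    for logon in sorted(logons, key=lambda e: e.ts):
        if logon.logon_type != "console":
            continue  # remote sessions legitimately occur without a badge record
        if not present_at(presence, logon.user, logon.site, logon.ts):
            if (logon.user, logon.site) not in presence:
                reason = "no badge record"
            else:
                reason = "logon outside badged interval"
            findings.append((logon, reason))
    return findings


def T(hhmm):
    """Constructed timestamp on a single illustrative day."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2023, 5, 1, hour, minute)


# Constructed badge-reader records.
SAMPLE_BADGES = [
    BadgeEvent(T("08:55"), "alice", "DC-1", "in"),
    BadgeEvent(T("17:10"), "alice", "DC-1", "out"),
    BadgeEvent(T("09:00"), "bob", "DC-2", "in"),  # no badge-out yet
]

# Constructed logon audit records.
SAMPLE_LOGONS = [
    LogonEvent(T("09:02"), "alice", "dc1-mgmt-01", "DC-1", "console"),  # badged in: fine
    LogonEvent(T("10:15"), "carol", "dc1-mgmt-02", "DC-1", "console"),  # never badged in
    LogonEvent(T("11:00"), "carol", "vpn-gw", "DC-1", "remote"),        # remote: not checked
    LogonEvent(T("13:20"), "bob", "dc2-mgmt-03", "DC-2", "console"),    # open interval: fine
    LogonEvent(T("20:00"), "alice", "dc1-mgmt-01", "DC-1", "console"),  # after badge-out
]

if __name__ == "__main__":
    for logon, reason in correlate_console_logons(SAMPLE_LOGONS, SAMPLE_BADGES):
        print(f"{logon.ts:%H:%M} {logon.user}@{logon.host} ({logon.site}): {reason}")
```

Run as a script it reports carol’s 10:15 console logon (no badge record) and alice’s 20:00 logon (outside her badged interval); bob’s open-ended badge interval and carol’s remote session are not flagged. In a real deployment the two feeds would come from the SIEM, and the grace period would be tuned to the clock skew and the badge reader’s distance from the console.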
Configuration Change Controls (CM-03)
Configuration management controls ensure that users, malicious or otherwise, cannot haphazardly change settings in ways that weaken or damage a system.
Some of the additions that come into play at the High Impact Level include:
- Documenting and Managing Changes: Organizations must use automated mechanisms to document proposed changes, notify designated approval authorities, highlight changes that have not yet been reviewed, prohibit changes until the required approvals are received, document completed changes, and notify personnel when approved changes are complete.
- Roles: Security and privacy representatives must be members of the configuration change control element (for example, the change control board) so that the security and privacy impact of each change is assessed before it is approved.
- Cryptography: Cryptographic mechanisms that provide security safeguards (certificates, keys, cipher configurations, and the like) must themselves be placed under the configuration management process outlined in CM-03.
Incident Handling (IR-04)
Incident handling refers to the organization’s capability to respond to security incidents and to contain, mitigate, and remediate them promptly. Some of the more advanced capabilities expected at the High Impact Level include:
- Dynamic Reconfiguration: Systems should include the ability to dynamically reconfigure components such as router rules, access control lists, intrusion detection parameters, and filter rules in response to an incident, so that threats can be isolated quickly.
- Continuity: The organization must identify classes of incidents and predefine the actions taken in response to each (graceful degradation, system shutdown, fallback to manual mode or alternative technology, isolation) so that missions and business functions can continue safely.
- Information Correlation: The organization must be able to correlate incident information and individual incident responses from multiple sources to determine the source, scale, and scope of an attack or vulnerability. This includes correlating information from both internal and external sources as necessary.
System and Services Acquisition (SA)
Some of the most critical decisions an organization makes concern acquiring third-party services, including software, infrastructure, and managed services. Requirements that come with the High Impact Level include:
- Development Documentation and Standards: Organizations working with third-party suppliers must have a process to vet the product for security issues. This means requiring vendors to follow a documented development process, to provide documentation, and to undergo reviews and audits of their tool configurations, development standards, and change management.
- Training: The organization must require the developer of a system, component, or service to provide training on the correct use and operation of the implemented security and privacy functions and mechanisms.
- Architecture: The organization must require the developer to produce a design specification and security architecture that is consistent with the organization’s own security architecture, describes how the required security functionality is achieved, and shows how the individual security functions work together to provide the required protections.
System Monitoring (SI-04)
Organizations meeting FedRAMP requirements must be able to monitor systems for potential or ongoing threats so they can be mitigated and remediated. At the High Impact Level, several advanced controls apply, including:
- Traffic Analysis: Outbound communications traffic must be analyzed at external interfaces and at selected interior points within the system to detect covert exfiltration of information.
- Risk and Privilege: Additional monitoring must be applied to individuals identified as posing an increased level of risk, and privileged users must receive expanded monitoring, since they hold the access most valuable to an attacker or a malicious insider.
- Unauthorized Services: The organization must detect network services that have not been authorized or approved through its authorization process, and audit or alert on them.
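To make the traffic-analysis requirement concrete, here is an added example (written for this article, not taken from any FedRAMP guidance or from the author) of two checks an analyst might run over flow and DNS records collected at an interior monitoring point: per-host outbound volume to destinations outside the approved egress list, and DNS queries whose leftmost label is long and high-entropy, a common signature of DNS tunneling. The flow and DNS records, the addresses (RFC 5737 documentation ranges), and the thresholds are all constructed for illustration.

```python
"""Outbound traffic analysis for covert exfiltration (SI-4 style).

Added example; the records, addresses, and thresholds are constructed.
"""
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits of entropy per character of `s` (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_bulk_egress(flows, approved_egress, threshold_bytes):
    """Sum outbound bytes per (src, dst) to non-approved destinations; return pairs over threshold."""
    totals = defaultdict(int)
    for f in flows:
        if f["dst"] in approved_egress:
            continue  # sanctioned egress (patch mirrors, SaaS endpoints, ...)
        totals[(f["src"], f["dst"])] += f["bytes_out"]
    return sorted((src, dst, b) for (src, dst), b in totals.items() if b >= threshold_bytes)


def flag_dns_tunneling(queries, min_label_len=30, min_entropy=3.5):
    """Flag queries whose leftmost label is long and high-entropy (tunneling signature)."""
    hits = []
    for q in queries:
        first_label = q["qname"].rstrip(".").split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            hits.append((q["src"], q["qname"]))
    return hits


# Constructed approved-egress list (e.g. a patch mirror and a sanctioned SaaS endpoint).
APPROVED_EGRESS = {"203.0.113.10", "198.51.100.5"}

# Constructed flow records from an interior tap.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 443, "bytes_out": 50_000_000},  # approved
    {"src": "10.1.2.3", "dst": "192.0.2.44", "dport": 443, "bytes_out": 30_000_000},    # unapproved
    {"src": "10.1.2.3", "dst": "192.0.2.44", "dport": 443, "bytes_out": 10_000_000},    # same pair
    {"src": "10.1.2.9", "dst": "192.0.2.77", "dport": 22, "bytes_out": 1_000_000},      # small
]

# Constructed DNS query log; the long hex label is the tunneling case, the
# long run of "a"s shows why length alone is not enough.
SAMPLE_DNS = [
    {"src": "10.1.2.9", "qname": "www.example.gov"},
    {"src": "10.1.2.3", "qname": "4f2a9c7e1b3d8f0a6c5e2b9d7f1a3c8e0b4d6f2a.tunnel.example"},
    {"src": "10.1.2.9", "qname": "updates.vendor.example"},
    {"src": "10.1.2.9", "qname": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example"},
]

if __name__ == "__main__":
    for src, dst, total in flag_bulk_egress(SAMPLE_FLOWS, APPROVED_EGRESS, 25_000_000):
        print(f"bulk egress: {src} -> {dst} {total} bytes")
    for src, qname in flag_dns_tunneling(SAMPLE_DNS):
        print(f"possible DNS tunnel: {src} queried {qname}")
```

The volume check reports 10.1.2.3 sending 40 MB to 192.0.2.44 while ignoring the larger but sanctioned transfer to the patch mirror; the DNS check flags only the hex-encoded label, not the equally long but zero-entropy run of repeated characters. Thresholds like 25 MB and 3.5 bits are starting points that must be baselined against each environment’s normal traffic before they are used for alerting.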
Trust an Experienced FedRAMP 3PAO in Lazarus Alliance
Are you getting ready for FedRAMP authorization? Looking for a trusted 3PAO who knows federal requirements and regulations like the back of their hand? Tired of shopping for security agencies that can only meet some of your IT and compliance needs? Then work with Lazarus Alliance.