FedRAMP logo and checklist graphic, courtesy of the FedRAMP blog.
When selecting cloud software, choosing a solution that has earned FedRAMP High certification gives you assurance that rigorous security measures have been assessed and met, and that your stored data is being properly protected both by the software and by the team behind it.
This article will discuss FedRAMP High certification and its value, including:
- What FedRAMP High is, and which industries are impacted
- What the FedRAMP High standards are, including:
  - The 17 security control families to meet for this certification
- Why FedRAMP High is valuable
- How to find a FedRAMP-certified solution
What is FedRAMP Level High, and what makes it different?
What is FedRAMP?
The goal of FedRAMP is to increase the use of secure cloud technology by government agencies. Previously, each federal agency had to complete its own lengthy investigation before implementing new software.
FedRAMP assesses cloud software against the National Institute of Standards and Technology (NIST) Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53). This assessment ensures that each Cloud Service Provider (CSP) is taking appropriate security measures within both its software and its operations. After a thorough assessment and authorization process, the software is certified and listed in the FedRAMP Marketplace. This lets the federal government accelerate its adoption of secure cloud computing in a more efficient, cost-effective and risk-averse way.
What does ‘High’ mean? What differentiates FedRAMP levels?
FedRAMP follows Federal Information Processing Standard (FIPS) 199, which sets the standard for categorizing information and information systems. FIPS 199 defines three impact levels (Low, Moderate and High) for each of three security objectives: Confidentiality, Integrity and Availability.
These levels correlate with data impact. The FedRAMP site describes FedRAMP Low as ‘most appropriate for [organizations] where loss of any of the three security measures would have limited adverse effect on the agency’s operations, assets or individuals.’
Meanwhile, for High Impact industries, any loss of confidentiality, integrity or availability of their data would have a severe or catastrophic adverse effect on the organization, its employees, clients and/or patients.
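The impact levels above are applied per security objective, and FIPS 199 categorizes a whole system by the "high-water mark": for each objective, take the highest impact across every information type the system handles, and the system's overall impact level is the highest of those three. FedRAMP's Low, Moderate and High baselines correspond to that overall level. The following is an added worked example of that categorization rule, not code from the original article or from any FedRAMP or NIST publication; the information types and their ratings are constructed for illustration.

```python
# Added example (not from the original article): FIPS 199 security
# categorization using the high-water mark rule.
#
# FIPS 199 expresses a security category as one impact level per objective:
#   SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
# A system handling several information types takes, per objective, the
# highest impact among them; the overall level is the highest of the three.
# The sample information types below are constructed, not real agency data.

from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class SecurityCategory:
    """Impact level for each of the three FIPS 199 security objectives."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for value in (self.confidentiality, self.integrity, self.availability):
            if value not in RANK:
                raise ValueError(f"unknown impact level: {value!r}")


def high_water_mark(*levels):
    """Return the highest impact level among the given levels."""
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types):
    """Aggregate the categories of every information type a system handles.

    info_types maps an information-type name to its SecurityCategory.
    Each objective is rated at the highest impact seen across all types.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    cats = list(info_types.values())
    return SecurityCategory(
        confidentiality=high_water_mark(*(c.confidentiality for c in cats)),
        integrity=high_water_mark(*(c.integrity for c in cats)),
        availability=high_water_mark(*(c.availability for c in cats)),
    )


def overall_impact(category):
    """Overall FIPS 199 impact level: the high-water mark across objectives."""
    return high_water_mark(
        category.confidentiality, category.integrity, category.availability
    )


def fedramp_baseline(category):
    """Name the FedRAMP baseline (Low, Moderate or High) matching the
    system's overall FIPS 199 impact level."""
    names = {"LOW": "FedRAMP Low", "MODERATE": "FedRAMP Moderate", "HIGH": "FedRAMP High"}
    return names[overall_impact(category)]


# Constructed sample: a records system holding three kinds of information.
SAMPLE_SYSTEM = {
    "public_press_releases": SecurityCategory("LOW", "LOW", "LOW"),
    "internal_case_files": SecurityCategory("MODERATE", "MODERATE", "LOW"),
    "law_enforcement_evidence": SecurityCategory("HIGH", "HIGH", "MODERATE"),
}

if __name__ == "__main__":
    system_category = categorize_system(SAMPLE_SYSTEM)
    print("per-objective:", system_category)
    print("overall:", overall_impact(system_category))
    print("baseline:", fedramp_baseline(system_category))
```

Note that a single High rating on one objective of one information type is enough to pull the whole system into the High baseline, which is why the High baseline carries the most controls: it must cover every lower-impact type the system also stores.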
Which industries require FedRAMP High?
High Impact Level industries include a variety of federal government agencies, such as law enforcement, healthcare and financial agencies, and any other organization holding sensitive data that requires a stringent level of security.
Indeed, because of the comprehensive controls that must be met (see the next section), the FedRAMP High level of certification is one of the highest security standards a cloud solution can achieve.
FedRAMP High also creates an umbrella certification for every level, meaning that it’s the highest certification for FedRAMP and provides coverage for both Low and Moderate Impact level industries that desire an extra level of protection and compliance.
What are the FedRAMP High standards? The 17 security control categories
To reach full FedRAMP High authorization, a CSP must undergo several assessments and a thorough authorization process, followed by continuous monitoring to ensure that over 400 security controls remain in place. These controls fall under the 17 control families listed below. More information on each family can be found in the FedRAMP System Security Plan (SSP) template.
The 17 FedRAMP High Control Categories:
- Access Control
- Proper Security Awareness & Training
- Audit and Accountability
- Security Assessments (both internal and external)
- Contingency Planning
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Physical and Environmental
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communication Protection
- System and Information Integrity
(The two families of the 17 not listed above are Maintenance and Planning; both are part of the NIST SP 800-53 family set that FedRAMP assesses against.)
Why is FedRAMP High valuable?
As mentioned, FedRAMP High provides a standardized approach for assessing and certifying cloud service providers whose security measures meet a certifiable standard. This:
- Bridges high impact industries with highly secure cloud technologies and their providers
- Allows government and other high impact organizations to find protective cloud software more efficiently
- Reduces repetition, extra costs or inconsistencies that could occur with individualized investigation processes
- Promotes transparency of security protocols and innovation by CSPs
- Gets agencies ready for the upcoming Presidential Mandate M-19-21, under which NARA requires federal agencies to manage and maintain all their permanent records and metadata in electronic format by the end of 2022. FedRAMP High is the stamp of security approval that can accelerate an agency's search for secure cloud software.
How to find a FedRAMP High-certified cloud solution
Since the FedRAMP Marketplace publicly lists every certified solution along with its sector and level, approved cloud solutions are easy for interested agencies and organizations to find and evaluate. For example, our cloud solution, Collabspace, is listed as a FedRAMP Ready High cloud vendor.
Collabspace is currently listed as the only SaaS Cloud vendor for archive, discovery and records management solutions listed as FedRAMP Ready High. If your organization requires a cloud solution to securely archive your data or meet the upcoming M-19-21 mandate, Collabspace is certified for NARA’s Universal Electronic Records Management (Universal ERM) requirements and available for purchase via GSA Advantage.
To learn more, contact us with any questions, read our article about achieving FedRAMP Ready High, or download our brochure to read about the additional measures we’ve taken to ensure Collabspace protects your data: