Some data breaches have serious consequences, endangering the life or financial viability of the individuals or organizations whose data has been compromised. This is a special risk with government-collected data. As government use of cloud products and services grows, securing sensitive data stored in cloud environments is essential.
FedRAMP High, the highest impact level in the US federal government’s Federal Risk and Authorization Management Program (FedRAMP), is reserved for cloud service providers (CSPs) that have demonstrated compliance with stringent requirements designed to protect the government’s most sensitive unclassified data. In this article, we’ll explain FedRAMP High, exploring how its requirements support secure cloud storage, information security and data protection. We’ll also share how organizations and governments at all levels benefit when they partner with CSPs that are FedRAMP High authorized.
What is FedRAMP?
The federal government is committed to modernizing its digital infrastructure, including the way it uses, shares and stores data. A cornerstone feature of this transformation is an increased reliance on modern cloud technologies. However, concerns related to security are commonly cited when migrating to cloud-based products and services. In response to these concerns, the FedRAMP program began in 2011, designed to verify that CSPs serving the federal government meet established security criteria. This government-wide program provides a standardized framework for conducting security assessments, authorization and continuous monitoring for cloud products and services.
The FedRAMP authorization process
FedRAMP authorization involves three distinct stages: FedRAMP Ready, In Process, and FedRAMP Authorized. Once a cloud service provider successfully completes the full authorization process, they are awarded FedRAMP Authorized status. This final stage indicates that their security package is available for agency review and use. FedRAMP Authorized providers are eligible to host federal data in their systems at the categorization level (Low, Moderate or High) their authorization allows and can supply services to their agency partners.
How FedRAMP High compares to other FedRAMP levels
FedRAMP High is reserved for highly sensitive, unclassified data. The program also includes two lower levels of authorization: Low and Moderate. Each one has its own security control requirements based on the sensitivity of the data that falls within that level. Low impact level systems have 125 controls, moderate impact level systems have 325 controls and high impact level systems require 421 controls. These security controls are divided into 17 control families such as Access Control (AC), Audit and Accountability (AU), Personnel Security (PS), Risk Assessment (RA), Contingency Planning (CP), and Incident Response (IR).
FedRAMP Low
The low-impact level applies primarily to systems available for public use. The data does not include any personally identifiable information (PII) other than login details such as usernames, passwords and email addresses. The loss of confidentiality, integrity or availability of these systems would have only minor impacts on the agency’s ability to fulfill its mission.
FedRAMP Moderate
Moderate-impact systems are the ones most commonly serviced by CSPs. At the moderate level, the loss of confidentiality, integrity or availability would result in a serious disruption to an agency’s mission, creating substantial damage to agency assets, financial loss or individual harm, excluding death or physical injury.
FedRAMP High
The high-impact level includes data used by federal law enforcement and emergency services systems, financial systems and health systems. At this level, the loss of confidentiality, integrity or availability would likely cause severe or catastrophic consequences, including loss of intellectual property, financial devastation and even physical injury or death. FedRAMP’s high-impact level includes the government’s most sensitive, unclassified data stored in cloud computing environments.
FedRAMP security objectives
FedRAMP categorizes providers by the level of authorization they have achieved. It also organizes them across three broad security objectives: confidentiality, integrity and availability.
Confidentiality: Adequate safeguards are in place to prevent unauthorized access to personal or proprietary data.
Integrity: Stored data is appropriately protected, preventing its modification or destruction.
Availability: Secure data is ready when it is needed; the systems are tasked with providing data access continuously.
Benefits to partnering with CSPs that have FedRAMP High authorization
FedRAMP High Authorized CSPs meet the strictest security standards. Federal agencies and state and local governments can confidently entrust these providers with their sensitive data. Additionally, the benefits of partnering with a cloud service provider that is FedRAMP Authorized extend far beyond simply providing a secure place to store and work with data. Let’s look at five advantages FedRAMP High authorization provides.
Comprehensive data security features
FedRAMP High providers have fully met FedRAMP standards, ensuring full alignment with federal standards. Providers that have achieved FedRAMP High authorization are committed to upholding rigorous standards of data confidentiality, integrity and availability.
Compliance
FedRAMP is required for all federal government cloud deployments and service models at the low, moderate and high impact levels. In addition to being FedRAMP Authorized, select cloud data platforms, such as Snowflake, also provide compliance with other government and industry standards, including NIST 800-171, SOC1 Type 2, SOC2 Type 2, ISO 27001, HIPAA and PCI. These additional certifications allow users to demonstrate compliance with security standards relevant to their specific use cases.
Increased collaboration
Cloud data platforms serve as a single source of truth for sensitive government data, eliminating the data silos that prevent local, state and federal government entities from using their data effectively. With secure data collaboration, government agencies can collaborate across internal teams, between agencies and externally with the public or private sector partners.
Public trust and reputation
Working with a CSP that has attained FedRAMP High authorization helps build trust with the public. State and local governments and private sector businesses that choose FedRAMP authorized providers send a strong message that they are committed to maintaining high standards for data security.
Faster procurement and deployment
CSPs that have attained FedRAMP High, Moderate, or Low authorization are added to the FedRAMP Marketplace, a searchable and sortable database of cloud service offerings. The FedRAMP Marketplace provides a convenient way for federal agencies, state and local governments and private sector businesses to search for providers who have met the data security standards required for their specific use cases. In addition, partnering with a FedRAMP Authorized CSP can save users a significant amount of time and resources as they don’t have to re-verify compliance with individual security controls included in the FedRAMP standards.
Snowflake is FedRAMP High Authorized
The Snowflake Data Cloud is FedRAMP Authorized (High). Because Snowflake has achieved FedRAMP’s highest level of authorization, government agencies can take full advantage of the Data Cloud, knowing Snowflake’s cloud services meet federal standards for data security. With Snowflake, government teams can easily collaborate across and between agencies with secure data sharing and robust controls for data access and governance.