
FedRAMP Authorizations: A Framework for Modernizing Federal Government

As government agencies move more of their operations to the cloud, they’re experiencing increased flexibility, scalability, and cost savings. But this transition brings new security risks that must be addressed. Unsurprisingly, the federal government has stringent data security rules, requiring all cloud service providers it does business with to adhere to specific security standards and processes. 

The Federal Risk and Authorization Management Program (FedRAMP) establishes these standards. Cloud service providers can earn various FedRAMP authorizations that indicate their level of security practices for partnering with federal agencies. 

What Are FedRAMP Authorizations?

FedRAMP is a government-wide initiative for ensuring that the cloud services and systems used by federal agencies remain protected from unauthorized access, breaches, and cyberattacks. FedRAMP defines three levels of authorization: low, moderate, and high. These tiers are organized based on the level of disruption that would occur if data held by the cloud service was compromised or became unavailable due to a breach or system failure. 

FedRAMP is governed by the Joint Authorization Board (JAB), which consists of the chief information officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). Together, they provide governance for FedRAMP with duties including defining and updating FedRAMP security authorization requirements, reviewing and updating provisional authorizations, and approving accreditation criteria. 

3 Impact Levels of FedRAMP Authorization

FedRAMP authorizations fall into three impact levels. Each one is organized based on the level of disruption that would occur if the system or the data it contains were to become compromised or unavailable. 

Low impact level

The low impact level applies primarily to systems available for public use; the data does not include any personally identifiable information (PII) other than login details such as usernames, passwords, and email addresses. The loss of confidentiality, integrity, or availability of these systems would have only minor impacts on the agency’s ability to fulfill its mission.

Moderate impact level

Moderate impact systems are the ones most commonly serviced by cloud providers. At the moderate level, the loss of confidentiality, integrity, or availability would result in a serious disruption to an agency’s mission, creating substantial damage to agency assets, financial loss, or individual harm, excluding death or physical injury. 

High impact level

High impact level data includes data used by federal law enforcement and emergency services systems, financial systems, and health systems. At this level, the loss of confidentiality, integrity, or availability would likely cause severe or catastrophic consequences, including loss of intellectual property, financial devastation, and even physical injury or death. FedRAMP’s high impact level includes the government’s most sensitive, unclassified data stored in cloud computing environments. 

FedRAMP High vs. Moderate

FedRAMP High is reserved for highly sensitive, unclassified data. FedRAMP also includes two lower levels of authorization: Low and Moderate. Each level has its own security control requirements based on the sensitivity of the data that falls within it. Low impact level systems have 125 controls, moderate impact level systems have 325 controls, and high impact level systems need 421 controls. These security controls are divided into 17 control families such as Access Control (AC), Audit and Accountability (AU), Incident Response (IR), Personnel Security (PS), Risk Assessment (RA), and Contingency Planning (CP).

Benefits of Using a Modern Cloud Architecture 

FedRAMP authorizations allow government agencies to modernize their operations while protecting their sensitive data. Here are six ways federal agencies benefit from adopting a cloud-based architecture.

Decrease costs

Cloud data platforms use consumption-based, per-second pricing so customers pay only for the storage and compute resources they are using. With no physical infrastructure to purchase, install, and maintain, you can avoid expensive equipment or recurring annual costs, allowing those funds to be allocated to other projects.

Secure data sharing 

Cloud data platforms effectively facilitate collaboration and innovation. Implementing a cloud-based architecture makes it easy to store, integrate, analyze, and safely share data across and beyond your agency.

Reduce database administration 

A cloud-based architecture drastically reduces administrative burden. By eliminating time-consuming tasks such as deploying hardware, configuring software, and optimizing the performance and security of your data platform, your team can focus on using data, not managing the system.

Eliminate concurrency and contention issues

Cloud data platforms aren’t subject to the same concurrency and contention issues that characterize legacy systems. With virtually instant, near-infinite elasticity, computing power can automatically scale so users don't experience a slowdown or disruption of their queries when concurrency surges.

Increase data security

FedRAMP Authorized cloud service providers offer robust data security capabilities that align with federal standards. Data is encrypted, both at rest and in transit. Additional safeguards include multi-factor authentication, role-based access control, IP address whitelisting, and federated authentication. 

Achieve and maintain regulatory compliance

In addition to being FedRAMP Authorized, select cloud service providers such as Snowflake provide compliance with additional government and industry standards including NIST 800-171, SOC1 Type 2, SOC2 Type 2, ISO 27001, HIPAA, and PCI.

Snowflake Is FedRAMP High Authorized

The Snowflake Data Cloud is FedRAMP Authorized (High). Because Snowflake has achieved FedRAMP’s highest level of authorization, government agencies can take full advantage of the Data Cloud, knowing Snowflake’s cloud services meet federal standards for data security. With Snowflake, government teams can easily collaborate across and between agencies with secure data sharing and robust controls for data access and governance.