FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. FedRAMP’s goal is to enhance the framework by which the government secures and authorizes cloud technologies.
FedRAMP standardizes security requirements for the authorization and ongoing cyber security of cloud services in accordance with:
- The Federal Information Security Modernization Act (FISMA), to protect federal information.
- National Institute of Standards and Technology (NIST) standards and guidelines, which FedRAMP leverages to provide standardized security requirements for cloud services, contract language, a conformity assessment program, standardized authorization packages, and a repository for authorization packages.
This blog will review the different impact levels defined by FedRAMP and by the Department of Defense, and show how MuleSoft Government Cloud can provide an authorized cloud platform for government IT teams.
FedRAMP impact levels
FedRAMP categorizes each Cloud Service Offering (CSO) into one of three impact levels: low, moderate, and high. The impact level is based on three security objectives, confidentiality, integrity, and availability, following the Federal Information Processing Standard (FIPS) 199.
Low impact level
- Confidentiality: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- Integrity: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- Availability: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate impact level
- Confidentiality: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- Integrity: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- Availability: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High impact level
- Confidentiality: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- Integrity: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- Availability: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Department of Defense (DoD) impact levels
The Defense Information Systems Agency (DISA) publishes the Cloud Computing Security Requirements Guide (CC SRG), which introduces terminology and concepts that are unique to cloud computing and to DoD’s use of the technology.
The CC SRG outlines the security model by which DoD leverages cloud computing, along with the security controls and requirements necessary for using cloud-based solutions. It defines the requirements and architectures for the use and implementation of DoD or commercial cloud services by DoD Mission Owners.
The CC SRG provides security requirements and guidance to DoD and commercial cloud service providers (DoD contractors) that wish to have their cloud service offerings (CSOs) included in the DoD Cloud Service Catalog. It defines the DoD Impact Levels (IL2, IL4, IL5, and IL6), each of which is a combination of:
- The sensitivity of the information to be stored and/or processed in the cloud.
- The potential impact of an event that results in the loss of confidentiality, integrity or availability of that information.
DoD impact level 2 (IL2)
- Information sensitivity: Accommodates DoD information that has been approved for public release or is non-critical mission information
- Security controls: FedRAMP v2 Moderate
- Location: US/US-outlying areas
- Off-premises connectivity: Internet
DoD impact level 4 (IL4)
- Information sensitivity: Accommodates DoD controlled or non-controlled unclassified information, non-critical mission information, and non-national security systems information
- Security controls: IL2 + controlled unclassified information specific tailored set
- Location: US/US-outlying areas or DoD on-premises
- Off-premises connectivity: NIPRNet (non-classified internet protocol router network) via CAP (cloud access point)
DoD impact level 5 (IL5)
- Information sensitivity: Accommodates DoD higher-sensitivity controlled unclassified information, mission-critical information, and national security systems information
- Security controls: IL4 + national security systems information
- Location: US/US-outlying areas or DoD on-premises
- Off-premises connectivity: NIPRNet (non-classified internet protocol router network) via CAP (cloud access point)
DoD impact level 6 (IL6)
- Information sensitivity: Accommodates DoD classified SECRET and national security systems information
- Security controls: IL5 + classified overlay information
- Location: US/US-outlying areas, DoD on-premises, or cleared/classified facilities
- Off-premises connectivity: SIPRNet (secret internet protocol router network) direct, with DoD SIPRNet enclave connection approval
MuleSoft Government Cloud
MuleSoft Government Cloud is a FedRAMP- and DoD-authorized cloud platform that gives federal agencies the option to deploy applications in the cloud or in on-premises data centers, based on their security and compliance requirements. With MuleSoft Government Cloud, you can leverage an industry-leading, enterprise-grade integration platform as a service to reduce infrastructure and management costs and increase speed to market. You can manage all government integration assets from a single, secure, cloud-based management console.
MuleSoft Government Cloud is authorized at FedRAMP Moderate and DoD impact level 2 (IL2) and supports security standards such as TLS 1.2, ITAR, NIST 800-53, and FIPS 140-2. It offers a large library of FIPS-compliant connectors and modules to help ensure that logic within runtimes is secure, and it provides third-party auditing and monitoring of security controls. MuleSoft plans to pursue higher impact levels in the future.
We look forward to government agencies using MuleSoft Government Cloud, where IT teams can rapidly design, develop, and manage APIs and integrations to connect cloud and on-premises applications all from a single, unified platform. Learn how government agencies can accelerate digital transformation with MuleSoft’s Government Cloud by downloading our whitepaper.