The Federal Risk and Authorization Management Program (FedRAMP) recognizes three system security categories: Low, Moderate and High. The number of required controls, and the stringency of the assessment process, increase as the category level rises. So does the cost and complexity of compliance.
The vast majority of Software-as-a-Service (SaaS) solutions end up categorized as Moderate. This includes many that probably could be rated Low based on the data they support, because Authorizing Officials (AOs) are historically reluctant to sign off on Low categorizations. This is especially true if the system contains any data that has the slightest whiff of being Personally Identifiable Information (PII).
And I get it. FedRAMP Low systems only have 156 controls. Moderate systems have to tackle 323. Clearly that means a Moderate authorized system is more than twice as secure right?
Not even close. In fact, I think that with some relatively minor tweaks to the Low baseline, we could capture 90% of the value of the Moderate baseline, at roughly 50% the cost. This would help AOs feel more comfortable keeping systems in the Low bucket, while making it much easier for SaaS providers to get through FedRAMP.
Learn more: Decoding FedRAMP Baselines: Get to Know Low, Moderate, and High Impact Levels for Compliance
Background on Control Organization
FedRAMP derives its controls from NIST Special Publication 800-53 Revision 5. 800-53 is organized around Control Families, for example Access Control (AC), with each control carrying a unique number (e.g., AC-02). Many controls also include enhancements, like AC-02(02).
These enhancements tack on additional requirements to their parent control. In the example above, AC-02 describes a bunch of requirements for managing accounts. AC-02(02) adds an additional requirement for managing temporary and emergency accounts. But most of the security value is in the parent control.
Understanding FedRAMP Low vs Moderate
The main difference between the FedRAMP Low and Moderate baselines is that Low includes very few enhancements. With modest exceptions, Low is mostly limited to parent controls, with many of the most important parent controls selected.
For SaaS providers, Moderate adds an additional 40 or so parent controls. The rest of the delta between Low and Moderate is made up by control enhancements.
Learn more about which of the different FedRAMP certification baselines your cloud service offering needs. Speak to a cybersecurity expert today.
Delta Deep Dive
To understand the security value of moving from Low to Moderate, it helps to look at what’s actually added to the control baseline when you make the jump. And there are some important controls added in the Moderate baseline that, truthfully, should probably apply to all SaaS systems regardless of categorization. I’ll talk about those in a bit.
But there are also a lot of controls in the Moderate baseline that add minimal value, while increasing compliance cost. These fall into two general categories.
Well-Meaning Enhancements That Add Minimal Value to their Parent
A lot of control enhancements barely tweak their parent control, but do so in ways that generate a lot of paperwork and compliance headaches. Many of the delta controls between Low and Moderate fall into this category. Let’s look at a few:
AC-06: Least Privilege – Least privilege is an immensely valuable control. But many of the enhancements to AU-6 simply apply the concept of least privilege to other aspects of access. That re-re-reiteration has minor value, maybe. But it’s covered well enough by the parent control that we can safely drop most AC-06 enhancements at the Low level while still capturing the lion’s share of the control’s value.
CM-03: Configuration Management: This is a great control. Its enhancements add testing requirements and also mandate that security and privacy representatives sit on change control boards. While these enhancements are OK, the blanket requirement for testing is unhelpfully broad (many organizations don’t test minor updates) and security and privacy input is essentially covered by the parent control.
CA-02: Control Assessments: Assessments are obviously critical. But FedRAMP Moderate selects enhancement (03). This enhancement provides a mealy-mouthed requirement to accept assessments from external organizations. It’s a “who really cares” type control that generates a lot of paperwork and process for no security value.
Learn more: What Does FedRAMP Ready Mean?
Controls That Are Good Ideas in Theory but Have Minimal Value in Practice
There are a lot of controls in the Moderate baseline that sound like good ideas, but in practice add a lot of compliance headaches for little SaaS security ROI. Here are a few examples.
CM-08(03): Automated Unauthorized Component Detection – This might be the most loathed control in all FedRAMP. The ability to detect unauthorized assets is great in principle. But (A) the FedRAMP-mandated five-minute detection window is ludicrous, (B) The value of this control in a modern, ephemeral environment is debatable, and (C) the tools to achieve it are expensive and finicky. There are much better uses of resources then trying to detect unauthorized components in five minutes.
CM-12 and CM-12(01): Information Location: This control and its enhancement generates a massive amount of effort and angst for little security value for SaaS. Together they require you to automatically identify where data is physically located and then document users that have access to those components. First, FedRAMP-authorized Infrastructure-as-a-Service (IaaS) providers tag data location for you. Second the access piece of this is covered in other controls. Third, assessors tend to interpret the automation requirement as automated identification of PII within a system. But those tools are expensive and rarely work well. So, there’s a lot of work and expense here, for minimal security value.
AC-21: Information Sharing – This control addresses information sharing. It requires organizations to come up with processes and techniques to help users make decisions on whether they can share information from the system with other users. This isn’t especially relevant in a commercial context where organizations aren’t authorized to share government data anyway. But it generates a lot of contrived compliance work, ginning up paper processes for something that isn’t especially relevant.
IA-3: Device Identification – This control requires that devices be identified prior to granting access. In limited scenarios, I actually like device ID as a control. But it’s an old school defensive measure that has largely been bypassed by modern cyber-attack techniques. It’s also expensive, difficult to implement and poorly understood by many AOs.
AC-05: Separation of Duties – Separation of duties has value, especially in classified or critical infrastructure-type environments. But for your average SaaS tool, it’s overkill. It’s also deceptively expensive, generating a lot of make-work and compliance paperwork, especially for smaller companies. It’s probably better to focus on strong access control and auditing, so you can track who does what and when, then it is to get precious about precise duty separation.
AC-12 / SC-10: Session Termination / Network Disconnect – I realize these are separate things so don’t @me. But they are related. Both are good ideas, and make sense for certain systems. But both brings lots of unintended complexity without good protection against modern threat actors. For the average SaaS we should probably focus resources on inbound and outbound monitoring to detect malicious activity, not muck up internal system processes with arbitrary TTLs on the myriad connections that power the modern cloud.
SI-7: Software, Firmware and Information Integrity – I love File Integrity Monitoring (FIM). It’s a great control…for High systems, or maybe as an optional selection for certain borderline Mod/High ones. It’s expensive, resource intensive overkill for the average SaaS. I think at the Low/Mod level it makes more sense to focus resources on identifying malicious software and / or funky inbound and outbound connections than it does to track file integrity at a granular level.
Moderate Controls That Should be Added to the Low Baseline
I’ve been knocking the Moderate baseline a bit, but there are some genuinely strong-yet-straightforward controls in the Mod baseline that are not in Low. Controls that probably should be in the FedRAMP Low baseline, at least for SaaS providers.
In fact, I think if you added these controls to the Low baseline for SaaS providers you’d capture 90% of the security value of the Moderate baseline at significantly reduced cost.
| Control Number | Title |
| AC-02 (01) | Account Management: Automated System Account Management |
| AC-02 (02) | Account Management: Removal of Temporary/Emergency Accounts |
| AC-02 (03) | Account Management: Disable Accounts |
| AC-02 (04) | Account Management: Automated Audit Actions |
| AC-02 (07) | Account Management: Privileged User Accounts |
| AC-02 (09) | Account Management: Restrictions on Shared and Group Accounts |
| AC-02 (12) | Account Management: Account Monitoring for Atypical Usage |
| AC-04 | Information Flow Enforcement |
| AC-04 (21) | Information Flow Enforcement: Physical or Logical Separation of Information Flows |
| AC-06 | Least Privilege |
| AC-06 (07) | Least Privilege: Review of User Privileges |
| AU-06 (03) | Audit Review, Analysis, and Reporting: Correlation |
| AU-07 | Audit Reduction and Report Generation |
| CA-07 (01) | Continuous Monitoring: Independent Assessment |
| CM-02 (02) | Baseline Configuration: Automation |
| CM-03 | Configuration Change Control |
| IA-02 (05) | Identification and Authentication (Organizational Users): Individual Authentication with Group Authentication |
| IA-02 (06) | Identification and Authentication (Organizational Users): Access to Accounts —Separate Device |
| IA-05 (07) | Authenticator Management: No Embedded Unencrypted Static Authenticators |
| IR-03 | Incident Response Testing |
| SA-11 | Developer Security Testing and Evaluation |
| SA-11 (01) | Developer Security Testing and Evaluation: Static Code Analysis |
| SC-02 | Separation of System and User Functionality |
| SC-07 (05) | Boundary Protection: Deny by Default |
| SC-07 (08) | Boundary Protection: Route Traffic to Authenticated Proxy Servers |
| SC-07 (12) | Boundary Protection: Host-Based Protection |
| SI-10 | Information Input Validation |
| SI-11 | Error Handling |
Normalize Gettin’ Low
Even without my suggested upgrades, the Low baseline still provides much of the value of the Moderate baseline at substantially reduced cost. But my relatively modest upgrade to Low – things that SaaS providers should be doing anyway – would capture almost all the value of the Moderate baseline while significantly reducing compliance cost. This might help AOs feel more comfortable keeping systems in the Low category. It would definitely help more SaaS providers get across the finish line.
38North Security is the leading expert in FedRAMP authorization. Whether your organization is looking to achieve Low, Moderate, or High, we can help. Get in touch with a cybersecurity expert today.
