FedRAMP Impact Levels: High vs Moderate vs Low
Pansy
Jan 23, 2025
Cloud Service Providers (CSPs) aiming for FedRAMP authorization must categorize their systems’ security impact levels according to FIPS 199, a NIST standard. However, deciding how to categorize a system accurately is a common source of initial confusion.
Misclassifying systems, whether by over-securing or under-protecting them, often delays authorization or exposes sensitive data to risk. So, before we dig into the differences between the FedRAMP impact levels, let’s get an overview of the framework and why it’s such a hot topic right now.
TL;DR: FedRAMP categorizes security levels into Low, Moderate, and High, according to the sensitivity and impact of the data handled. The FIPS 199 assessment uses the CIA triad (Confidentiality, Integrity, and Availability) to determine an IT system’s security impact level. The security level for FedRAMP depends on the data’s sensitivity and the potential impact of a breach.
Who needs FedRAMP authorization?
Any Cloud Service Provider (CSP) that wants to offer its services to U.S. federal agencies needs FedRAMP authorization. Obtaining an ATO (Authorization to Operate) guarantees that its services meet the stringent security standards required for government use. Without FedRAMP authorization, CSPs cannot work with federal agencies.
As of January 2025, there are 357 ATO services in the FedRAMP marketplace. Service models include IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).
What are the FedRAMP impact levels?
For all impact levels under FedRAMP, the security controls list revolves around 18 unique families:
- Access Control
- Awareness And Training
- Audit And Accountability
- Security Assessment And Authorization
- Configuration Management
- Contingency Planning
- Identification And Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical And Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System And Services Acquisition
- System And Communications Protection
- System And Information Integrity
- Supply Chain Risk Management
As you explore CSPs in the AWS marketplace, you can filter them by impact levels: low, moderate, and high. Let’s understand what these mean.
1. Low impact level
A low baseline means that the loss of confidentiality, integrity, or availability of information would have minimal impact on your CSP. A breach would result in only minor disruption to the agency’s customers, operations, assets, employees, or vendors.
FedRAMP offers two levels for data systems with minimal impact:
- Low Impact (LI)-SaaS Baseline: Meant for SaaS applications that only store basic login information and no other personally identifiable information (PII).
- Low Baseline: Covers less risky data for public use, where a breach wouldn’t harm safety, reputation, mission, or financial stability.
FedRAMP low-level controls
FedRAMP low impact level has 155+ security controls. Here are some examples:
- Policy and Procedures
- Account Management
- Access Enforcement
- Unsuccessful Logon Attempts
- System Use Notification
- Permitted Actions Without Identification or Authentication
- Remote Access
- Wireless Access
- Access Control for Mobile Devices
- Use of External Systems
- Publicly Accessible Content
- Role-based Training
- Training Records
- Policy and Procedures
- Event Logging
- Content of Audit Records
- Time Stamps
- Audit Re