FedRAMP Impact Levels Low, Moderate, and High. What’s the Difference?

Updated April 16, 2020

Becoming certified under the Federal Risk and Authorization Management Program (FedRAMP) is a costly and resource-intensive undertaking. Obtaining certification and continually staying in compliance can have a major impact on your business as a Cloud Service Provider (CSP).

To lessen the costly and time-consuming process, FedRAMP utilizes a “do once, use many times” Security Assessment Framework (SAF). This approach helps reduce redundancies when conducting security assessments and process monitoring reports.

As part of FedRAMP’s effort to streamline compliance, its SAF is standardized into four process areas: Document, Assess, Authorize, and Monitor. Within the Document process area, FedRAMP asks CSPs to determine what types of data they are managing and complete a FIPS PUB 199 worksheet.

Your security categorization of Low, Moderate, or High impact level is based on the type of data in your system and how it maps in the FIPS PUB 199 worksheet.

What is the FIPS 199 Worksheet?

FedRAMP didn’t create these categorization levels. Instead, it borrows them from the Federal Information Processing Standard (FIPS), which was developed by the National Institute of Standards and Technology (NIST). FIPS 199 categorizes data against three security objectives: Confidentiality, Availability, and Integrity.

FIPS PUB 199 Impact Levels

As you can see in the above chart, there are three FedRAMP impact levels: Low, Moderate, and High. Deciding which set of control requirements to follow depends on the kinds of data you are managing and the different modes of securing and protecting that data. Each subsequent impact level requires additional controls to ensure that your data is adequately protected.

Is your Data Low, Moderate, or High Security Impact?

Figuring out which FedRAMP impact level your Cloud Service Offering (CSO) should follow is critical to the compliance process.

Low Impact Security Level

The low security level baseline is required if the information system you are managing contains publicly available data. If the data were to be compromised it would have low impact.

Moderate Impact Security Level

The moderate security level baseline is required if your data includes personally identifiable information (PII). If this information system is compromised, it would have a serious impact.

High Impact Security Level

The high security level baseline is required if any problem that befalls your information system would have severe impact on government bodies and operations, which could lead to financial ruin or economic crisis.

From Low to High: Increasing Number of Controls

Higher security levels require additional security controls, such as higher levels of authentication for people to enter, access, and gain control of these systems. This means more, and increasingly secure, ways of determining whether the person with access is who they claim to be. It also means upgraded procedures for validating this information, as well as for determining what they can access and what they can do with this data.

For high-impact systems, some key aspects recommended by FedRAMP include reducing human error as much as possible, often by means of automation. FedRAMP also suggests guaranteeing that the entire scope of authorization already encompasses the full spectrum of services.

Low-level systems have exactly 125 controls, moderate level systems have 325 controls, while high-level systems are required to comply with 421 controls. With the three levels in place, any federal agency can now store highly sensitive data on any provider of cloud services as long as they are FedRAMP compliant.

Breakdown of FedRAMP Control Types

| Control Type | Low | Moderate | High |
|---|---|---|---|
| Access Control | 11 | 43 | 54 |
| Awareness Training | 4 | 5 | 7 |
| Audit and Accountability | 10 | 10 | 30 |
| Security Assessment and Authorization | 9 | 16 | 16 |
| Configuration Management | 11 | 26 | 36 |
| Contingency Planning | 6 | 23 | 35 |
| Identification and Authentication | 15 | 27 | 32 |
| Incident Response | 7 | 17 | 26 |
| Maintenance | 4 | 12 | 14 |
| Media Protection | 4 | 10 | 12 |
| Physical and Environmental Protection | 10 | 20 | 26 |
| Planning | 3 | 6 | 6 |
| Personnel Security | 8 | 9 | 10 |
| Risk Assessment | 4 | 10 | 12 |
| System and Services Acquisition | 6 | 22 | 26 |
| System and Communications Protection | 10 | 32 | 39 |
| System and Information Integrity | 7 | 28 | 38 |

Preparing for FedRAMP?

See how StandardFusion can make your life easier with tools that help you before, during and after your authorization.

Our easy-to-use platform comes with all FedRAMP controls, regardless of baseline level, so you can get started right away.  Powerful tools help you prepare for and complete your authorization. Then once you're done, we give you everything you need to maintain your authorization monthly.

Want to find out more? Arrange a demo of StandardFusion today!

With FedRAMP, your organization can enhance trust in security evaluations, improve automation for near real-time and continuous monitoring, guarantee reliable implementation of security practices, promote the use of cloud solutions, consolidate standards for cloud products and, ultimately, boost confidence in cloud security. Learn more about what FedRAMP certification could mean for your company.

In the end, this benefits your organization through savings in resources, time, and cost; enhanced real-time security; improved reuse of current security assessments across organizations; enhanced transparency; uniform approaches to risk-based management; and an enriched federal security authorization process.

By knowing exactly what kind of data your organization is handling and what kind of protection that data needs, you can best determine whether you need to comply with FedRAMP’s low, moderate, or high security baseline.