FedRAMP Low, Moderate, or High?

Which security baseline do you need under the Federal Risk and Authorization Management Program (FedRAMP)? Is it low, moderate, or high?

While choosing to utilize cloud services has the added benefits of flexibility, increased collaboration, and lower upfront investments, it can also bring about increased risks, and for that reason, the US federal government has instituted FedRAMP to improve security while reducing the costs of securing IT systems.

To lessen the inconsistent, redundant, costly, inefficient, and time-consuming approach to risk management to cloud platforms, FedRAMP has instituted a “do once, use many times” approach to doing security assessments for agencies.

Low, Moderate, High-Security Baseline Levels

The three levels of FedRAMP authorization, low, moderate, or high, would depend on the different kinds of data you are using and the different modes of securing and protection that those data require.

The categorization of these three security baseline levels is based on the Federal Information Processing Standard or FIPS199 which defines three ways of securing data according to confidentiality, availability, and integrity.

Preparing for FedRAMP?

See how StandardFusion can make your life easier with tools that help you before, during and after your authorization.

Our easy-to-use platform comes with all FedRAMP controls, regardless of baseline level, so you can get started right away.  Powerful tools help you prepare for and complete your authorization. Then once you're done, we give you everything you need to maintain your authorization monthly.

Want to find out more? Arrange a demo of StandardFusion today!

You will need a low-security level baseline if the information you are dealing with is already publicly available and this data will have limited impact to government and the national economy if something does happen to that data.

You will need a moderate security baseline level if the data your organization manages will have a serious impact when breached or compromised. This set of information would include personally identifiable information or PII.

Finally, you will need a high-security level baseline if any problem that befalls data your organization peruses would have severe impact on government system and operations and may even lead to financial ruin or economic crisis.

Indeed, to make sure that your data is adequately protected, additional controls are added for each level as you move from low to moderate to high levels.

Higher security levels, for instance, would have a higher level of authentication required for people to enter, access, and gain control of these systems. This means increasingly more secure ways of determining if the person doing so is who they claim they are. This also means ensuring upgraded procedures of validating this information as well as determining what they can have access to and what they can do with this data.

For high-impact systems, some key aspects recommended by FedRAMP include the reduction of as much human error as possible. In other words, this means the rolling-out of automatization. FedRAMP also suggests guaranteeing that the entire scope of authorization already encompasses the full spectrum of services does take care that it does not incorporate sharing services with the provider.

From low to high: Increasing number of controls (requirements)

Low-level systems have exactly 125 controls, moderate level systems have 325 controls, while high-level systems are required to comply with 421 controls. FedRAMP released the high-level security baseline only last year. With the three levels in place, any federal agency can now store highly-sensitive date on any provider of cloud services as long as they are FedRAMP compliant.


Control Type Low Moderate High
Access Control 11 43 54
Awareness Training 4 5 7
Audit and Accountability 10 10 30
Security Assessment and Authorization 9 16 16
Configuration Management 11 26 36
Contingency Planning 6 23 35
Identification and Authentication 15 27 32
Incident Response 7 17 26
Maintenance 4 12 14
Media Protection 4 10 12
Physical and Environmental Protection 10 20 26
Planning 3 6 6
Personnel Security 8 9 10
Risk Assessment 4 10 12
System and Services Acquisition 6 22 26
System and Communications Protection 10 32 39
System and Information Integrity 7 28 38

Under development from January 2015, the high-level security baseline level has meanwhile been in operation since June 2016. Federal agencies are hence allowed to delegate the carrying of high-impact data with cloud service providers. Prior this update, only low level, and moderate level cloud operations could be outsourced to outside vendors.

With FedRAMP, your organization can enhance trust in security evaluations, improve automation for purposes of near real-time and continuous monitoring, guarantee reliable security practice implementation, promote the use of cloud solutions, consolidate standards for cloud products, and ultimately, boost confidence in cloud security.

In the end, this will redound to benefits to your organization regarding savings in resources, time, and cost, enhancement of real-time security, improved re-utilization of current security assessment across organizations, enhance transparency, ensure uniformity in approaches to risk-based management, and enrich the authorization process of federal security.

By knowing exactly the kind of data your organization is handling and the kind of protection these data need, you can best determine whether you will require complying to FedRAMP’s low, moderate, or high-security base lines.