FedRAMP Impact Levels
FedRAMP categorizes cloud services into three impact levels based on FIPS 199: Low, Moderate, and High. The level reflects the potential impact of a loss of confidentiality, integrity, or availability, and it determines both the security controls required and the rigor of the assessment. Most commercial CSPs seeking federal customers pursue Moderate authorization.
Low Impact
Low impact applies to cloud services where the loss of confidentiality, integrity, or availability would have a limited adverse effect on the agency. This covers systems handling publicly available information or non-sensitive data.
Controls: Approximately 125 security controls.
Typical use cases: Public websites, collaboration tools for non-sensitive work, development environments.
Assessment effort: The least intensive, but still significant.
Moderate Impact
Moderate impact applies where the loss would have a serious adverse effect. This is the most common FedRAMP impact level, covering the vast majority of federal cloud use cases.
Controls: Approximately 325 security controls.
Typical use cases: Most SaaS applications, email systems, CRM, HR systems, case management, and any system handling controlled unclassified information (CUI).
Assessment effort: Substantial. This is the standard FedRAMP authorization most CSPs pursue.
High Impact
High impact applies where the loss would have a severe or catastrophic adverse effect, including loss of life, major financial loss, or significant harm to national security.
Controls: Approximately 421 security controls.
Typical use cases: Law enforcement systems, emergency services, financial regulation systems, and systems supporting critical infrastructure.
Assessment effort: The most intensive, with the strictest requirements and longest timelines.
Choosing Your Impact Level
Your impact level is determined by the types of data your service will process. In practice, most agencies require Moderate or higher. If you are unsure, discuss the question with potential agency customers, who will specify the impact level required for their use case. Starting with Moderate authorization addresses the broadest market.
LI-SaaS (Low Impact SaaS)
FedRAMP offers an expedited path for Low Impact SaaS services through the LI-SaaS authorization. It uses a simplified set of controls and a streamlined process, making it faster and less expensive than a full Low authorization. LI-SaaS is appropriate only for services that do not handle personally identifiable information or other sensitive data.
In the next lesson, we will cover the FedRAMP authorization process.