FedRAMP Impact Levels (Low, Moderate, High) Explained
Quick Answer
FedRAMP has three impact levels: Low (125 controls, for non-sensitive data), Moderate (325 controls, for CUI and PII — covers 80% of authorizations), and High (421 controls, for law enforcement and critical infrastructure data). The level is determined by FIPS 199 categorization of the data processed.
Understanding FedRAMP Impact Levels
FedRAMP impact levels determine the rigor of security controls required for your cloud service. The level is based on FIPS 199 (Federal Information Processing Standard 199), which categorizes information systems by the potential impact of a security breach on three objectives: confidentiality, integrity, and availability. The control counts quoted on this page (125 / 325 / 421) are the NIST SP 800-53 Rev 4 baselines; the Rev 5 baselines that replaced them contain 156, 323 and 410 controls respectively, so check which revision your 3PAO and agency are assessing against.
Key Takeaways
- FedRAMP Low: 125 controls — publicly available data and non-sensitive operations
- FedRAMP Moderate: 325 controls — covers CUI, PII, and most federal data; about 80% of authorizations
- FedRAMP High: 421 controls — law enforcement, healthcare, financial, and critical infrastructure
- Your level is determined by the most sensitive data your system will process
- You can apply for a higher level later, but downgrading is uncommon
Impact Level Comparison
| Attribute | Low | Moderate | High |
|---|---|---|---|
| Security controls | 125 | 325 | 421 |
| Control families | 17 | 17 | 17 |
| Data sensitivity | Publicly available | CUI, PII, financial | Law enforcement, critical infrastructure |
| Typical authorization cost | $150K-$400K | $750K-$2M | $1.5M-$3M+ |
| Typical timeline | 6-12 months | 12-18 months | 18-24+ months |
| Annual assessment scope | Core controls plus a rotating subset | Core controls plus a rotating subset (all controls within 3 years) | Core controls plus a rotating subset (all controls within 3 years) |
| Penetration testing | Required | Required | Required + more rigorous |
| Percentage of authorizations | ~10% | ~80% | ~10% |
FedRAMP Low
FedRAMP Low is for cloud systems where a security breach would have limited adverse effect on organizational operations, assets, or individuals. It applies to systems handling publicly available data or non-sensitive internal data.
FedRAMP Tailored for SaaS
FedRAMP Tailored is a streamlined baseline for Low-Impact Software-as-a-Service (Li-SaaS) products: SaaS offerings that handle no more than low-impact data and typically rely on an already-authorized IaaS/PaaS for most infrastructure controls. It requires fewer controls and a lighter assessment than standard FedRAMP Low, making it accessible for startups and smaller companies.
FedRAMP Moderate
FedRAMP Moderate is the most common level, covering approximately 80% of all FedRAMP authorizations. It applies to systems where a breach would have a serious adverse effect — significant financial loss, disruption to operations, or exposure of PII or CUI. Typical Moderate systems include:
- Email and collaboration platforms (Microsoft 365 GCC, Google Workspace)
- HR and financial management systems
- CRM and customer management tools
- Cloud hosting and infrastructure services
- Analytics and business intelligence platforms
- Any system processing PII, financial data, or controlled unclassified information
FedRAMP High
FedRAMP High is for systems where a breach would have a severe or catastrophic adverse effect — threat to life, major financial loss, or national security implications. It is commonly required for sensitive workloads at agencies such as the Department of Defense, Department of Justice, and Department of Homeland Security (DoD additionally applies its own Cloud Computing SRG impact levels on top of the FedRAMP baseline).
How to Determine Your Level
Level Determination Process
Identify the data types
List all types of federal data your cloud service will process, store, or transmit. Consult with your prospective agency customers about their data classification.
Apply FIPS 199 categorization
Rate each data type separately for confidentiality, integrity, and availability (FIPS 199 allows a confidentiality rating of "not applicable" only for information that is meant to be public). The system's rating for each objective is the highest rating that any data type received for that objective.
Use the high-water mark
Your FedRAMP level is the highest of the three system-level objective ratings. A single 'High' rating for any data type on any one objective puts the whole system at FedRAMP High, even if every other rating is Low.
Consult with agencies
Confirm the level with your target agencies. They may have specific requirements or policies about which level they require for different types of services.
Consider business strategy
If you plan to serve multiple agencies with different needs, consider pursuing the higher level upfront to avoid re-authorization later.
FIPS 199 Impact Categorization
Data categorization determines your FedRAMP impact level using the high-water mark principle:
- Confidentiality: impact of unauthorized disclosure
- Integrity: impact of unauthorized modification
- Availability: impact of disruption to access
- High-water mark: use the highest rating across all three dimensions
- FedRAMP level: maps directly to the Low, Moderate, or High baseline
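The categorization steps above carried out in code, as an added example (not part of the original page and not an official FedRAMP tool). It takes a constructed inventory of information types with provisional C/I/A ratings, applies the FIPS 199 high-water mark per objective, and then across objectives, and handles the one edge case the standard calls out: a confidentiality rating of N/A for public information, which still rolls up to LOW at the system level. The inventory contents are hypothetical.

```python
"""FIPS 199 high-water-mark categorization for a FedRAMP candidate system."""
from dataclasses import dataclass

# Ordered lowest to highest. "N/A" is the rating FIPS 199 permits for the
# confidentiality of information that is intended to be public.
LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type and its provisional C/I/A impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, objective: str) -> str:
        """Validated, upper-cased rating for one security objective."""
        value = getattr(self, objective).upper()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: {objective} rating {value!r} not in {LEVELS}")
        if objective != "confidentiality" and value == "N/A":
            raise ValueError(f"{self.name}: N/A is only permitted for confidentiality")
        return value


def high_water_mark(ratings):
    """Highest rating in the sequence, ordered by LEVELS."""
    return max(ratings, key=LEVELS.index)


def categorize_system(info_types):
    """Per-objective system ratings: the highest rating any information type
    received for that objective. FIPS 199 requires a system-level rating of
    at least LOW, so an all-N/A confidentiality column becomes LOW."""
    if not info_types:
        raise ValueError("at least one information type is required")
    sc = {}
    for objective in OBJECTIVES:
        level = high_water_mark([t.rating(objective) for t in info_types])
        sc[objective] = "LOW" if level == "N/A" else level
    return sc


def fedramp_baseline(info_types):
    """Overall impact level: the highest of the three per-objective ratings."""
    return high_water_mark(categorize_system(info_types).values()).capitalize()


def sc_notation(info_types):
    """FIPS 199 security categorization string for the whole system."""
    inner = ", ".join(f"({k}, {v})" for k, v in categorize_system(info_types).items())
    return f"SC = {{{inner}}}"


# Constructed inventory for a hypothetical SaaS; not drawn from any real system.
EXAMPLE_INVENTORY = [
    InfoType("public marketing content", "N/A", "LOW", "LOW"),
    InfoType("agency user accounts (PII)", "MODERATE", "MODERATE", "LOW"),
    InfoType("grant applications (CUI)", "MODERATE", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    print(sc_notation(EXAMPLE_INVENTORY))
    print("FedRAMP baseline:", fedramp_baseline(EXAMPLE_INVENTORY))
```

Run it as a script to print the SC notation and the resulting baseline for the sample inventory; replace `EXAMPLE_INVENTORY` with your own data types, rated jointly with the sponsoring agency, since their ratings, not yours, decide the level.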
Can I start at Low and upgrade to Moderate later?
Yes, but upgrading requires implementing additional controls, updating your SSP, and undergoing a new 3PAO assessment for the Moderate baseline. It is often more cost-effective to pursue Moderate from the start if you anticipate needing it within 1-2 years.
What if my agency customer says Moderate but I think Low is sufficient?
The sponsoring agency has the final say on the required impact level. If they say Moderate, you must meet the Moderate baseline. Their assessment is based on the specific data and use case within their agency.
Is there a level between Low and Moderate?
No. FedRAMP Tailored (Li-SaaS) sits below standard Low, not between Low and Moderate: it is a streamlined baseline designed for low-impact SaaS products, with about 36 controls plus additional attestation requirements, and it is faster and cheaper than standard FedRAMP Low. Anything above Low goes straight to the Moderate baseline.
Do IaaS providers need High authorization?
Not necessarily. The required level depends on the data their customers will process. However, IaaS providers like AWS, Azure, and GCP maintain High authorizations because their customers span all impact levels. A High-authorized IaaS can host workloads at any level, but hosting there does not transfer the authorization: your service still needs its own package, and you may inherit only the controls the provider's customer responsibility matrix marks as fully implemented by the provider, not the ones left to the tenant.
Find FedRAMP Compliance Support
Compare consultants and 3PAOs who can help determine your impact level and plan your authorization.