FedRAMP may grant authorizations to a CSP at three impact levels: high, moderate, and low. The FedRAMP impact levels estimate the scale of disruption that would result from a compromise of a cloud-based information system.
The FedRAMP low-impact level sets the standard for cloud security. It applies to cloud service offerings (CSOs) where losing data availability, confidentiality, or integrity will cause minimal harm to the assets and operations of a federal agency.
Systems with FedRAMP low-impact data can have a low baseline or low-impact SaaS level. The standard low level is most relevant to a CSP that handles federal data for public consumption, comprising 125 security controls. Losing data at this level doesn’t impact the agency’s safety, mission, reputation, or finances.
FedRAMP’s tailored baseline applies to CSPs with low-impact SaaS systems. This baseline has fewer security controls than the standard low-impact baseline (only 38) and uses consolidated security documentation.
The tailored baseline allows faster, streamlined authorization processes for low-risk cloud services. Examples include project management systems, collaboration platforms, and open source code development applications.
FedRAMP’s moderate-impact level is common for cloud services that handle controlled unclassified information (CUI) for federal government organizations and agencies. This level applies to CSPs that handle confidential government data rather than publicly available information.
Compromises of a moderate-impact system could severely damage the operations and mission of a government agency. This damage could affect digital assets, harm individuals, or result in financial losses. A notable example of moderate-impact data is personally identifiable information (PII). The baseline for a moderate-level system is 325 security controls.
Moderate-impact systems must have controls implemented via automated mechanisms, facilitating the management of accounts and information system security. For instance, account managers should receive automatic text or email notifications of the transfer or termination of a user. CSPs must also maintain continuous monitoring of account usage.
The FedRAMP high-impact level is the security standard required for the most critical and sensitive government data. It applies to unclassified information in cloud environments.
Industries that use high-impact data include law enforcement, healthcare, and emergency services. Compromising this type of data (or the cloud systems housing it) can have catastrophic consequences for a government agency.
High-impact breaches can cause operations and information systems to shut down, resulting in heavy financial losses and derailing government investigations. Exposing this data can also threaten intellectual property and even human life.