FedRAMP authorization provides a standardized approach for cloud service providers (CSPs) to demonstrate that their services meet the minimum federal security requirements for processing, storing, and transmitting sensitive data.
These requirements vary based on the impact level of the data they handle. The greater the potential impact of a security incident, the more stringent the baseline of requirements the CSP will have to meet.
Since CSPs must correctly align their service offerings to an impact level in order to pursue the correct authorization baseline, it’s critical that you understand the different impact levels and how they’re determined. We’ll cover that below.
What are the FedRAMP levels?
FedRAMP defines three impact levels for cloud service offerings (CSOs): Low, Moderate, and High. These are based on the Federal Information Processing Standard (FIPS) 199, which categorizes the severity of potential adverse effects if the information or system were compromised. Each impact level reflects the sensitivity of the data managed and the consequences of a security breach.
The impact level is determined based on the potential loss of three core security objectives:
- Confidentiality: Preventing unauthorized access to sensitive data
- Integrity: Ensuring data is accurate and hasn’t been tampered with
- Availability: Making sure systems and data are accessible when needed
We’ll dive into the FIPS 199 categorization in more depth in the next section. Below, let’s take a closer look at the three impact levels at which FedRAMP currently authorizes CSOs.

Low Impact Level
A Low impact level is used for cloud services where a loss of confidentiality, integrity, or availability would have limited adverse effects on federal operations, assets, or individuals. These systems typically handle publicly available data or internal agency content that doesn’t contain sensitive information.
Examples of Low-impact systems include:
- Public websites
- Non-sensitive collaboration tools
- Basic SaaS apps with login functionality
While these systems still require security controls in place to prevent security breaches, the potential consequences of a breach are relatively minor, so the number of baseline controls required for this level is lower.
Moderate Impact Level
The Moderate impact level is assigned to systems where a loss of confidentiality, integrity, or availability would result in serious adverse effects on agency operations or individuals. These effects may include significant financial loss, harm to agency missions, or damage to an individual’s reputation or rights—but not loss of life.
Moderate is by far the most common and widely accepted impact level under FedRAMP, accounting for nearly three-quarters (73%) of all authorized CSOs. It typically applies to systems that handle Controlled Unclassified Information (CUI) or other sensitive but unclassified data.
Examples of Moderate-impact systems include:
- Financial systems
- Human resources platforms
- Case management tools for government programs
Given the increased risk, Moderate-impact systems require a much broader set of baseline controls than Low-impact systems.
High Impact Level
The High impact level is reserved for systems where a security incident could result in severe or catastrophic adverse effects, such as loss of life, mission failure, or financial ruin. This level applies to the government’s most sensitive, unclassified systems, especially those supporting national security, public health, or law enforcement.
Examples of High-impact systems include:
- Emergency response platforms
- Law enforcement data repositories
- Healthcare systems with sensitive patient data
Due to the critical nature of these systems, High-impact systems require the most extensive set of baseline controls under FedRAMP.
Understanding FIPS 199 categorization: How FedRAMP Impact Levels are determined
FedRAMP impact levels are based on FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. These standards help CSPs assess the criticality and sensitivity of the data their systems handle and evaluate the risks associated with a potential breach.
FIPS 199 categorizes systems based on the potential impact to each of the following objectives:
- Confidentiality: A loss of confidentiality, i.e., the unauthorized disclosure of information, could violate privacy, expose proprietary data, or compromise national interests.
- Integrity: A loss of integrity, i.e., the unauthorized modification or destruction of information, could lead to flawed decisions, data corruption, or loss of system functionality.
- Availability: A loss of availability, i.e., the disruption of access to systems and data, could disrupt operations, delay critical services, or endanger individuals.
The loss of any of these three objectives in a CSO may impact a federal agency’s ability to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.
Each objective is assigned a value of Low, Moderate, or High based on the potential consequences of a breach.
Since the potential impact for the three security objectives may differ, FIPS 199 introduced the high water mark concept to determine an information type or system’s overall impact level. This means that the highest value assigned to any of the three security objectives determines the overall impact level. So under FedRAMP:
- A low-impact system is an information system in which all three security objectives are assigned a potential impact value of Low.
- A moderate-impact system is an information system in which at least one security objective is assigned a potential impact value of Moderate and no security objective is assigned High.
- A high-impact system is an information system in which at least one security objective is assigned a potential impact value of High.
To support accurate categorization, CSPs should use the FedRAMP FIPS 199 Categorization Template (Appendix K) in the SSP along with the guidance of NIST Special Publication 800-60 volume 2 Revision 1, which maps specific data types to their appropriate impact levels.
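The high water mark rule above is easy to apply by hand for a single information type, but a real CSO usually handles several. The following is an added example (not from FedRAMP, NIST, or the original article) that encodes the rule in Python and also generalizes it one step, following FIPS 199 itself: when a system handles multiple information types, each objective takes the highest value any information type carries for it, and the high water mark is then applied to that aggregated category. The sample information types and their impact values are constructed for illustration and are not taken from NIST SP 800-60; the `baseline_for` helper only maps a level to the baseline names used on this page.

```python
"""Worked example of FIPS 199 security categorization and the FedRAMP
high water mark rule (added illustration, not FedRAMP's own tooling).

Impact values for the constructed information types below are assumptions
chosen for illustration, not values taken from NIST SP 800-60."""
from typing import Dict, Iterable, List

LEVELS = ("Low", "Moderate", "High")          # ordered least to most severe
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

SecurityCategory = Dict[str, str]  # e.g. {"confidentiality": "Low", ...}


def validate(category: SecurityCategory) -> None:
    """Reject categories missing an objective or using an unknown impact value."""
    for obj in OBJECTIVES:
        if obj not in category:
            raise ValueError(f"missing impact value for {obj}")
        if category[obj] not in RANK:
            raise ValueError(f"invalid impact value {category[obj]!r} for {obj}")


def high_water_mark(category: SecurityCategory) -> str:
    """Overall impact level of one security category: the highest value
    assigned to any of the three objectives."""
    validate(category)
    return max((category[obj] for obj in OBJECTIVES), key=RANK.__getitem__)


def system_security_category(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """Aggregate several information types into one system-level category.

    FIPS 199 gives the system, for each objective separately, the highest
    value that any information type it handles carries for that objective.
    The high water mark is then applied to this aggregated category."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for cat in info_types:
        validate(cat)
    return {
        obj: max((cat[obj] for cat in info_types), key=RANK.__getitem__)
        for obj in OBJECTIVES
    }


def system_impact_level(info_types: Iterable[SecurityCategory]) -> str:
    """FedRAMP impact level (Low/Moderate/High) for a CSO handling info_types."""
    return high_water_mark(system_security_category(info_types))


def baseline_for(level: str, li_saas_eligible: bool = False) -> str:
    """Map an impact level to the FedRAMP baseline the CSP must implement.

    The LI-SaaS (Tailored) baseline is only available to systems with a
    FIPS 199 Low categorization that meet the other LI-SaaS criteria, so
    the flag is ignored at Moderate and High."""
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "Low" and li_saas_eligible:
        return "LI-SaaS Baseline"
    return f"{level} Baseline"


# Constructed sample: an HR platform handling three information types.
HR_PLATFORM: List[SecurityCategory] = [
    {"confidentiality": "Low", "integrity": "Low", "availability": "Low"},            # public job postings
    {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},  # employee benefits records
    {"confidentiality": "Moderate", "integrity": "Low", "availability": "Low"},       # internal onboarding guides
]

# Same platform plus an emergency-notification feature whose loss of availability
# could endanger staff: a single High value raises the whole system to High.
HR_PLATFORM_WITH_ALERTS = HR_PLATFORM + [
    {"confidentiality": "Low", "integrity": "Moderate", "availability": "High"},
]

if __name__ == "__main__":
    for name, types in (("HR platform", HR_PLATFORM),
                        ("HR platform + alerts", HR_PLATFORM_WITH_ALERTS)):
        cat = system_security_category(types)
        level = high_water_mark(cat)
        print(f"{name}: {cat} -> {level} -> {baseline_for(level)}")
```

Note that the second system lands at High even though every information type except one is Low or Moderate on every objective; that is the intended effect of the high water mark, and it is why scoping which information types a CSO actually processes matters so much before the categorization is written into the SSP.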
What are the FedRAMP baselines?
Once a CSO’s impact level is determined, the CSP must implement the corresponding FedRAMP security control baseline. Each baseline outlines a minimum set of security controls and enhancements selected from the NIST SP 800-53 Rev. 5 control catalog that CSPs must meet to achieve FedRAMP authorization.
FedRAMP currently supports four distinct baselines aligned to Low, Moderate, and High impact levels:
- Low (and 20x Low) Baseline
- Low Impact SaaS (LI-SaaS) Baseline or Tailored Baseline
- Moderate Baseline
- High Baseline

Let’s explore each in detail below.
Note: The total number of controls for each baseline is taken from the FedRAMP Security Controls Template linked in the latest FedRAMP® CSP Authorization Playbook. The total number of controls for the 20x Low baseline is taken from the FedRAMP 20x Standards and Docs available on fedramp.gov.

FedRAMP Baselines Control Allocation Spreadsheet
To get a sense of how comprehensive each baseline is in relation to the others, and to the different areas of cybersecurity represented by each control family, we've broken down the number of controls per family across the FedRAMP Low, LI-SaaS, Moderate, and High baselines.
Low and 20x Low Baseline
The Low Baseline applies to systems categorized as Low impact under FIPS 199 because the potential harm from a breach is considered minimal.
CSPs pursuing a traditional Low authorization must implement 156 controls (including base controls and control enhancements).
These controls focus on foundational security measures such as:
- User access control
- Basic auditing and monitoring
- Encryption for data at rest and in transit
While not as rigorous as the Moderate or High baselines, the Low Baseline still requires formal documentation including a System Security Plan (SSP), independent assessment, and continuous monitoring.
In May, a pilot program for FedRAMP 20x introduced a reduced set of Key Security Indicators (KSIs) to fast track authorization for the Low baseline, allowing qualified CSPs to achieve Low authorization more efficiently. The goal of this pilot program is to accelerate authorizations for cloud-native services running on already-authorized infrastructure. Phase One grants successful participants a 12-month Low authorization and a prioritized path to Moderate authorization in Phase Two.
As of July 31, 2025, there are 585 CSOs that have achieved a FedRAMP designation and are listed in the FedRAMP Marketplace. Of this total, 17 CSOs are FedRAMP Low Authorized or working toward a FedRAMP Authorization at this level using the traditional Low baseline or 20x Low baseline. This is 3% of the total products listed in the FedRAMP marketplace.
Low Impact SaaS Baseline
The Low Impact SaaS Baseline, also known as the LI-SaaS or FedRAMP Tailored Baseline, is a subset of controls from the Low Baseline designed for simple, Low-impact SaaS applications that pose minimal risk and do not store personally identifiable information (PII) beyond basic login credentials (i.e., username, password, and email address).
To qualify for the LI-SaaS Baseline, the CSO must meet all of the following criteria:
- Operates in a cloud environment
- Is a fully operational cloud service
- Meets the definition of SaaS in NIST SP 800-145
- Does not store PII beyond login credentials
- Has a FIPS 199 Low impact categorization
- Is hosted on a FedRAMP-authorized IaaS/PaaS or the CSP is providing the underlying cloud infrastructure
The LI-SaaS baseline includes:
- 45 required controls to be documented and assessed: These controls must be documented in Appendix B of the SSP, and independently assessed. This does not mean that a vendor will necessarily have each control fully implemented or implemented as stated. A vendor must address how they meet (or don't meet) the intent of the control so that it can be independently assessed and detail any risks associated with the implementation.
- 20 conditional controls to be documented and assessed: These controls must be documented in Appendix B and independently assessed, if a certain condition exists. If the condition does not exist, then the CSP must attest to this in Appendix E.
- 75 controls that must exist and be attested to in Appendix E but require no documentation or independent assessment
FedRAMP determined that 13 of the 156 controls of the Low Baseline do not impact the security of the cloud SaaS and categorizes them as NSO for the LI-SaaS baseline. FedRAMP also determined that 3 controls are typically the responsibility of the Federal Government, not the CSP, and categorizes them as FED for the LI-SaaS Baseline.
By reducing documentation and assessment requirements, this tailored baseline offers a faster, more cost-effective path to authorization for CSPs with low-risk services.
Of the 585 CSOs that have achieved a FedRAMP designation and are listed in the FedRAMP Marketplace as of July 31, 2025, 49 have done so using the LI-SaaS baseline. This represents 8% of the products listed in the FedRAMP marketplace.
Moderate Baseline
The Moderate Baseline applies to systems categorized as Moderate impact under FIPS 199 because a breach could result in serious harm to operations, finances, or individuals. This includes most systems that process Controlled Unclassified Information (CUI) and is the most common and widely applicable FedRAMP baseline.
CSPs seeking Moderate authorization must implement 323 controls (including base controls and control enhancements).
Given the sensitivity of the data, controls focus heavily on access management, incident response, vulnerability management, and continuous monitoring. CSPs must provide extensive documentation, undergo a third-party assessment, and maintain a robust continuous monitoring program post-authorization.
424 of the 585 CSOs that have achieved a FedRAMP designation and are listed in the FedRAMP Marketplace as of July 31, 2025 are Moderate-impact systems. This represents the majority (73%) of the products listed in the FedRAMP marketplace.
High Baseline
The High Baseline is reserved for CSOs categorized as High impact under FIPS 199 because they could pose severe or catastrophic risks to federal agencies or the public if compromised.
CSPs pursuing High authorization must implement 410 controls (including base controls and control enhancements).
These controls include advanced protections such as:
- System-wide auditing and logging
- Continuous security analytics
- Advanced identity and access controls
- Business continuity and disaster recovery
Because of the sensitivity of the data involved, High authorization requires the most rigorous assessment and operational maturity.
There are 95 CSOs listed in the FedRAMP Marketplace as of July 31, 2025 that are High-impact, which represents 16% of the products listed in the Marketplace.

Tips for determining your FedRAMP impact level and baseline
Understanding FedRAMP levels and baselines is essential for CSPs seeking federal business. Accurately categorizing your cloud service and aligning with the appropriate baseline ensures a smoother authorization process and proper protection for the data you handle.
To get started:
- Use FIPS 199 and NIST 800-60 guidance to determine your impact level
- Match your impact level to the appropriate FedRAMP baseline
- Implement and document the required baseline controls from NIST 800-53 Rev. 5
- Explore FedRAMP LI-SaaS or FedRAMP 20x pathways for faster entry, if eligible (sign up here if you’re interested in participating in the FedRAMP 20x Phase One Pilot Program with the support of Secureframe and our C3PAO partner Coalfire Federal)
- Evaluate automation tools like Secureframe that offer pre-mapped controls, automated evidence collection, continuous monitoring, and federal expertise to simplify FedRAMP authorization for any level