
FedRAMP Low, 20x, and LI-SaaS Baselines: What They Are & Who They Apply to


FedRAMP Low is the entry point for many cloud service providers (CSPs) looking to work with the U.S. federal government. 

Designed for systems that handle publicly available or non-sensitive government data where the risk of harm from a breach is minimal, this level of authorization is often ideal for lightweight SaaS applications, early-stage startups, and cloud-based tools that don’t process Controlled Unclassified Information (CUI) or mission-critical workloads.

If this applies to your system or you’re not sure, keep reading to learn:

  • What FedRAMP Low is and who needs it
  • When to use the Low baseline vs LI-SaaS baseline
  • What each baseline requires
  • How LI-SaaS or FedRAMP 20x can help fast-track authorization for this level

What is FedRAMP Low?

A FedRAMP Low system is one in which the loss of confidentiality, integrity, or availability would have limited adverse effects on an agency’s operations, assets, or individuals. 

These systems are categorized using the Federal Information Processing Standards (FIPS) 199 framework, which assesses potential impact across three security objectives:

  • Confidentiality: Unauthorized disclosure of this data is expected to have a limited adverse effect on organizational operations, assets, or individuals.
  • Integrity: Any unauthorized changes or destruction of information would similarly have minimal adverse effects.
  • Availability: Disruptions in accessing or using this information are also expected to have a limited impact.

If all three objectives are categorized as Low, the system qualifies for FedRAMP Low authorization. 

This categorization is generally suitable for cloud service offerings (CSOs) or Cloud Service Providers (CSPs) used for routine operations, internal collaboration, and basic public-facing tools. Let’s look at specific examples below.

Who needs FedRAMP Low?

FedRAMP Low is commonly pursued by CSPs offering tools like:

  • Public websites
  • Scheduling or survey platforms
  • Internal collaboration tools (e.g., project management apps)
  • Productivity tools that do not store sensitive or proprietary data

These applications are typically not critical to agency missions, nor do they contain personally identifiable information (PII) beyond what’s required for login functionality.

To better understand who needs or may benefit from FedRAMP Low authorization, let’s look at the CSOs that have achieved a FedRAMP designation at this level. As of July 31, 2025, there are 585 CSOs listed in the FedRAMP Marketplace. Of these, 66 are low-impact systems that are FedRAMP Authorized, FedRAMP Ready, or working toward a FedRAMP Authorization. That means low-impact systems make up about 11% of the products listed in the FedRAMP Marketplace.

Here are some examples of CSOs that have achieved a FedRAMP Low designation and are listed in the marketplace:

  • Adobe Creative Cloud for Enterprise
  • CircleCI Cloud
  • CivicPlus
  • Flock Safety
  • GitHub Enterprise Cloud
  • Hootsuite Enterprise
  • Trello Enterprise Cloud
  • Zendesk Customer Support and Help Desk Platform

These CSOs have achieved a FedRAMP Low designation by implementing one of three baselines that FedRAMP currently has or is testing for low-impact systems: Low, 20x Low, and the Low Impact Software-as-a-Service (LI-SaaS) baseline. 

Let’s start with an overview of the Low baseline. 

FedRAMP Low baseline: What’s required?

Cloud service providers pursuing a traditional FedRAMP Low authorization must implement 157 controls derived from the NIST SP 800-53 Rev. 5 catalog. These include both base controls and control enhancements. The controls are distributed across 17 control families.

Here’s a breakdown of the number of controls by family, which highlights the emphasis areas for Low baseline systems:

The control families with the highest number of requirements include:

  • Identification and Authentication (16 controls)
  • System and Communications Protection (14 controls)
  • Access Control (11 controls) 

These focus areas reflect a strong emphasis on access management and secure data transmission, even in low-impact environments.

What is the FedRAMP LI-SaaS Baseline?

The LI-SaaS baseline is a subset of the full Low baseline designed for SaaS applications that do not store PII beyond what is necessary for login (e.g., username, password, email). These applications typically present very low or negligible risk, and the LI-SaaS framework reflects that by reducing the documentation and testing burden of the traditional Low baseline.

The LI-SaaS baseline includes 45 controls that must be documented and assessed, at a minimum. Note that the vendor does not necessarily have to fully implement these controls. Instead, they must address how they meet (or don't meet) the intent of each control so that it can be independently assessed and detail any risks associated with the implementation.

The documentation and assessment requirements are lower for the other controls in this tailored baseline, including:

  • 20 conditional controls that must be documented and assessed only if a certain condition exists. If the condition does not exist, then the CSP has to attest to this in Appendix E of their SSP instead. Most of these controls are conditioned on whether the CSO has connection(s) to external systems, the users are privileged, or the control is inherited from a FedRAMP-authorized PaaS or IaaS.
  • 75 controls that can be attested to in Appendix E, with no documentation or independent assessment required.
  • 13 “NSO” controls that FedRAMP determined do not impact the security of the Cloud SaaS.
  • 3 controls that FedRAMP determined are typically the responsibility of the federal agency, not the CSP.

In other words, low-impact systems that qualify for the LI-SaaS baseline must, at minimum, document and assess 45 controls and attest to 95 controls. This is the case only if no conditional controls apply. At maximum, they’ll need to document and assess 65 controls and attest to 75 controls. This is the case only if all conditional controls apply.

This tailored baseline offers two major advantages. First, it provides a faster path to approval for the lowest risk services, which benefits both the cloud service providers and the federal agencies that use those services. Second, it provides a more practical option for cloud-based SaaS applications that meet specific criteria by requiring only the most relevant security controls and streamlining documentation and assessment requirements.

In short, LI-SaaS makes FedRAMP compliance more accessible for modern SaaS providers that pose very low or negligible operational risk to government agencies.

Who’s eligible for the LI-SaaS Baseline?

To qualify for the LI-SaaS baseline, the cloud service must:

  • Be fully operational in a cloud environment
  • Be a SaaS application per NIST SP 800-145
  • Contain no sensitive PII beyond basic login credentials
  • Be categorized as Low impact under FIPS 199
  • Be hosted on a FedRAMP-authorized PaaS or IaaS (or provide its own infrastructure)

FedRAMP Low vs LI-SaaS: Key differences

Although both FedRAMP Low and LI-SaaS baselines address systems with a low impact level under FIPS 199, they are intended for slightly different types of services and risk profiles.

Let’s look at their key differences below.

Eligibility

Both baselines apply to low-impact systems, but LI-SaaS imposes additional eligibility requirements. For example, the SaaS must not process sensitive PII and must be hosted on a FedRAMP-authorized IaaS or PaaS. These restrictions make LI-SaaS ideal for lightweight, standalone tools with limited functionality and minimal security risk.

Reduced controls

The traditional FedRAMP Low baseline requires 156 controls to be documented, independently assessed, and continuously monitored. 

LI-SaaS reduces this burden significantly by requiring only 45 to 65 controls to be documented and assessed (depending on the number of conditional controls that apply to the CSO). The remainder of the 140 controls of the LI-SaaS baseline can be addressed through attestation, with no independent assessment or documentation required. This makes LI-SaaS a more practical option for cloud-native startups and simple applications that would otherwise face unnecessary complexity trying to get FedRAMP Low authorized.

FedRAMP Marketplace share

The current FedRAMP Marketplace (as of July 31, 2025) reflects the growing adoption of LI-SaaS. Of the 66 low-impact systems listed as FedRAMP Authorized, Ready, or In Progress, 74% have implemented the LI-SaaS baseline. This represents 8% of the total products listed in the FedRAMP Marketplace. In comparison, 26% of the low-impact systems have implemented the Low or FedRAMP 20x Low baseline, representing 3% of the total products listed in the FedRAMP Marketplace.

While these percentages will likely change as more CSOs opt into the FedRAMP 20x pilot program (detailed below), the current data shows that the streamlined LI-SaaS approach is a popular path to authorization for many CSPs serving federal customers with minimal risk workloads.

Now that we understand these major differences between the FedRAMP Low and LI-SaaS baselines, let’s take a closer look at the two ways you can accelerate your path to FedRAMP Low authorization. 

How to Fast-Track FedRAMP Low Authorization: Comparing LI-SaaS vs. FedRAMP 20x

As the federal government continues to adopt cloud technologies, it has become increasingly important to offer pathways for rapid authorization that still maintain adequate security protections. 

For low-impact cloud services, there are two options: LI-SaaS and FedRAMP 20x. Let’s take a closer look at these two accelerated paths to authorization to see which you may be eligible for.

LI-SaaS Baseline

The LI-SaaS baseline was created to support SaaS providers offering tools that are simple, cloud-native, and handle no sensitive data beyond what’s required for login functionality. Because these services pose very low or negligible risk, LI-SaaS reduces the number of controls requiring independent assessment and documentation.

While the process is lighter than full FedRAMP Low, LI-SaaS still results in a full Low authorization and is well-suited for CSPs offering standalone applications like productivity tools, time trackers, or survey apps hosted on FedRAMP-authorized infrastructure.

FedRAMP 20x Low Baseline

FedRAMP 20x is a newer initiative launched in 2025 to provide an accelerated route for cloud-native services built on already authorized IaaS or PaaS platforms.

Instead of the full FedRAMP Low baseline or even the LI-SaaS subset, the FedRAMP 20x Phase One pilot program introduced a reduced set of 51 Key Security Indicators (KSIs) as indicators of a CSP’s security posture and readiness.

Phase One grants successful participants a 12-month limited Low authorization, which allows the agency to use the service while the provider prepares for a longer-term Moderate authorization under Phase Two. 

While both approaches provide a faster path to federal authorization, their applicability differs based on the nature of the service, target agency needs, and long-term compliance goals. Here’s a quick overview:

In short, FedRAMP 20x is ideal for cloud-native services building on authorized platforms, while LI-SaaS works best for standalone lightweight SaaS applications.

How to prepare for FedRAMP Low authorization

FedRAMP Low, LI-SaaS, and FedRAMP 20x offer an achievable on-ramp to federal compliance for CSPs with simple, low-risk cloud services. FedRAMP 20x, in particular, introduces a more modern approach to Low baseline authorization, shifting from traditional documentation to automation, machine-readable files, and KSIs that can be validated quickly and at scale.

By selecting the right path and preparing the appropriate documentation and assessments, vendors can efficiently demonstrate their commitment to federal security standards while reducing the cost and complexity of authorization.

While the core readiness steps for authorization are consistent across FedRAMP levels (as described in the latest FedRAMP® CSP Authorization Playbook), CSPs pursuing FedRAMP Low can often complete these steps with fewer resources and in less time than those targeting Moderate or High.

Below is a simplified overview of the steps CSPs should take to prepare. You can find a more detailed overview in the FedRAMP High article.

  • Partner with a federal agency: Identify and secure a sponsoring federal agency interested in authorizing your cloud service offering (CSO).
  • Allocate internal resources: Dedicate key personnel such as a technical writer, technical subject matter expert (SME), and project manager to support the process.
  • Select a 3PAO: Choose a Third Party Assessment Organization (3PAO) listed in the FedRAMP Marketplace to perform your required security assessment.
  • Complete FedRAMP training: Take advantage of free FedRAMP training courses to better understand the required documents and assessment phases.
  • Align with your agency’s review approach: Coordinate with your sponsoring agency to determine whether deliverables will be reviewed iteratively or all at once.
  • Conduct a kickoff meeting: Meet with your agency sponsor and 3PAO to align on timelines, documentation expectations, and roles.

These steps help establish a clear path to authorization and reduce unnecessary delays. 

For CSPs eligible for LI-SaaS or FedRAMP 20x, additional time savings and efficiency gains are possible through streamlined documentation and selective control validation.

How Secureframe can simplify FedRAMP Low authorization

Secureframe can help CSPs prepare for, navigate, and obtain FedRAMP Low authorization—whether through the FedRAMP 20x pilot program or other pathways—with:

  • Out-of-the-box support for FedRAMP: The Secureframe platform supports both the FedRAMP Low and FedRAMP 20x KSI frameworks out of the box. With the Low baseline requirements and KSIs already mapped to pre-built controls and tests, you know exactly how to meet FedRAMP Low requirements.
  • Federal-ready automation: From initial gap assessments to machine-readable SSP generation, to continuous monitoring and Trust Center generation, Secureframe automates the most time-intensive tasks in the FedRAMP Low authorization process. This automation is not optional for FedRAMP 20x: CSPs must be able to generate and maintain machine-readable documents and Trust Centers to attest to KSIs.
  • Expertise you can trust: Our team includes former FedRAMP auditors who have first-hand experience undergoing the FedRAMP 20x process for Secureframe. We also partner with 3PAO Coalfire Federal to ensure you have expert guidance at every step of the FedRAMP Low authorization process, from readiness to submission.

If you’re interested in participating in the FedRAMP 20x Phase One Pilot Program, sign up here to learn how Secureframe and our C3PAO partner Coalfire Federal can help support you.