FedRAMP has three primary authorization levels, known as “Impact Levels,” which are used to categorize cloud services based on the sensitivity of the data they handle. The three FedRAMP authorization levels are: Low Impact, Moderate Impact, and High Impact. Each authorization level corresponds to a specific set of security requirements and controls that cloud service providers must implement and adhere to during the FedRAMP authorization process.
- Low Impact: The Low Impact level is suitable for cloud services that handle non-sensitive, unclassified information. This level includes data that, if exposed, would have a low impact on an organization’s operations, assets, or individuals. Cloud services at this level must implement a baseline set of security controls to protect the data.
- Moderate Impact: The Moderate Impact level applies to cloud services that manage controlled unclassified information (CUI) or other sensitive but unclassified information. This level includes data that, if exposed, could have a moderate impact on an organization’s operations, assets, or individuals. Cloud services at this level must implement a more extensive set of security controls compared to the Low Impact level.
- High Impact: The High Impact level is designed for cloud services that handle highly sensitive controlled unclassified information (CUI) data that if exposed, could have severe or catastrophic effects on an organization’s operations, assets, or individuals. Cloud services at this level must implement the most stringent and comprehensive set of security controls to ensure the highest level of protection.
It is crucial to involve your agency’s information security and compliance teams in this decision-making process. Conduct a thorough risk assessment and engage with cloud service providers who have obtained FedRAMP authorizations at the appropriate impact level.
Remember that different systems within your agency may handle data of varying sensitivity levels, and it is possible to use cloud services at different impact levels to accommodate these differences. Choosing a product that is FedRamp High authorized provides a superset of coverage for all impact levels, thus providing flexibility to address your current and possible future requirements.
Solution brief: FedRamp High authorized zero trust security platform
Marketplace: FedRAMP Marketplace