FedRAMP’s Impact Levels: How to Move from Moderate to High

There are four different baselines and impact levels of FedRAMP authorization: Low Impact SaaS (FedRAMP Tailored or LI-SaaS), Low, Moderate, and High impact. These categories differ based on the number of control sets each has as its baseline. 

The majority of FedRAMP-authorized organizations pursue Moderate authorization. But today, more and more cloud service providers (CSPs) are looking to move from their Moderate authorization to a High authorization. This higher authorization allows organizations to work with government entities that require more stringent protocols to protect the Federal government’s most sensitive unclassified data. 

Along with opening the door to more business opportunities, higher impact levels can make an organization look more attractive to clients. A higher impact level highlights an organization’s stringent adherence to specific cybersecurity controls, which can provide an extra level of reassurance for clients.  

Here’s how organizations can move from the Moderate impact level to the High impact level. 

FedRAMP Impact Levels Explained 

The Federal Risk and Authorization Management Program, or FedRAMP, is the U.S. Federal government’s internal approach to securing the cloud services that its agencies use. FedRAMP grants authorizations at four impact levels: Low Impact SaaS (FedRAMP Tailored or LI-SaaS), Low, Moderate, and High. Each level has different control sets as its baselines: 

  • Low Impact SaaS (FedRAMP Tailored or Ll-SaaS): Ll-SaaS is a subset of low impact and typically includes at least 50 of the controls to be independently assessed. This tailored baseline accounts for SaaS applications that do not store personal identifiable information beyond what’s required for login capability, such as usernames and passwords. Therefore, organizations that achieve the LI-SaaS level would only experience minor adverse effects should a loss of confidential information occur. Information about the security controls required for this designation can be found here
  • Low Impact Level: Low includes approximately 125 controls. Organizations that achieve the low authorization status would only experience limited adverse effects should a loss of confidential information occur. Information about the security controls required for this designation can be found here
  • Moderate Impact Level: Moderate includes approximately 325 controls. Nearly 80% of organizations that receive FedRAMP authorization fall into this category. The loss of confidential information in this category would have a serious — but not catastrophic — impact on an organization. Information about the security controls required for this designation can be found here
  • High Impact Level: High includes approximately 425 cybersecurity controls. Organizations that should seek a High ATO most commonly include those working in law enforcement and emergency services systems, financial systems, and health systems. However, any organization can achieve the High impact level authorization, and they should especially pursue this level if any loss of confidential information could be expected to have a catastrophic impact on the organization. Information about the security controls required for this designation can be found here

Please note, the approximate number of controls per impact level are expected to change when FedRAMP transitions to 800-53 revision 5 at the end of this year.  

The Process of Moving from FedRAMP Moderate to FedRAMP High 

The process of moving impact levels is relatively straightforward and is also simpler than achieving initial FedRAMP authorization. The three main steps that organizations need to take to move up an impact level include: 

  1. Receive approval from your sponsor. To begin the process of moving to a higher impact level, you first need permission from your sponsor. Identify a new sponsoring agency if the existing sponsor does not want to maintain sponsorship for a High authorization. 
  1. Complete the Significant Change Request (SCR) Form. This document, which is published on the FedRAMP website, outlines all of the additional control requirements that would need to be met to move up an impact level. The form includes a checklist of the new controls required when changing from Moderate to High impact levels and identifies those Moderate controls that change under a High impact level.  
  1. Undergo a Significant Change Assessment. Finally, an organization should complete a Significant Change Assessment with a third-party authorization organization (3PAO). It is suggested, if applicable, to perform the Significant Change Assessment during your Annual Security Assessment for continued Authorization. This would help reduce audit fatigue that can result from doing an out-of-cycle assessment and help control time and cost. 

How A-LIGN Can Help You Move from FedRAMP Moderate to FedRAMP High 

Even if an organization isn’t actively handling federal data, it can still use FedRAMP’s impact levels as a baseline to evaluate cloud security standards. Moving from FedRAMP Moderate to FedRAMP High means an organization has increased the number of controls it uses to keep sensitive information secure — something that can be attractive to clients.  

As an accredited 3PAO, A-LIGN is one of the top FedRAMP assessors in the world. We help organizations achieve FedRAMP Authorized and move to a higher impact level.  

If you are a Cloud Service Provider (CSP) looking to move from a Moderate to High FedRAMP authorization, A-LIGN can make your FedRAMP process seamless. Contact us today.