Join top executives and thought leaders at A-LIGN’s Cybersecurity Summit NYC.
Learn more and register now to secure your seat at the table.

FISMA Certification: Understanding Low, Moderate and High-Impact Systems

FISMA Certification: Understanding Low, Moderate and High-Impact Systems

FISMA, or the Federal Information Security Management Act of 2002, assesses the controls outlined in NIST 800-53. You can review those requirements in Figure 1, below.

One of the benefits of FISMA is that it provides different implementation options depending on the levels of potential impact for an organization or individual if there were a security breach. A breach of security could be a loss of confidentiality, integrity, or availability. The three FISMA implementation levels are: low, moderate and high.FISMA established security guidance for federal entities and their agencies to adhere to, and thus organizations looking to win government contracts must adhere to the standards. The focus of this program is to improve the security of information through the creation of clear standards that can be used by all deferral agencies, in order to protect the security of information and information systems.


Low-impact systems are systems that, if compromised in some way, would only have limited adverse effects on the organization or individuals.


Moderate-impact systems with a breach in security result in a serious adverse effect on an organization’s operations, organizational assets or individuals.


High-impact systems are of critical importance to a government entity. A breach of any kind would result in severe or catastrophic amounts of damage to the organization, and could potentially result in a shutdown of operations, significant fiscal loss, physical damage to individuals, or a severe loss of intellectual property.

Achieving FISMA Certification

For organizations looking to win government contracts, FISMA compliance provides clear requirements for the development, documentation and implementation of an information security system for its data and infrastructure.