Section 6.01 - Reference Brief
DOC-REF: FRC-LVL-001
FedRAMP Impact Levels: Low, Moderate, High
FedRAMP uses three impact levels derived from FIPS 199 and NIST SP 800-60 to categorize federal information systems. The impact level determines which control baseline applies, the scope of 3PAO assessment, and your ongoing continuous monitoring obligations.
Section A. Level Register
Cost and scope by impact level
Each level entry below is a self-contained reference. Costs reflect 2026 U.S. market rates.
Impact Tier
FedRAMP Low
NIST SP 800-53 Rev 5 Low baseline
Initial cost
$350,000 - $500,000
Annual ConMon
$60,000 - $120,000 / yr
Controls
Up to 125 controls
Timeline
9 - 12 months
Typical data types
- Publicly available information
- Administrative data with no PII
- General government business functions
- Non-sensitive collaboration tools
Example use cases
- Public-facing informational websites
- General productivity and collaboration platforms
- Non-sensitive CRM systems
- Public document management
Impact Tier
FedRAMP Moderate
NIST SP 800-53 Rev 5 Moderate baseline
Initial cost
$800,000 - $2,000,000
Annual ConMon
$150,000 - $350,000 / yr
Controls
325+ controls
Timeline
12 - 18 months
Typical data types
- Personally Identifiable Information (PII)
- Sensitive but Unclassified (SBU) data
- Law enforcement information (non-classified)
- Financial and procurement data
Example use cases
- HR and payroll systems
- Case management and workflow tools
- Financial management platforms
- Healthcare record systems for civilian agencies
Impact Tier
FedRAMP High
NIST SP 800-53 Rev 5 High baseline
Initial cost
$2,500,000 - $5,000,000+
Annual ConMon
$300,000 - $600,000+ / yr
Controls
421+ controls
Timeline
18 - 24 months
Typical data types
- Law enforcement sensitive data
- Emergency services critical data
- Financial systems affecting national security
- Health records with life safety implications
Example use cases
- Law enforcement databases
- Emergency response coordination systems
- Critical infrastructure management
- Defense health record systems
Section B. Control Family Comparison
Selected NIST 800-53 control counts
Higher impact levels add both more controls and more stringent parameter values within each control.
| Control Family | Low | Moderate | High |
|---|---|---|---|
| Access Control (AC) | 15 | 25 | 31 |
| Audit and Accountability (AU) | 9 | 16 | 16 |
| Configuration Management (CM) | 6 | 13 | 14 |
| Identification and Authentication (IA) | 8 | 12 | 13 |
| Incident Response (IR) | 6 | 10 | 10 |
| Risk Assessment (RA) | 5 | 6 | 9 |
| System and Communications Protection (SC) | 20 | 39 | 44 |
| System and Information Integrity (SI) | 12 | 17 | 20 |
Next step
Calculate your authorization cost by level
Use the cost worksheet to estimate total cost for your specific impact level, security posture, and organization size.