FISMA impact level selection is one of the most consequential early decisions in a federal cloud program. It determines the control baseline, the authorization boundary, the FedRAMP level your cloud service provider must hold, and ultimately the cost and timeline of your ATO. Get it wrong — either by underestimating and under-protecting sensitive information, or by overcorrecting into High controls for a Low-impact system — and you've created problems that are expensive to fix post-ATO.
This article covers the impact level selection process, what each level means for cloud architecture, and the GovCloud boundary implications that affect where and how your system can run.
What FISMA Impact Levels Are
FISMA (Federal Information Security Modernization Act) requires agencies to categorize their information systems using FIPS Publication 199. The categorization applies three security objectives — Confidentiality, Integrity, and Availability — to the types of information the system processes.
Each objective is rated Low, Moderate, or High based on the potential impact of a security failure:
| Impact Level | Definition |
|---|---|
| Low | Loss could have limited adverse effect on operations, assets, or individuals |
| Moderate | Loss could have serious adverse effect |
| High | Loss could have severe or catastrophic adverse effect |
The overall system impact level is the high-water mark across all three objectives and all information types the system handles. A system that handles Moderate-confidentiality data and High-integrity data has an overall High impact level.
NIST SP 800-60 provides detailed guidance on mapping information types to impact levels — it's the reference document used during system categorization in the NIST RMF process.
Impact Level Characteristics for Cloud Systems
FISMA Low
Typical information: Publicly available information, non-sensitive research data, public-facing websites with no authentication.
Control baseline: NIST SP 800-53 Low baseline (~100 controls)
Cloud implication:
- Commercial cloud providers (AWS, Azure, GCP) with FedRAMP Low authorization are generally acceptable
- Data can typically reside in commercial regions (not GovCloud required)
- Lightweight ATO process — many agencies use FedRAMP Low P-ATOs and issue ATOs quickly
Reality check: Very few systems that hold any form of CUI, PII, or government business data qualify as Low impact. Agencies sometimes try to classify systems as Low to reduce compliance burden, but if the system processes any CUI, it almost certainly requires Moderate.
FISMA Moderate
Typical information: CUI (Controlled Unclassified Information), PII, most federal business systems, grant management, acquisition systems, healthcare data (non-classified).
Control baseline: NIST SP 800-53 Moderate baseline (~300+ controls)
Cloud implication:
- Most production federal systems run at Moderate
- FedRAMP Moderate authorization required for CSP
- AWS GovCloud or equivalent GovCloud regions typically required for systems with CUI
- Additional controls around encryption, access management, incident response, and continuous monitoring
- Three-year ATO cycle, with annual assessments and ConMon deliverables
The majority of Rutagon's federal cloud work operates at the Moderate boundary. This is where most agencies' operational systems live — it's the practical middle ground between low-impact utility and classified sensitivity.
FISMA High
Typical information: Law enforcement data, financial systems with large transaction volumes, emergency preparedness, systems where compromise could affect critical infrastructure.
Control baseline: NIST SP 800-53 High baseline (~400+ controls)
Cloud implication:
- Only a small subset of CSPs hold FedRAMP High authorizations
- AWS GovCloud (US) and Azure Government hold FedRAMP High authorizations; most commercial regions do not
- Physical security, personnel security, and supply chain controls become significantly more stringent
- Authorization timelines are longer and assessment costs are higher
- Many High-impact systems are operated on-premise or in government-owned data centers rather than commercial cloud
Note on IL4/IL5: DoD uses Impact Levels (IL) rather than FISMA Low/Moderate/High. IL4 maps roughly to FISMA Moderate for controlled unclassified DoD information; IL5 covers higher-sensitivity CUI and some national security information. These require cloud infrastructure accredited through the DoD Cloud Computing Security Requirements Guide (CC SRG).
The Categorization Process
Impact level selection follows the NIST RMF Step 1 (Categorize) process:
1. Identify information types: What categories of data does the system store, process, or transmit? Use NIST SP 800-60 Volume 2 to look up the provisional impact ratings for each information type.
2. Adjust impact levels: Agencies may adjust the provisional ratings up (but typically not down) based on local factors. A system processing mission-critical operations may have its Availability rating increased to High even if the provisional rating would be Moderate.
3. Determine overall system impact: Take the high-water mark across all objectives and all information types.
4. Document in the SSP: The system impact level determination is documented in the System Security Plan (SSP) and reviewed by the AO (Authorizing Official) during the ATO process.
Common mistakes in the categorization step:
- Scope creep: Including information that the system doesn't actually process, resulting in inflated impact levels
- Scope narrowing: Excluding information types to reduce impact level — this backfires at assessment time when assessors find the information in the system
- Ignoring third-party data flows: A system that passes data to or from other systems inherits characteristics of the data it handles
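The categorization steps above carried through in code, as an added example (not the article's or Rutagon's own tooling): each objective takes the high-water mark across information types, adjustments may only raise a provisional rating, and the overall level is the high-water mark across objectives. The information types, their ratings and the mission adjustment are constructed; the "any CUI means at least Moderate" floor is the article's rule of thumb, applied here to confidentiality as an assumption.

```python
"""FIPS 199 categorization worked as an added example (not the article's code).
Provisional ratings are CONSTRUCTED; real ones come from NIST SP 800-60 Vol 2."""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    is_cui: bool = False  # article's rule of thumb: any CUI => at least Moderate

def high_water_mark(levels):
    """Highest impact level among those given (the FIPS 199 high-water mark)."""
    return max(levels, key=RANK.__getitem__)

def categorize(info_types, adjustments=None):
    """Return ({objective: level}, overall). adjustments maps (info_type, objective)
    -> level and may only raise a provisional rating; lowering raises ValueError."""
    adjustments = adjustments or {}
    ratings = {}
    for obj in OBJECTIVES:
        per_type = []
        for it in info_types:
            level = getattr(it, obj)
            new = adjustments.get((it.name, obj))
            if new is not None:
                if RANK[new] < RANK[level]:
                    raise ValueError(f"{it.name}/{obj}: cannot lower {level} to {new}")
                level = new
            if it.is_cui and obj == "confidentiality":
                level = high_water_mark([level, "Moderate"])  # CUI floor (assumed)
            per_type.append(level)
        ratings[obj] = high_water_mark(per_type)
    return ratings, high_water_mark(ratings.values())

# Constructed sample system: a public site that also takes grant applications.
SAMPLE_TYPES = [
    InfoType("public web content", "Low", "Low", "Low"),
    InfoType("grant applications (PII)", "Low", "Moderate", "Low", is_cui=True),
    InfoType("emergency ops status", "Low", "Moderate", "Moderate"),
]
# The agency raises availability of emergency ops to High for mission reasons.
MISSION_ADJUSTMENT = {("emergency ops status", "availability"): "High"}
```

Without the adjustment the sample system categorizes as Moderate (driven by the CUI floor on confidentiality); with the availability adjustment it becomes High, which is the "scope narrowing" trap in reverse: one raised objective moves the whole system and its cloud requirement.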
GovCloud Architecture Implications
The GovCloud question — whether a system must run in AWS GovCloud, Azure Government, or equivalent — is often the first architecture decision tied to impact level selection.
GovCloud requirements by impact level:
| Impact Level | Typical Cloud Requirement |
|---|---|
| Low | Commercial cloud acceptable if CSP holds FedRAMP Low P-ATO |
| Moderate | GovCloud generally required for systems handling CUI |
| High | Only FedRAMP High-authorized cloud environments |
| DoD IL4/IL5 | DoD-specific CC SRG-compliant environments only |
AWS GovCloud architecture differences from commercial:
- Separate partition (`aws-us-gov`) — not all AWS services are available
- GovCloud accounts are not linked to commercial AWS organizations
- Some services (like AWS AI/ML services) have limited or no GovCloud availability — plan for this early
- Pricing is typically 15–25% higher than equivalent commercial regions
- Support and service launch timelines lag commercial by weeks to months
Designing a production system for GovCloud requires knowing the service availability matrix early. Systems designed in commercial AWS and later migrated to GovCloud often discover that 2–3 services they rely on are not available, requiring re-architecture.
Impact Level and ATO Timeline
Impact level directly affects ATO timeline and cost:
| Level | Typical Initial ATO Timeline | Annual ConMon Cost |
|---|---|---|
| Low | 3–6 months | Low ($20K–$50K/year) |
| Moderate | 9–18 months | Moderate ($80K–$200K/year) |
| High | 18–36 months | High ($250K–$500K+/year) |
These timelines assume competent preparation. Systems with poor documentation, incomplete security controls, or unresolved POA&M items take significantly longer.
Accelerating ATOs with strong architecture:
Systems designed with NIST 800-53 controls mapped to the architecture from the start — rather than retrofitted — consistently authorize faster. Infrastructure as Code with security controls embedded (SCPs, Config rules, GuardDuty policies) reduces manual assessment effort and produces machine-verifiable compliance evidence.
Frequently Asked Questions
What happens if I select the wrong FISMA impact level?
Selecting too low a level creates security and compliance risk — your control baseline won't adequately protect the information, and assessors may reject the ATO or require control additions. Selecting too high a level doesn't create a security problem, but it creates cost and timeline problems, potentially delaying deployment significantly. The right answer is to do the categorization properly using NIST SP 800-60 rather than gaming the outcome.
Does a system's FISMA impact level change over time?
Yes — and it requires an ATO update. If a system adds a new information type that increases the impact level (e.g., a Moderate system starts processing law enforcement data that's rated High), the SSP must be updated, the control baseline must be expanded, and re-authorization is required. This is why scoping the authorization boundary carefully at the start matters — unanticipated information type additions are expensive.
Can a cloud system share a FedRAMP authorization between multiple agencies?
Yes — this is the purpose of the FedRAMP P-ATO (Provisional Authorization to Operate) issued by the JAB (Joint Authorization Board). Agencies can leverage P-ATOs and issue their own ATO based on the JAB's assessment. This significantly reduces agency-specific assessment burden. However, agencies must still review the FedRAMP package and determine that the CSP's controls adequately address agency-specific requirements.
What is the relationship between FedRAMP and FISMA impact levels?
FedRAMP authorizations map directly to FISMA impact levels. A FedRAMP Moderate authorization means the CSP has demonstrated implementation of the NIST 800-53 Moderate control baseline for that cloud service. When an agency operates a FISMA Moderate system on a FedRAMP Moderate-authorized cloud, they can inherit the cloud provider's controls and focus their assessment on the application-layer controls they own.
How does FISMA High differ from classified information systems?
FISMA High is the highest level for unclassified federal systems. Classified information (Confidential, Secret, Top Secret/SCI) is governed by different authorities (CNSS Policy 22, ICD 503) and typically cannot be processed on commercial cloud infrastructure, even FedRAMP High. Classified workloads require government-owned or government-dedicated infrastructure and are authorized under different frameworks.