FedRAMP Baselines Explained: A Guide to Low, Moderate, and High Levels
Published: Apr 6, 2026
As federal agencies increasingly rely on cloud technologies to support mission-critical operations, ensuring those systems meet consistent security standards is essential. The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach for assessing, authorizing, and continuously monitoring cloud services used by the U.S. government.
A core component of the FedRAMP program is its baseline framework, which determines the minimum security requirements (controls) that cloud service providers (CSPs) must implement, based on the potential impact of a breach to confidentiality, integrity, and availability (CIA). Understanding how these levels work is essential for organizations pursuing FedRAMP authorization or supporting federal cloud environments.
In this blog post, we’ll detail the FedRAMP baselines, how to determine which applies to your system, and how those classifications map to the program’s required security requirements. This way you can better understand the controls your cloud environment must implement to achieve authorization.
What Are FedRAMP Baselines?
The FedRAMP baselines are Low, Moderate, and High, and progressively reflect the sensitivity of the data and systems involved. These levels directly influence the number and rigor of required security controls CSPs must implement to support federal systems.
Each baseline corresponds to a specific security baseline (outlined below), which defines the minimum set of controls organizations must implement in order to achieve FedRAMP authorization. As baselines increase from low to high, so do the security requirements, documentation expectations, and ongoing monitoring obligations for the CSP.
Essentially, FedRAMP baselines determine the scope, complexity, and effort required to demonstrate compliance.
FedRAMP Low Baseline
The FedRAMP Low baseline applies to cloud systems where a security breach would result in limited adverse effects on government operations, assets, or individuals. This level is intended for systems that handle non-sensitive government information or support public-facing services.
Key characteristics of Low baseline systems include:
- Minimal sensitive or confidential data
- Limited operational disruption if compromised
- Basic confidentiality, integrity, and availability requirements
Common use cases of Low baseline systems include public websites, open government data portals, informational platforms and low-risk SaaS applications.
FedRAMP Moderate Baseline
The FedRAMP Moderate baseline applies to cloud systems where a security breach could cause serious adverse effects on government operations, assets, or individuals. Most federal cloud systems fall under this category because it covers sensitive but unclassified data, often referred to as Controlled Unclassified Information (CUI).
Key characteristics of Moderate baseline systems include:
- Systems that handle sensitive government information that requires protection
- Systems in which operational disruption could have meaningful consequences
- Those that require stronger controls than Low baseline systems, including detailed monitoring and risk management
Common use cases of Moderate baseline systems include case management and workflow systems used by federal agencies, collaboration platforms and internal productivity tools, and cloud environments hosting government data with moderate confidentiality or integrity requirements.
FedRAMP High Baseline
The FedRAMP High baseline applies to cloud systems where a security breach could have severe or catastrophic effects on government operations, assets, or individuals. This level is reserved for systems that handle highly sensitive or mission-critical federal data, requiring the most rigorous security measures.
Key characteristics of High baseline systems include systems that:
- Process highly sensitive government information, such as national security, law enforcement, or critical infrastructure data
- Could cause severe operational, financial, or personal harm if compromised
- Demand advanced security controls, continuous monitoring, and robust risk management
Common use cases of High baseline systems include law enforcement and criminal justice systems, financial and tax systems, healthcare systems managing protected health information (PHI), and critical infrastructure and national security applications.
What Determines FedRAMP Security Baselines?
FedRAMP security baselines define the minimum set of security controls CSPs must implement to achieve authorization at each impact level. These baselines are derived from NIST Special Publication (SP) 800-53, which establishes standardized security and privacy controls for federal information systems and organizations.
Each FedRAMP baseline, described above, maps to a corresponding set of requirements for controls, documentation, and continuous monitoring activities. As baselines increase, the security requirements expand to include additional controls and more rigorous implementation minimums, as follows:
Low Security Baseline
FedRAMP Low baseline includes roughly 150 security controls, focused on foundational security measures such as:
- Access management and authentication
- Basic incident response procedures
- System configuration and change management
FedRAMP also offers a Low Impact SaaS (LI-SaaS) baseline, specifically designed for software-as-a-service providers hosting low-risk government data. This baseline reduces documentation requirements and simplifies continuous monitoring, enabling a faster, lower-cost authorization process.
Moderate Security Baseline
FedRAMP Moderate baseline includes over 320 security controls, covering a broad range of domains such as:
- Identity and access management
- Incident response and recovery planning
- Continuous monitoring and vulnerability management
- System and configuration management
Because Moderate systems handle sensitive information, CSPs must demonstrate more robust policies, processes, and monitoring compared to Low systems. This makes Moderate the default authorization level for many federal cloud services, balancing security rigor with implementation feasibility.
High Security Baseline
The FedRAMP High baseline includes over 400 security controls, extending those required for Moderate systems with additional emphasis on:
- Strong identity and access management (e.g., multi-factor authentication and privileged access monitoring)
- Advanced system monitoring, logging, and continuous risk assessment
- Enhanced incident response and disaster recovery procedures
- Strict configuration management and audit controls
Because of the complexity and sensitivity of High systems, obtaining FedRAMP High authorization typically requires significant investment in security operations, documentation, and ongoing compliance activities, but it enables CSPs to serve agencies with the most critical data requirements.
Together, FedRAMP baselines and security baselines provide a standardized framework that allows federal agencies to consistently evaluate whether cloud services meet the government’s security requirements.
Comparing FedRAMP Baselines
The table below summarizes the key characteristics, security control counts, and typical use cases for each FedRAMP baseline.
| FedRAMP Baseline | Potential Impact of Breach | Approximate Security Controls Count | FedRAMP Controls | Typical Use Case |
|---|---|---|---|---|
| Low | Limited adverse effects | ~150 | Low Baseline: Foundational controls | Public websites, open government data portals, informational platforms, low-risk SaaS applications |
| Moderate | Serious adverse effects | ~320 | Moderate Baseline: Expanded controls | Case management and workflow systems, collaboration and internal productivity tools, cloud environments hosting CUI |
| High | Severe or catastrophic effects | ~400+ | High Baseline: Most rigorous controls | Law enforcement and criminal justice systems, financial and tax systems, healthcare systems handling PHI, critical infrastructure and national security applications |
How to Determine the Right FedRAMP Baseline
Selecting the appropriate FedRAMP baseline is a critical step in planning your cloud system’s authorization journey as it determines which security baseline applies and the scope of required controls needed to achieve and maintain compliance.
To determine the right FedRAMP baseline level, CSPs should:
- Assess Data Sensitivity: Start by identifying the types of data your system will handle, determine if it will process CUI, and consider what the potential impact of a breach would be.
- Apply the FIPS 199 Categorization: FedRAMP uses FIPS 199 to evaluate potential impacts across confidentiality, integrity, and availability (CIA).
- Use the High-Water Mark Principle: The system’s overall categorization of low, moderate, or high is determined by the highest impact rating across confidentiality, integrity, and availability.
- Confirm Agency Requirements: Some federal agencies may mandate a specific baseline based on the system’s function or the type of data processed. Confirm requirements with the sponsoring agency before finalizing your categorization.
- Map to the Appropriate FedRAMP Baseline: Once you have determined your impact level, map it to the corresponding FedRAMP security baseline to identify the specific security controls and requirements your system must meet to achieve authorization.
Correctly determining your FedRAMP baseline early helps streamline compliance, avoid unnecessary costs, and ensures your cloud system meets federal security expectations.
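The FIPS 199 steps above (rate each information type on confidentiality, integrity, and availability, take the system rating per objective, then apply the high-water mark) are mechanical enough to script. The following is an added example, not code from the original post or from Schellman; it assumes a constructed one-line-per-information-type worksheet format (`name: C=LOW I=MODERATE A=LOW`) and, as FIPS 199 directs when a system handles several information types, takes the maximum rating per objective before applying the high-water mark. The `drivers` helper is an addition that reports which information type and objective pushed the system to its final level, which is the first thing to look at when deciding whether a data type can be kept out of scope.

```python
"""FIPS 199 high-water-mark categorization (added example; constructed data)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Impact(IntEnum):
    """FIPS 199 potential-impact values, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, rated on each security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def rating(self, objective: str) -> Impact:
        return getattr(self, objective)


def parse_worksheet(text: str) -> List[InfoType]:
    """Parse the assumed worksheet format: 'name: C=<impact> I=<impact> A=<impact>' per line.

    Blank lines and '#' comments are ignored; impact words are case-insensitive.
    """
    types: List[InfoType] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, ratings = line.partition(":")
        fields = dict(item.split("=", 1) for item in ratings.split())
        types.append(InfoType(
            name.strip(),
            Impact[fields["C"].upper()],
            Impact[fields["I"].upper()],
            Impact[fields["A"].upper()],
        ))
    return types


def objective_ratings(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """System rating per objective: the maximum across all information types."""
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {obj: max(t.rating(obj) for t in info_types) for obj in OBJECTIVES}


def high_water_mark(info_types: Iterable[InfoType]) -> Impact:
    """Overall categorization: the highest rating across the three objectives."""
    return max(objective_ratings(info_types).values())


def fedramp_baseline(info_types: Iterable[InfoType]) -> str:
    """Name of the FedRAMP baseline selected by the high-water mark."""
    names = {Impact.LOW: "Low", Impact.MODERATE: "Moderate", Impact.HIGH: "High"}
    return names[high_water_mark(info_types)]


def drivers(info_types: Iterable[InfoType]) -> List[Tuple[str, str]]:
    """(information type, objective) pairs whose rating equals the high-water mark."""
    info_types = list(info_types)
    mark = high_water_mark(info_types)
    return [(t.name, obj) for t in info_types for obj in OBJECTIVES if t.rating(obj) == mark]


# Constructed worksheet for a public-facing site that also accepts citizen submissions.
SAMPLE_WORKSHEET = """
# constructed example, not a real agency categorization
public web content:   C=LOW I=LOW      A=LOW
agency contact forms: C=LOW I=MODERATE A=LOW
"""

if __name__ == "__main__":
    types = parse_worksheet(SAMPLE_WORKSHEET)
    print(objective_ratings(types))
    # A single Moderate integrity rating lifts the whole system to Moderate.
    print(fedramp_baseline(types), drivers(types))
```

Running the sample shows the point of the high-water mark: two of three objectives are Low, but the Moderate integrity rating on the contact-form data alone selects the Moderate baseline and its ~320 controls, so scoping decisions about that one data type have a large effect on authorization cost.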
FedRAMP Impact Levels vs. DoD Impact Levels: An Important Distinction
It's worth noting that the term "impact level" means something different depending on the context. Within FedRAMP, the baseline levels Low, Moderate, and High are derived from the FIPS 199 categorization process and describe the potential consequences of a breach of confidentiality, integrity, or availability.
This is separate from the DoD Impact Levels (ILs) defined in the Department of Defense Cloud Computing Security Requirements Guide (CC SRG), which uses a different framework (IL2, IL4, IL5, and IL6) to classify DoD data and mission types for cloud environments. While FedRAMP authorization is often a prerequisite for serving DoD workloads, the two classification systems are not interchangeable.
The Importance of FedRAMP Baselines
Understanding FedRAMP baseline security levels is essential for any CSP seeking to work with federal agencies. The baseline level determines the scope and rigor of required security controls, which in turn drives the timeline, cost, and complexity of the authorization process.
Accurately assessing your system’s data sensitivity and applying the appropriate FedRAMP baseline enables you to ensure compliance with federal security requirements, reduce the risk of gaps or delays during authorization, and align resources effectively to meet documentation, monitoring, and operational obligations.
Whether your system falls under Low, Moderate, or High, a clear understanding of impact levels and baselines allows providers to plan strategically, implement controls efficiently, and confidently support mission-critical federal operations. In short, mastering FedRAMP baselines is a foundation for building secure, reliable cloud services that agencies can trust.
Schellman is the #1 service provider for FedRAMP 3PAO assessments. If you’re ready to begin your authorization journey or have any other questions around baselines, security controls and requirements, or the authorization process, contact us today.
About Nick Rundhaug
Nick Rundhaug is a Managing Director and Federal Practice Leader with Schellman. Nick has over 20 years of experience in the information technology field with 15 years’ experience in Federal frameworks for information technology. With a background as a network engineer and assessor, Nick specializes in the areas of cryptography, networking, and security mechanisms in cloud environments.