How are StateRAMP Categories Determined for Certification?

StateRAMP categories determination featured

One of the earliest tasks that Cloud Service Providers, 3PAOs, and state agencies complete are determining the security levels required to protect data in a cloud environment. FedRAMP uses federal standards and documentation to outline Impact Levels based on the importance of the data. StateRAMP follows suit by defining Impact Categories based on FedRAMP.

Here, we’ll break down just how these categories are determined to help you get a leg up on understanding what some of your responsibilities may be under StateRAMP regulations. 

StateRAMP categories determination

What are FedRAMP Impact Levels and How Do They Related to StateRAMP?

We’ve already written an article on the Impact Levels used in StateRAMP, but as a framing device for this article, we’ll briefly refresh you on what Impact Levels are for StateRAMP. 

StateRAMP data classification is based on FedRAMP Impact Levels, which are broken into three categories based on the importance of the data and the necessary controls needed to protect that data:

  1. Low Impact, referring to data that is generally public and that will not significantly impact citizens or the operation of the government agency in question.
  2. Moderate Impact, referring to data that is private and that could have a significant impact on citizens and agencies if stolen or modified.
  3. High Impact, referring to data that is private and that could be devastating to citizens or government agencies (including data like medical or financial data). 

Accordingly, StateRAMP organizes its own data classifications into three categories mapping onto some of these Impact Levels:

  1. Category 1: Low Impact
  2. Category 2: Low Impact with additional controls required
  3. Category 3: Moderate Impact

However, it’s probably obvious at this point that some of the language here is rather vague. It’s hard for non-technical individuals to understand what the differences are between these levels and how to determine the kinds of data that fall into each category. This is why the categorization of Impact Levels and StateRAMP Categories are governed by state and federal law. 


What are the Factors Used to Determine Impact Level?

FedRAMP Impact Levels are determined by factors outlined in the Federal Information Processing Standards (FIPS) 199 publication. This document standardizes how agencies and providers categorize data and related security requirements for information systems. 

FIPS 199 defines three security objectives:

  • Confidentiality: The need for relevant data to remain private and protected from unauthorized disclosure. This includes private citizen information or proprietary information related to an agency’s operations.
  • Integrity: The requirement that stored data remain unaltered, and that any alteration can be prevented, reported/logged, and reversed.
  • Availability: That data remains reliably accessible without compromising security. 

With these objectives, it’s easier to define the needs of each FedRAMP Impact Level. 

The Low Impact Level is appropriate for data where any breach in confidentiality, integrity, or accessibility would have a minimal impact on individuals or the agency. Many cloud offerings in the Low Impact category don’t store Personal Identifiable Information (PII) outside of some authentication information (passwords, usernames). Accordingly, the number of security controls required for this level of protection is lower (125). At this level, a breach won’t halt the operations of an agency. 

At the Moderate Impact Level, the agency in question most likely handles PII of some sort, and unauthorized disclosure or theft of sensitive information could significantly harm the privacy or well-being of individuals and hamper the operations of the agency in question. The Moderate Level includes more necessary controls to match the importance of the data (325 ). At this level, data breaches could cause severe operational or financial loss or personal harm that is not life-threatening. 

At the High Impact Level, you’re talking about data where a breach could constitute a devastating loss of privacy for an individual, if not direct personal or financial harm to them. The data at this level, if stolen, damaged, or disclosed, could result in the failure of an agency in continuing with its mission or serious, even life-threatening harm to individuals affected. At this level, a cloud provider will implement the most controls (421) to protect against a breach. 


Unique StateRAMP Categorization

As you can see, StateRAMP does not apply to agencies in the highest category. It does have documentation in place to help CSPs and 3PAOs understand how to map categories onto data without having to completely understand FedRAMP Impact Level:

  1. While StateRAMP Categories 1 and 3 map onto FedRAMP Impact Levels Low and Moderate, respectively, Category 2 falls somewhere in between. Depending on the data needs of an agency, Category 2 can include a selection of additional controls that don’t push the CSPs compliance demands fully into Category 3. This distinction gives many cloud providers some flexibility in working with agencies who effectively fall into a middle ground.
  2. StateRAMP can require, if deemed necessary, additional controls beyond Category 3. This is also a way to give CSPs flexibility to adapt to security demands without having to invest completely into the High Impact Level of controls.

Helpfully, StateRAMP provides a checklist/flowchart to help providers and 3PAOs define their category level. As a baseline, every CSP working with a state or local agency will default to a Category 1 classification. If any of the following are true, they graduate to Category 3:

  • The CSP will handle PII data.
  • The CSP will handle Private Health Information (PHI) as defined by HIPAA regulations.
  • The CSP will handle credit cards or other payment information (PCI data) as defined by PCI-SSC regulations.
  • The CSP will handle data that, if lost, stolen, or damaged, will disrupt the operations of their partner government agency.
  • The CSP will handle any data that will undermine the public trust of the partner government agency, or the government more broadly.

There are some caveats to this list:

  • Depending on the requirements of the agency, in coordination with StateRAMP officials, the CSP will adopt Category 2.
  • If the CSP handles any data related to criminal justice, foreign affairs, federal infrastructure, global trade, or national security, then they automatically graduate to FedRAMP High Impact regardless of any other information managed. 



When it comes to StateRAMP Categories and Impact Levels, the overlap between FedRAMP and StateRAMP is clear. Some of the gray areas between local, state, and federal agencies come to the forefront, and the proper controls and classifications must be used to protect citizens and governance more broadly. StateRAMP accommodates this mission by maintaining a flexible security categorization system that augments but ultimately falls back on, FedRAMP regulations.

Don’t undertake your StateRAMP or FedRAMP certification journey alone. Call Continuum GRC at 1-888-896-6207 or contact us with the form below to learn about automation and cloud tools to simplify complex compliance demands.

Continuum GRC