What are Impact Levels in StateRAMP Compliance?

StateRAMP Impact Levels Featured

As Cloud Service Providers (CSPs) work with State agencies, many of them are undergoing StateRAMP certification. Fortunately, StateRAMP is much like FedRAMP in that it follows several of the same guidelines, requirements, and process structures.

Here, we’ll break down one of the basic aspects of StateRAMP Impact Levels. The StateRAMP Impact level directly relates to the security required from an agency, and the kinds of controls that a CSP must implement. 

StateRAMP Impact Levels Article

What are StateRamp Impact Levels?

In federal security compliance, “impact levels” refer to the type of data that a system stores and the “impact” a breach of that data may have. Outlined in NIST SP 800-53, the impact levels associated specifically with FedRAMP certification and outlines the controls and safeguards that a CSP must have in place to meet certification requirements. StateRAMP adopts these requirements with a more limited scope.

There are three impact levels in StateRAMP:

  1. Low Impact: Low Impact is the base level of requirements that any CSP must meet. Additionally, if a CSP will handle information that could negatively impact an agency’s people, assets, or constituents, but the data itself is public. This level covers 125 required controls for compliance. At this level, a CSP will provide one of two levels of security. The first, low baseline, is appropriate for most CSPs working in government space and will complement a government’s mission. The second, low impact for SaaS systems which has lower requirements and targets specific platforms or features rather than entire cloud systems.
  2. Low Impact+: This level includes all requirements that fall under the Low Impact designation, with additional (but limited) controls from Moderate Impact included.
  3. Moderate Impact: This control level encompasses CSPs that will work with agencies handling private, unclassified data. With a baseline of 325 security controls to account for, including automation for managing IT systems like email or texts, or administrative tasks like transferring or terminating employees with access to data.


What are the Security Controls in StateRAMP and FedRAMP?

When we talk about “controls” in relation to StateRAMP or FedRAMP, we refer to a specific set of security measures outlined in NIST 800-53 and grouped into logical units:

  • Access Control (AC): This family of controls details requirements for logging access to assets, account management, privileges, and remote access logging.
  • Audit and Accountability (AU): Pertains to a CSP’s security auditing capabilities, including procedures, logging, etc.
  • Awareness and Training (AT): Protocols on security training and administrative educational measures.
  • Configuration Management (CM): Controls related to configuration policies, including policies around inventories, upgrades, and future builds.
  • Contingency Planning (CP): Relates to contingency plans in the event of a cybersecurity breach, including testing and training.
  • Identification and Authentication (IA): Controls for identifying and authenticating users and user management.
  • Incident Response (IR): Incident response training, testing, and monitoring.
  • Maintenance (MA): Relates to the upkeep and continued maintenance of tools and systems, as outlined in NIST 800-53 Rev. 5.
  • Media Protection (MP): Specifics controls the safe transport, storage, destruction/sanitation, and protection of storage media like hard drives.
  • Personnel Security (PS): Controls over personnel protection, including screening, hiring and termination procedures, and any NDA or access agreements.
  • Physical and Environmental Protection (PE): Physical security measures related to physical access to data stores, servers, workstations, mobile devices, etc. Also covers procedures for natural disasters and backup.
  • Planning (PL): Controls for security planning policies, including scope, responsibilities, management, and coordination among relevant departments.
  • Program Management (PM): Planning and controls for managing security like infrastructure plans and plans of action with milestones.
  • Risk Assessment (RA): Controls risk assessment politics and vulnerability scanning capabilities. Also includes any potential automation for that purpose.
  • Security Assessment and Authorization (CA): Pertains to items that supplement security assessments, including monitoring and maintenance assessments.
  • System and Communications Protection (SC): Protection for communication, including data-at-rest and in-transit protections, cryptography, encryption, denial of service protection, and so on.
  • System and Information Integrity (SI): Regulates information integrity, such as data remediation, protection against malware, monitoring and alerts, spam protection, and firmware integrity.
  • System and Services Acquisition (SA): Controls that manage the allocation of security resources, documentation, development, and configuration management. 


What are the StateRAMP Impact Levels?

Because StateRAMP is based on FedRAMP protocols, it uses several of the same categories but is mapped into numbered categories. Furthermore, StateRAMP doesn’t include FedRAMP High Impact categorization. Typically, a state government wouldn’t necessarily manage the same level of data that a federal agency would (for example, anything that would impact national security) so having that level of security would be unnecessary. 

Instead, StateRAMP utilizes three categories of security:

  1. Category 1, which aligns with FedRAMP Low Impact baselines.
  2. Category 2, which aligns with FedRAMP Low Impact baselines with some additional security from the Moderate Impacts baseline category for additional security.
  3. Category 3, which aligns fully with FedRAMP Moderate Impact baselines. 

Category 2 is currently in development, and its intended use is to provide flexibility for CSPs that don’t entirely call for a Category 3 control structure but need more than Category 1. 

While StateRAMP doesn’t include a Category 4 for High Impact security, StateRAMP and all participating organizations can require additional security measures that derive from High Impact designation depending on the needs of the agency. 


How Do I Determine My Impact Level and Security Controls for StateRAMP Certification?

A CSP must know its Impact Level before entering into the certification process because that impact level will shape the testing and assessment used during that process. 

The Impact Level is determined by the type of data used by the agency that will be part of the relationship with the CSP. A designation of Impact level works in accordance with FIPS Publication 199. More likely than not, a CSP will work closely with StateRAMP professionals and their 3PAO to determine their required security level.



These StateRAMP Impact Levels are there to guarantee that State agencies receive the most secure cloud services available as befits the data they manage. It also protects the CSP and the citizens represented by that agency by forcing the implementation of effective physical, technical, and administrative safeguards in place. 

A critical part of all of this is the 3PAO. If you’re a CSP working through the StateRAMP process, then your 3PAO can help you better understand your Impact Level, required controls, and how those play into the certification process. 

Want to learn more about how you can automate your StateRAMP and FedRAMP compliance efforts?  Call Continuum GRC at 1-888-896-6207 or contact us with the form below.

Continuum GRC