Understanding the 3 FISMA Compliance Levels: Low, Moderate, and High

by Tori Thurmond / January 31st, 2024

What is FISMA?

The Federal Information Security Management Act (FISMA) is a piece of United States legislation, enacted as part of the Electronic Government Act of 2002. FISMA’s intent is to protect government information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. FISMA is the law; NIST Special Publication 800-53, Security Controls for Federal Information Systems and Organizations, is the standard that contains the individual security controls required to comply with FISMA.

In addition to this, NIST developed FIPS Publication 199, which explains the standards for categorizing information and information systems to comply with FISMA. According to FIPS 199, information and information systems are defined by three security objectives: confidentiality, integrity, and availability. Should there be a loss of confidentiality, integrity, and availability, organizations must determine the potential impact according to the three FISMA compliance levels: low impact, moderate impact, and high impact.

3 FISMA Compliance Levels

To decide which of the three FISMA compliance levels applies to your organization, you’ll need to determine whether the potential impact to your organization would be limited, serious, or severe. NIST defines the three levels FISMA compliance levels as low impact, moderate impact, and high impact.

Low Impact

Low impact indicates that the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Examples of low impact incidents include:

  • A breach that causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
  • A breach that results in minor damage to organizational assets
  • A breach that results in minor financial loss
  • A breach that results in minor harm to individuals

Moderate Impact

Moderate impact indicates that the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Examples of incidents with moderate impact include:

  • A breach that causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
  • A breach that results in significant damage to organizational assets
  • A breach that results in significant financial loss
  • A breach that results in significant harm to individuals

High Impact

High impact indicates the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Examples include:

  • A breach that causes a severe degradation in mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
  • A breach that results in major damage to organizational assets
  • A breach that results in major financial loss
  • A breach that results in severe or catastrophic harm to individuals, involving loss of life or serious life-threatening injuries

Achieving FISMA Compliance

Determining which of the three FISMA compliance levels applies to your organization is the first step on your FISMA compliance journey. Once you determine your impact level, you can move on to deriving the information system impacted level in accordance with FIPS 200. Then you can apply the appropriately tailored set of baseline security controls in NIST SP 800-53.

This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation. Certification is achieved when an Authorization to Operate (ATO) is signed by a federal agency’s senior management official.

Partner with KirkpatrickPrice for Your FISMA Audit

At KirkpatrickPrice, we understand that trying to navigate the intricacies of audit frameworks is difficult, and, at times, overwhelming. Our senior-level experts can walk you through your FISMA compliance journey from audit readiness to final report. If you’re eager to get started on your FISMA audit or if it’s just something on your radar, let KirkpatrickPrice help you get started. Connect with one of our experts today.

More FISMA Resources

What Type of Compliance is Right for You? 10 Common Information Security Frameworks

Security Awareness Training Requirements: SOC 2, PCI, FISMA, and More

About the Author

Tori Thurmond

Tori Thurmond has degrees in both professional and creative writing. She has over five years of copywriting experience and enjoys making difficult topics, like cybersecurity compliance, accessible to all. Since starting at KirkpatrickPrice in 2022, she's earned her CC certification from (ISC)2 which has aided her ability to contribute to the company culture of educating, empowering, and inspiring KirkpatrickPrice's clients and team members.

Share Tweet Share Email

Related Posts