In RMF, what is the purpose of assigning impact levels (low/medium/high) to a system?

Impact levels in RMF indicate how severe a potential breach could be for a system’s confidentiality, integrity, and availability. This drives which security controls are required and how rigorously those controls must be assessed and authorized. A high impact level means stronger, more comprehensive controls and a more thorough assessment and authorization process; moderate and low impact levels scale the controls and the evaluation effort accordingly. The whole purpose is to tailor protections to the level of risk, ensuring resources match potential harm. This focus isn’t about network addressing, password policy specifics, or database indexing strategies, which are separate considerations.