FedRAMP Levels Explained: Low, Moderate, and High Impact
A detailed guide to FedRAMP impact levels — Low, Moderate, and High — including control counts, data types, authorization paths, and how to choose the right level for your cloud service.
Choosing the right FedRAMP impact level is one of the most consequential decisions a cloud service provider makes when entering the federal market. Target too low and you limit your addressable market. Target too high and you burn through budget and timeline on controls you may not need. This guide breaks down the three FedRAMP levels so you can make an informed decision.
The Federal Risk and Authorization Management Program organizes its security requirements into three impact levels — Low, Moderate, and High — derived from the FIPS 199 standard for categorizing federal information systems. Each level represents a different degree of rigor, a different volume of security controls, and a different set of federal use cases. Understanding these levels in detail is essential for cloud service providers planning their FedRAMP authorization strategy, budgeting for FedRAMP costs, and positioning their products for the right segment of the federal market.
How FedRAMP Levels Are Determined: FIPS 199 Categorization
FedRAMP impact levels are not arbitrary tiers. They are derived from FIPS Publication 199, the Federal Information Processing Standard for categorizing information and information systems based on the potential impact of a security breach. FIPS 199 evaluates three security objectives:
- Confidentiality — The impact if information were disclosed to unauthorized individuals
- Integrity — The impact if information were modified or destroyed without authorization
- Availability — The impact if access to information or the system were disrupted
For each security objective, the potential impact is rated as Low, Moderate, or High. The overall system categorization takes the high-water mark — the highest impact level across all three objectives. This means a system with Low confidentiality impact, Moderate integrity impact, and Low availability impact would be categorized as Moderate overall.
The High-Water Mark Principle
The high-water mark approach is one of the most misunderstood aspects of FIPS 199 categorization. Cloud service providers sometimes assume they can achieve a Low categorization because most of their data is non-sensitive, but even a small amount of PII or CUI processed by the system can elevate the entire categorization to Moderate.
In our experience, this discovery often happens late in the planning process. A provider targeting FedRAMP Low realizes during agency discussions that one data field — a user's email address combined with their agency affiliation, for example — constitutes PII under federal definitions, bumping the system to Moderate.
What we tell clients: inventory every data element your system will touch before committing to an impact level. Include data generated by the system (logs, metadata, analytics) in addition to data explicitly stored.
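As an added illustration that is not part of the original article, the code below applies the FIPS 199 high-water mark rule to a constructed data inventory for a hypothetical scheduling tool that its provider hoped to keep at Low. The element names and their per-objective ratings are assumptions; system-generated data (the access log) is included alongside stored data, as the inventory advice above recommends.

```python
from dataclasses import dataclass

# FIPS 199 impact ratings, ranked so the maximum is the high-water mark.
IMPACT_RANK = {"Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class DataElement:
    name: str
    source: str  # "stored" or "generated" (logs, metadata, analytics)
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            if getattr(self, obj) not in IMPACT_RANK:
                raise ValueError(f"{self.name}: bad {obj} rating {getattr(self, obj)!r}")


def objective_levels(inventory):
    """Per-objective high-water mark across every data element the system touches."""
    return {
        obj: max((getattr(e, obj) for e in inventory), key=IMPACT_RANK.get)
        for obj in OBJECTIVES
    }


def system_categorization(inventory):
    """Overall FIPS 199 category: the highest impact across the three objectives."""
    levels = objective_levels(inventory)
    overall = max(levels.values(), key=IMPACT_RANK.get)
    return overall, levels


def drivers(inventory, overall):
    """Elements rated at the overall level on any objective: the fields that 'bump' the system."""
    return sorted({e.name for e in inventory for obj in OBJECTIVES if getattr(e, obj) == overall})


# Constructed inventory (assumed values) for a hypothetical scheduling tool.
INVENTORY = [
    DataElement("meeting title", "stored", "Low", "Low", "Low"),
    DataElement("room availability", "stored", "Low", "Low", "Low"),
    # Email plus agency affiliation is PII under federal definitions.
    DataElement("user email + agency affiliation", "stored", "Moderate", "Low", "Low"),
    # Generated data counts too: the access log carries user ids and IP addresses.
    DataElement("access log (IP, user id, timestamp)", "generated", "Moderate", "Moderate", "Low"),
]

if __name__ == "__main__":
    overall, levels = system_categorization(INVENTORY)
    print(f"Overall: {overall}  per-objective: {levels}")
    print("Driven by:", drivers(INVENTORY, overall))
```

Two Moderate-rated elements are enough to take the whole system to Moderate even though most of the inventory is Low; dropping either one would not change the result, which is the situation providers discover late.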
FedRAMP Low: Limited Adverse Effect
FedRAMP Low is the entry-level authorization baseline, designed for cloud services where the loss of confidentiality, integrity, or availability would have a limited adverse effect on organizational operations, assets, or individuals.
Control Requirements
FedRAMP Low requires approximately 125 security controls drawn from the NIST SP 800-53 catalog. These controls cover fundamental security practices:
- Access control and authentication (including multi-factor authentication for privileged users)
- Audit logging and monitoring
- Configuration management and change control
- Contingency planning (basic backup and recovery)
- Incident response planning
- System and communications protection (encryption in transit)
- Vulnerability scanning and remediation
While 125 controls is the smallest FedRAMP baseline, it still represents a significant engineering and documentation effort. Each control must be implemented, documented in the System Security Plan, and validated by a 3PAO assessor.
Appropriate Data Types and Use Cases
FedRAMP Low is appropriate for systems that handle:
- Publicly available government data (open data, public records)
- Non-sensitive operational data (scheduling tools, project tracking without sensitive content)
- Systems where temporary unavailability would be inconvenient but not harmful
- Collaboration tools used for non-sensitive discussions
Who Pursues FedRAMP Low
In practice, relatively few cloud providers pursue FedRAMP Low as their authorization target. The reason is market size: most federal cloud use cases involve at least some sensitive data, which pushes the categorization to Moderate. FedRAMP Low is most commonly pursued by:
- Providers of public-facing government websites and content management systems
- Basic collaboration and scheduling tools
- Open data platforms and analytics tools operating on publicly releasable datasets
| Aspect | FedRAMP Low |
|---|---|
| Control count | ~125 |
| Typical timeline | 6–10 months |
| Typical cost | Varies based on scope and complexity |
| Market coverage | ~15% of federal cloud use cases |
| Key distinguishing controls | Basic MFA, standard encryption in transit, annual vulnerability scanning |
FedRAMP Moderate: Serious Adverse Effect
FedRAMP Moderate is the most widely adopted baseline, appropriate for systems where the loss of confidentiality, integrity, or availability would have a serious adverse effect on organizational operations, assets, or individuals. This is the baseline that covers the vast majority of federal cloud computing.
Control Requirements
FedRAMP Moderate requires approximately 325 security controls — more than two and a half times the Low baseline. The additional controls address more sophisticated threats and provide deeper protections:
- Enhanced access control — Role-based access control, session management, remote access restrictions, and mobile device management
- Advanced audit capabilities — Centralized log management, automated audit review, correlation and analysis, and protection of audit information
- Comprehensive configuration management — Automated configuration monitoring, software whitelist enforcement, and developer configuration management
- Robust contingency planning — Alternate processing sites, system backup at defined frequencies, full disaster recovery testing
- Encryption at rest and in transit — FIPS 140-2 validated cryptographic modules for all federal data
- Enhanced incident response — Automated incident handling, correlation with threat intelligence, chain of custody for forensic evidence
- Personnel security — Background screening requirements, third-party personnel controls, access agreements
- Supply chain risk management — Assessment of third-party components, software provenance tracking
Appropriate Data Types and Use Cases
FedRAMP Moderate covers systems that handle:
- Personally Identifiable Information (PII) — employee records, citizen data, benefit information
- Controlled Unclassified Information (CUI)
- Financial data — budget information, procurement records, payment data
- Sensitive but unclassified (SBU) information
- Medical information not subject to additional regulatory regimes
- Law enforcement sensitive information (some categories)
- Proprietary government information — pre-decisional policy documents, acquisition-sensitive data
Why Moderate Is the Default
Approximately 80 percent of federal cloud use cases fall within the FedRAMP Moderate baseline. This is not because agencies are conservative — it is because almost any system that federal employees use in their daily work touches at least some data that qualifies as PII, CUI, or SBU. Employee names, email addresses, organizational affiliations, and work product almost always elevate a system beyond the Low threshold.
In our experience, cloud providers that initially target FedRAMP Low often end up pivoting to Moderate during the categorization process. If there is any possibility your system will handle PII — and there almost always is — plan for Moderate from the beginning.
| Aspect | FedRAMP Moderate |
|---|---|
| Control count | ~325 |
| Typical timeline | 12–18 months |
| Typical cost | Varies based on scope and complexity |
| Market coverage | ~80% of federal cloud use cases |
| Key distinguishing controls | FIPS 140-2 encryption, comprehensive RBAC, disaster recovery, automated monitoring, supply chain risk management |
FedRAMP High: Severe or Catastrophic Effect
FedRAMP High is the most rigorous baseline, designed for systems where a security breach could have a severe or catastrophic adverse effect on organizational operations, assets, or individuals — including loss of life, significant financial harm, or damage to national security.
Control Requirements
FedRAMP High requires approximately 421 security controls, adding roughly 100 controls beyond the Moderate baseline. These additional controls address the most sophisticated threat actors and provide the deepest protections available under FedRAMP:
- Advanced access control — Dual authorization for critical operations, dynamic privilege management, and information flow enforcement at granular data-element levels
- Comprehensive audit and accountability — Cross-organizational audit processing, real-time alerting, and non-repudiation mechanisms
- Stringent configuration management — Automated response to unauthorized changes, integrity verification of software and firmware, and hardware provenance controls
- High-availability contingency planning — Zero or near-zero recovery time objectives, geographic separation of backup sites, and full operational redundancy
- Advanced incident response — Coordination with law enforcement and intelligence community, automated incident response actions, and dynamic reconfiguration capability
- Enhanced system protection — Boundary protection with deep packet inspection, protection against advanced persistent threats, covert channel analysis, and heterogeneous computing environments
Appropriate Data Types and Use Cases
FedRAMP High is required for systems that handle:
- Law enforcement investigation data
- Emergency services and public safety information
- Critical infrastructure control data (energy, transportation, water systems)
- Healthcare data subject to heightened protection beyond HIPAA
- Immigration and border security information
- Information that, if compromised, could directly endanger lives
- Sensitive financial regulatory data
Who Pursues FedRAMP High
FedRAMP High is pursued by a relatively small number of cloud providers, typically large infrastructure and platform companies serving the most sensitive federal missions. As of early 2026, fewer than 50 cloud services hold FedRAMP High authorization, compared to more than 300 at the Moderate level.
The agencies that most commonly require FedRAMP High include the Department of Defense, Department of Homeland Security, Department of Justice, Department of Health and Human Services (for certain programs), and intelligence community-adjacent organizations.
| Aspect | FedRAMP High |
|---|---|
| Control count | ~421 |
| Typical timeline | 18–24+ months |
| Typical cost | Varies; substantially higher than Moderate |
| Market coverage | ~5% of federal cloud use cases |
| Key distinguishing controls | Dual authorization, real-time alerting, geographic redundancy, APT protection, covert channel analysis |
Side-by-Side Comparison
| Dimension | Low | Moderate | High |
|---|---|---|---|
| Security controls | ~125 | ~325 | ~421 |
| FIPS 199 impact | Limited adverse effect | Serious adverse effect | Severe or catastrophic |
| Data sensitivity | Public, non-sensitive | PII, CUI, SBU | Law enforcement, critical infrastructure, life-safety |
| Encryption standard | Encryption in transit | FIPS 140-2 at rest and in transit | FIPS 140-2 with additional key management |
| MFA requirement | Privileged users | All users accessing federal data | All users, with hardware token or equivalent |
| Recovery objectives | Best effort | Defined RTO/RPO | Near-zero RTO, geographic redundancy |
| Vulnerability scanning | Monthly | Monthly with automated remediation tracking | Continuous or near-continuous |
| 3PAO assessment scope | 4–6 weeks | 6–10 weeks | 10–16 weeks |
| Annual continuous monitoring cost | Lower | Moderate | Higher |
| Typical authorization timeline | 6–10 months | 12–18 months | 18–24+ months |
FedRAMP Authorization Paths
Understanding FedRAMP levels is inseparable from understanding the authorization paths available. The FedRAMP Authorization Act of 2022 codified two primary paths, both available at any impact level.
Agency Authorization Path
Under the Agency Authorization path, a specific federal agency sponsors your cloud service and works with you through the authorization process. The sponsoring agency's Authorizing Official issues an ATO for your service, and you then submit the authorization package to the FedRAMP PMO for review and listing in the FedRAMP Marketplace.
Advantages:
- Faster than the JAB path — you work directly with one agency
- The sponsoring agency has a vested interest in your success (they want to use your product)
- More flexibility in timeline and milestone negotiation
Considerations:
- Requires finding an agency sponsor willing to be the first adopter
- The initial ATO applies to that agency; other agencies still must issue their own ATOs (though the reusable package streamlines this)
- Quality and rigor of the authorization depend on the sponsoring agency's practices
Joint Authorization Board (JAB) Path
The JAB path involves review by the Joint Authorization Board, which includes representatives from the Department of Defense, Department of Homeland Security, and General Services Administration. A JAB P-ATO (Provisional Authority to Operate) represents the highest level of FedRAMP vetting.
Advantages:
- Most widely recognized authorization in the federal market
- Reviewed by security experts from three major agencies
- Strongest signal of security maturity to prospective agency customers
Considerations:
- Competitive process — the JAB prioritizes cloud services with demonstrated federal demand
- Longer timeline than Agency Authorization
- More rigorous review process with less flexibility for negotiation
Choosing Your Path
For most cloud providers new to FedRAMP, we recommend the Agency Authorization path. Finding an agency sponsor provides a concrete customer relationship, a defined timeline, and a partner invested in your authorization success. The JAB path is most appropriate for established cloud providers with existing federal traction and a product that serves cross-government needs.
How to Choose the Right FedRAMP Level
Selecting your FedRAMP level is fundamentally a business decision informed by technical requirements. Here is the decision framework we use with clients:
Step 1: Inventory Your Federal Data
Before choosing a level, understand what data your system will touch. Map every data element to its sensitivity category. If any data element qualifies as PII, CUI, or SBU, you are looking at Moderate at minimum.
Step 2: Identify Your Target Agencies
Different agencies have different baseline requirements. If your target customers are civilian agencies processing PII, Moderate is sufficient. If you are targeting DOD, DHS, or DOJ for sensitive mission applications, High may be required regardless of the data types.
Step 3: Assess Your Market Opportunity
FedRAMP Low limits you to roughly 15 percent of the federal cloud market. Moderate opens approximately 80 percent. High covers the remaining 5 percent but at dramatically higher cost. For most commercial cloud providers, Moderate offers the optimal cost-to-market-coverage ratio.
Step 4: Evaluate Your Budget and Timeline
Be honest about your resources. FedRAMP High requires a substantial multi-year investment and 18 to 24 months. If your company cannot sustain that investment, targeting Moderate with a future upgrade path to High is a more pragmatic strategy. See our FedRAMP cost breakdown for detailed planning considerations.
Step 5: Plan for Growth
If you are currently targeting Low but expect to handle PII within the next 12 to 18 months, pursuing Moderate now avoids a costly re-authorization later. The incremental cost of achieving Moderate upfront is significantly less than the cost of upgrading from Low to Moderate after authorization.
Recent Changes: The FedRAMP Authorization Act
The FedRAMP Authorization Act of 2022, signed into law as part of the FY2023 National Defense Authorization Act, codified FedRAMP into federal law for the first time. Key implications for impact levels include:
- Presumption of adequacy — Once a cloud service achieves FedRAMP authorization at any level, agencies must presume the authorization is adequate for their needs at that level, reducing duplicative assessments
- Automation and modernization — The Act directs GSA to automate FedRAMP processes, which is expected to reduce timelines and costs across all impact levels
- Reciprocity enforcement — Agencies are more strongly encouraged to accept existing FedRAMP authorizations rather than imposing additional requirements
- Pilot programs — New pilot programs aimed at reducing the burden on small cloud providers are being developed, particularly for the Low and Moderate baselines
These changes benefit cloud providers at all levels by reducing the time and cost of authorization and making existing authorizations more portable across agencies.
How Agency Can Help
At Agency, we help cloud service providers navigate the FedRAMP level selection process and build toward authorization efficiently. Whether you are a startup evaluating FedRAMP for the first time or an established provider considering an upgrade from Moderate to High, our team can guide you through categorization, control selection, and the authorization path that best fits your business objectives and federal market strategy. For SBIR companies entering the federal space, we offer tailored programs that align with the unique constraints of grant-funded development.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.