BLOG
July 13, 2026
decorative
Travis Good

FedRAMP 20x Class B vs.Class C: Which Is the Right Fit?

Low and Moderate are now Class B and Class C. What separates them under FedRAMP 20x, and how to decide which is the right fit for your business. 

If you're a cloud service provider (CSP) selling to federal agencies or looking to open up to the federal market, you need FedRAMP certification.

FedRAMP has four classes that are replacing the previous impact levels: Class A (a new entry-level class), B (Low), C (Moderate), and D (High). The class impacts your complete compliance scope.

If you're looking at the new FedRAMP 20x guidelines and aren't quite sure where you'll land, this guide will help you.

FedRAMP Low and Moderate Are Now Class B and Class C

FedRAMP launched the Consolidated Rules for 2026 (CR26) on June 25, 2026, and one of the key changes replaced impact levels with FedRAMP certification classes.

There are four certification classes that replace the Low, Moderate, and High impact levels. Class A is a new entry-level path onto the Marketplace, Class B covers what used to be Low, Class C is the equivalent of Moderate, and Class D covers High.

The reason FedRAMP made the switch is that the old FIPS 199 impact-level labels caused some confusion with Department of War Impact Levels. Another change from CR26 switched FedRAMP authorization to FedRAMP certification.

Class A, B, and C can be achieved via the new 20x pathway, with Class D (High) still running through Rev5, though a 20x High pilot is targeted for FY27.

What FedRAMP Class B Covers

Class B is for services where a breach would do limited harm, where data is generally publicly available (like public-facing websites), or SaaS that stores minimal personally identifiable information (PII) beyond login credentials. It's the equivalent of the old Low impact level, with the LI-SaaS (Low-Impact SaaS) level included.

Under Rev5, Low meant 156 NIST SP 800-53 controls. Under 20x you're required to meet a baseline set of Key Security Indicators (KSIs), and compliance is demonstrated through automated, code-based validation rather than an SSP and a one-off audit.

Under Rev5, fewer than 5% of authorized businesses sat at Low, and that's likely to continue as FedRAMP 20x rolls out.

What FedRAMP Class C Covers

Class C is the most common certification level for businesses in the FedRAMP Marketplace, so if you're looking to scale your business in the public sector, achieving Class C certification could open up a much larger market.

Class C is the default for companies handling CUI, financial records, or personal information beyond login credentials. It's for data that, if compromised, could cause serious harm. As such, the Class C requirements involve more KSIs and technical requirements than Class B.

Under 20x, there are five additional KSIs that need to be met at Class C. Class C also requires greater depth, maturity, and automated validation across each KSI. So the gap between Class B and Class C is more about the evidence behind your KSIs than implementing additional KSIs.

How to Determine Your Impact Level

Your impact level really comes down to the level of data your business will be required to handle and the potential impact a breach of that data could have.

Under FedRAMP 20x, both Class B and C require automated, continuous validation. But as you move from Class B to C the requirements become more stringent, requiring greater depth, maturity, and automation across KSIs. At Class B automated validation should be in place, while at Class C it must be in place. As you move from Class B to C the requirements become more stringent, requiring greater depth, maturity, and automation across KSIs.

Class BLow Class CModerate
Data impact Limited harm Serious harm
Automated, continuous compliance Should be in place Must be in place
KSIs 41 mandatory 46 mandatory
Authentication MFA Phishing-resistant MFA

For an example of how a KSI can differ at Class B and C, let's look at KSI-IAM-APM: Adopting Passwordless Methods. For both classes the KSI is the same. It requires passwordless authentication where feasible, or strong passwords with phishing-resistant MFA. But the way you validate it is different:

Class BLow Class CModerate
The provider should have at least one automated method validating the KSI. The provider must have at least two automated validation methods for the KSI.
Historical KSI metrics are recommended. At least six months of historical metrics from persistent validation are mandatory.
Example: an identity-provider report showing that all workforce accounts have phishing-resistant MFA enabled. Example: that same identity-provider report, plus an independent configuration or access-analysis tool confirming that no accounts, applications or authentication paths bypass the policy.

A business meeting Class B could demonstrate phishing-resistant MFA through an automated report from its identity provider. But at Class C, you'd need stronger, independently corroborated evidence.

So, while on the surface implementing five more KSIs may seem straightforward, there's a lot of extra work that goes into proving compliance at Class C. Opting to pursue FedRAMP 20x Class C is a big decision that can impact how your business handles data and proves compliance.

But I also feel this is where security is heading. Continuous compliance and machine-led validation feel like the future we're building toward, with or without FedRAMP. The companies building toward Class C now will be in a great position to win the federal world, but they'll also come out with stronger security practices, which is a win all around.

When FedRAMP Class A Is the Better Starting Point

If you're completely new to federal compliance, FedRAMP just introduced Class A as a starting point. Class A is an entry-level certification that enables cloud service providers to list on the FedRAMP Marketplace off the back of a SOC 2 Type II report, alongside 25 mandatory FedRAMP rules and a set of KSIs.

Class A will still require significant work on top of your SOC 2. And it's more of an on-ramp to federal work than anything else, as it gives you a listing in the Preparation phase of the Marketplace and opens a two-year window to reach a full Class B, C, or D certification and stay in the Marketplace.

But Class A can make sense if you hold a current SOC 2 Type II and you're planning to expand into the federal market through FedRAMP 20x. (Check out our full SOC 2 to FedRAMP 20x mapping here.)

If you're already chasing large contracts that demand Class B (Low) or C (Moderate) authorization, then you should skip Class A and go directly to B or C.

The Class B and Class C Pipelines Are Opening Up

FedRAMP is opening up the 20x Class B and C submission pipelines on August 31, 2026.

If you're choosing between Class B and C, the data you handle will almost certainly make the decision for you, with the vast majority of organizations landing in Class C.

FedRAMP 20x also removes the need for an agency sponsor, so if the federal market is one you're keen to pursue, the doors are opening up. If you're weighing up FedRAMP certification and want to know what achieving Class B or C would take for your company specifically, talk to our team. Workstreet is the fastest, most automated, and most cost-effective route to FedRAMP.

Turn compliance into a growth engine: Workstreet delivers full-stack solutions that transform security and compliance into growth accelerators. Talk to an expert →
Build trust, accelerate growth.
Workstreet offers Al-first security solutions that help high growth technology companies get compliant, scale securely, and close bigger deals.
Get started
Ready to Transform Security into a Growth Advantage
Schedule a consultation with our trust solutions experts to see how we can accelerate your security program and compliance journey.
Talk to an engineer
Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.