FedRAMP High: Which Organizations Need It and What Authorization Requires
FedRAMP High is for Cloud Service Providers handling extremely sensitive data. Here's what you need to know and what authorization requires.

If you're a Cloud Service Provider (CSP) selling into the US federal market, FedRAMP is the price of admission.
FedRAMP High is the highest impact level and is generally only required for CSPs that handle sensitive government data related to national security, public health, law enforcement, or other critical functions where a breach could threaten public safety or national security.
Only around 16% of organizations that require FedRAMP authorization land in the High baseline. For the vast majority, Moderate or Low is sufficient, as confirmed by FedRAMP marketplace data that shows around 73% of FedRAMP-authorized CSPs are Moderate, about 11% are Low or LI-SaaS, and only 16% are High.
If your organization needs FedRAMP High, this guide covers what's required, how High compares to Moderate, and what the path to authorization looks like.
What FedRAMP High Is and Which Organizations Need It
FedRAMP High is the baseline for cloud systems where a breach would cause severe harm to government operations, federal assets, or public safety. It's the most rigorous of the three FedRAMP impact levels, with around 410 controls drawn from NIST SP 800-53 Rev. 5.
The level is set using FIPS 199, which evaluates a system against three security objectives — confidentiality, integrity, and availability — and applies the high-water-mark principle. If any one of those three objectives is High, the entire system is High.
High is generally reserved for CSPs handling data related to:
- Law enforcement
- Emergency services
- Federal financial systems
- Healthcare systems handling Protected Health Information (PHI)
- Systems touching Controlled Unclassified Information (CUI)
- Critical infrastructure
How FedRAMP High Compares to Moderate
The FedRAMP High baseline requires organizations to meet 410 controls, compared to 323 for Moderate. However, the difference isn’t just the number of controls. High also introduces additional control enhancements for areas like audit logging, incident response, and integrity.
A few control families absorb most of the additional weight:
- System and Communications Protection (SC)
- Audit and Accountability (AU)
- Access Control (AC)
- Contingency Planning (CP)
- System and Information Integrity (SI)
At the High baseline, organizations are required to maintain more complex systems that come under continuous scrutiny. While penetration testing and incident response testing are required at Moderate and Low baselines as well, High introduces expectations that generally lead to more frequent testing and deeper validation.
Tooling can also change at FedRAMP High. Most CSPs at this baseline will need to run on FedRAMP High authorized infrastructure like AWS GovCloud or Azure Government. If you rely on Microsoft 365, you may also need to look at Microsoft GCC High rather than commercial GCC.
When Moderate Will Do
As we’ve established, most CSPs requiring FedRAMP will be at the Moderate level. Often, the decision comes down to the type of data your systems store or process for federal customers. If any data triggers the High baseline, then High is required. If not, Moderate is the way to go.
A CSP that builds to High when Moderate would have done is potentially looking at two to three times the cost and a much longer timeline to authorization. With 20x reshaping the economics and timeline for Low and Moderate (more on that below), the case for confirming your baseline before you commit is stronger than ever.
The Path to FedRAMP High Authorization
Only around 400 organizations have completed FedRAMP authorization since the program was introduced, and only a small percentage of those have achieved High authorization.
The reasons? First, High isn’t required by many CSPs. Second, the traditional FedRAMP Rev5 process is cost- and time-intensive. Starting from scratch, FedRAMP authorization can take 12-18 months and cost $500K to $1M+ all-in. Plus, CSPs need an agency sponsor to open the door in the first place.
Beyond implementing the NIST SP 800-53 controls, the current FedRAMP Rev5 process is very document-heavy. CSPs will need to produce the following documents:
- System Security Plan (SSP)
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Plan of Actions and Milestones (POA&M)
At the High baseline, each document is substantially larger than at Low and Moderate due to the number of controls and deeper evidence expectations.
The costs concentrate in a few places. The 3PAO assessment itself is the obvious line item, but the biggest drivers of cost tend to be staffing and/or consultants to help build the controls, documentation, and infrastructure.
For a deeper breakdown, our guide on the cost of FedRAMP certification walks through both Rev5 costs and likely costs for the FedRAMP 20x route when that opens up.
FedRAMP 20x and the High Baseline
FedRAMP 20x is the program's new authorization path. It’s currently in the pilot phase with Low and Moderate authorizations set to open up by the end of 2026 — though the High pilot isn’t planned until 2027.
FedRAMP 20x completely changes the way FedRAMP authorization works with machine-readable evidence, continuous monitoring, and Key Security Indicators (KSIs) replacing the narrative-heavy Rev5 process. It also removes the need for agency sponsors.
Here’s where 20x stands today:
- Phase 1 (FY25 Q3-Q4): The 20x Low pilot is complete.
- Phase 2 (FY26 Q1-Q2): The 20x Moderate pilot is in progress.
- Phase 3 (FY26 Q3-Q4): Wide-scale 20x Low and Moderate authorizations are planned.
- Phase 4 (FY27 Q1-Q2): 20x High pilot.
- Phase 5 (FY27 Q3-Q4): FedRAMP stops accepting new Rev5 agency authorizations.
During the 20x Low and Moderate pilots, CSPs are getting through authorizations much faster. But this route likely won’t be open to High authorizations until 2027. The Phase 4 pilot is also aimed at hyperscalers first, so even when 20x reaches the High baseline, it's likely to be a narrow door at the start.
Is Your Organization Looking at FedRAMP High?
Most CSPs targeting the federal market will require the Moderate baseline. But if High is the right answer for your organization, it's worth committing to the process with a clear-eyed view of the timeline, the cost, and the fact that 20x won't reach the High baseline until well into 2027.
Choosing the appropriate level for your organization is the biggest decision you'll make on the road to authorization. It impacts everything from the cost and timeline to the work required to meet the baseline.
Workstreet's public sector practice is built around helping cloud companies open up to the federal market. If you're weighing up FedRAMP authorization and want to discuss which baseline meets your needs and the roadmap to authorization, talk to our team.

