FedRAMP Levels Explained: Low vs. Moderate vs. High
Learn what each level covers, where the complexity lives, and how 20x changes the process.

If you’re a Cloud Service Provider (CSP) and you want to work with US federal agencies, you need FedRAMP authorization.
FedRAMP classifies every CSP as either Low, Moderate, or High impact. This classification determines your entire compliance scope and the number of controls you'll need to implement. Pick the wrong impact level and you're either over-investing in controls you don't need or pivoting partway through the process when you realize the data your organization handles requires a higher baseline.
In this guide, we'll cover what each FedRAMP impact level requires, what it takes to get authorized, and how FedRAMP 20x will change the way CSPs will prove compliance.
What Are FedRAMP Impact Levels?
FedRAMP impact levels categorize cloud services based on what would happen if the data in that system were compromised. The framework comes from FIPS 199, which evaluates security based on three key objectives:
- Confidentiality: Keeping sensitive government information safe.
- Integrity: Ensuring data is accurate and systems are secure.
- Availability: Making sure that systems remain operational and accessible when needed.
Each system is rated across all three objectives, and the highest rating sets your baseline (FedRAMP calls this the high water mark principle). So if your system mostly handles low-sensitivity data but also one category of moderate-impact information, you'll be required to meet FedRAMP Moderate standards.
Impact levels are set based on security requirements from NIST SP 800-53 Rev. 5, which outlines the necessary security controls. The FedRAMP Low baseline requires 156 controls, Moderate requires 323, and High requires 410. All three share the same 17 control families; the key difference is how deep you go within each.
Here’s what you need to know about each FedRAMP impact level:
Low Impact
FedRAMP Low covers systems where a breach would cause limited adverse effects — public-facing websites, non-sensitive collaboration tools, SaaS applications that store only login credentials.
The Low baseline requires 156 controls across the 17 families, and is designed primarily for systems not handling sensitive information. There's also an LI-SaaS variant with fewer testing requirements for low-impact SaaS that doesn't store sensitive Personally Identifiable Information (PII) beyond login data.
Under 5% of FedRAMP-authorized products sit at Low because low doesn't align with how most SaaS products or CSPs handle data — the moment you're processing anything beyond public information, you need a higher baseline.
Moderate Impact
Moderate is the default for most organizations selling to the federal government. It covers controlled unclassified information (CUI), financial records, and personal data beyond basic login credentials. If a breach of your system would cause serious harm to agency operations, assets, or individuals, this is your level.
The FedRAMP Moderate baseline requires 323 controls, more than double the Low baseline. The increase is spread across nearly every control family, but a few stand out:
- System and Communications Protection goes from 10 controls at Low to 20 at Moderate.
- Physical and Environmental Protection jumps from 10 to 16.
- Access Control goes from 11 to 18.
Data from the FedRAMP Marketplace shows that around three quarters (73%) of FedRAMP authorized CSPs are Moderate.
High Impact
FedRAMP High is for systems where a breach could threaten life, national security, or cause severe financial harm. Law enforcement databases, emergency services platforms, financial systems, and healthcare infrastructure fall here.
The High baseline requires 410 controls (87 more than Moderate). But the gap between Moderate and High isn't just about count — High also requires more evidence and the implementation demands are much higher.
Currently, around 16% of FedRAMP-authorized CSPs are High Impact.
How FedRAMP 20x Will Change FedRAMP Authorization
Achieving traditional FedRAMP Rev. 5 authorization is time and cost prohibitive for many fast-growing, innovative companies. Since its introduction, only around 400 to 500 businesses have completed the authorization process.
FedRAMP 20x is being introduced to change that.
Traditional FedRAMP required writing a System Security Plan (SSP) — hundreds of pages explaining how you meet each NIST 800-53 control — then going through an assessment with a 3PAO that could stretch past a year.
Under 20x, you design your systems upfront for continuous monitoring through Key Security Indicators (KSIs). Your infrastructure produces machine-readable evidence in formats like OSCAL automatically, with assessors verifying your automated outputs instead of reading through static documents.
We've talked to assessors from the Phase 1 and Phase 2 pilots who completed 20x Low assessments in a matter of weeks. Compare that to the traditional route: 12 to 18 months and $500K to over $1M all-in, and you can see how 20x could open the door to federal agency contracts for many more organizations.
FedRAMP 20x also flips how you spend your time when preparing for authorization. Once 20x is rolled out to all Low and Moderate authorizations (Phase 3), organizations will need to invest much more upfront designing continuous compliance and meeting KSIs, with much less spent on the supporting documentation and the audit itself, because your systems are collecting evidence around the clock.
Currently, the FedRAMP 20x rollout is on schedule. Phase 1 (Low pilot) is complete with 12 authorizations from 26 submissions. Phase 2 (Moderate pilot) ran through March 2026, with broader Low and Moderate openings targeted for Q3 2026. High is planned for Phase 4 in FY27.
Note: As 20x rolls out, FedRAMP is also consolidating its naming. All authorizations (both Rev5 and 20x) will carry a single FedRAMP Certified designation, with marketplace filters distinguishing the assessment method.
Which Level Does Your Organization Need?
To figure out what level your organization requires, you should first identify every type of information your system processes (for example: PII, CUI, health records, law enforcement data) and then rate the potential impact to confidentiality, integrity, and availability for each type. The highest rating across all data types and all three objectives becomes your system's impact level.
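The categorization procedure above (rate each information type across confidentiality, integrity and availability, then take the highest rating as the system's level) can be written down as a small script. The example below is added here and is not from the article or from FedRAMP; the inventory of information types and their ratings is constructed for illustration, and the function and class names are this example's own. It also reports which information type drove the result, which is the question a scoping discussion usually turns on.

```python
from dataclasses import dataclass

# Ordered impact ratings; the position is the rank used for the high water mark.
IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")
_RANK = {level: i for i, level in enumerate(IMPACT_LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Control counts per FedRAMP baseline, as stated in the article.
BASELINE_CONTROLS = {"LOW": 156, "MODERATE": 323, "HIGH": 410}


@dataclass(frozen=True)
class InformationType:
    """One kind of information the system handles, rated per FIPS 199 objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject anything outside LOW/MODERATE/HIGH so a typo cannot silently lower a rating.
        for objective in OBJECTIVES:
            rating = getattr(self, objective)
            if rating not in _RANK:
                raise ValueError(f"{self.name}: invalid {objective} rating {rating!r}")

    def rating(self, objective):
        return getattr(self, objective)


def _highest(ratings):
    return max(ratings, key=_RANK.__getitem__)


def categorize_objectives(info_types):
    """Per-objective high water mark across every information type in the inventory."""
    if not info_types:
        raise ValueError("an inventory must contain at least one information type")
    return {
        objective: _highest(t.rating(objective) for t in info_types)
        for objective in OBJECTIVES
    }


def system_impact_level(info_types):
    """Overall impact level: the highest rating across all three objectives."""
    return _highest(categorize_objectives(info_types).values())


def driving_types(info_types):
    """Names of the information types whose ratings set the overall level.

    Useful when deciding whether one data type could be kept out of the
    authorization boundary to stay at a lower baseline.
    """
    level = system_impact_level(info_types)
    return [t.name for t in info_types
            if any(t.rating(o) == level for o in OBJECTIVES)]


def security_category(info_types):
    """FIPS 199 style notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({o}, {r})" for o, r in categorize_objectives(info_types).items())
    return "SC = {" + parts + "}"


# Constructed sample inventory for a hypothetical SaaS product (not from the article).
SAMPLE_INVENTORY = (
    InformationType("public marketing content", "LOW", "LOW", "LOW"),
    InformationType("user login credentials", "LOW", "LOW", "LOW"),
    InformationType("contract CUI", "MODERATE", "MODERATE", "LOW"),
)

if __name__ == "__main__":
    level = system_impact_level(SAMPLE_INVENTORY)
    print(security_category(SAMPLE_INVENTORY))
    print(f"FedRAMP {level}: {BASELINE_CONTROLS[level]} controls, "
          f"driven by {driving_types(SAMPLE_INVENTORY)}")
```

Run as written, the script rates the sample system Moderate even though two of its three information types are Low, because the single CUI type sets the confidentiality and integrity high water marks. Dropping that type from the inventory (or from the boundary) brings the result back to Low.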
In practice, most CSPs will require Moderate. High is required for systems related to critical government infrastructure — law enforcement platforms, emergency response systems, and classified-adjacent data. Low suits products that handle only publicly available or non-sensitive data.
Companies that already have commercial compliance frameworks like SOC 2 or ISO 27001 in place have a head start. There is some overlap between commercial frameworks and FedRAMP, but there's still significant work that needs to be done to meet all the required NIST 800-53 controls and to build out the infrastructure needed to support FedRAMP 20x's continuous monitoring.
Is Your Organization Thinking About FedRAMP?
When it comes to defining which FedRAMP impact level your organization needs, most will fall in Moderate. But there are, of course, still situations where Low and High will be required.
FedRAMP is on track to stop accepting new Rev5 authorizations at the end of FY27, with the focus switching to authorizations through FedRAMP 20x — 20x is designed to be faster, less expensive, and built for cloud companies that already run modern security tooling. If you're starting a FedRAMP program today, 20x is the path to plan around.
What excites me about 20x is how it changes the way companies think about compliance and cybersecurity more broadly. With SOC 2, the conversation is often "how do we generate the evidence we need?" With 20x, it shifts to "how do we build security that continuously proves itself?" That investment carries over to every framework you touch afterward.
Workstreet's public sector practice is built around helping modern cloud companies open up to the federal market. If you're exploring FedRAMP and want to understand what it would look like for your company, talk to our team. We'll walk you through which level applies and what it would take to get authorized.