FedRAMP Moderate and High: Two Pathways to the Federal Market
FedRAMP authorization is how SaaS companies access the federal market. The decision most vendors face is between Moderate and High, two pathways designed for different data environments.
The right one depends entirely on which agencies the vendor wants to serve and what data those agencies handle.
This guide explains each pathway on its own terms, what determines which one a vendor needs, how the requirements differ, and how to avoid common planning mistakes along the way.
Key Takeaways
- FedRAMP Moderate and High are two authorization pathways designed for different federal data environments, not different tiers of quality.
- Moderate covers standard Controlled Unclassified Information (CUI); High covers the most sensitive unclassified data, such as law enforcement, healthcare, and national security information.
- Under FIPS 199's high watermark rule, if any data type in scope is rated High for any security objective, the entire system requires FedRAMP High.
- Switching from Moderate to High later is costly. The move requires a new authorization package, a full reassessment, and often significant infrastructure migration, not just additional controls.
What Is FedRAMP Moderate?
FedRAMP Moderate is a security authorization level for cloud services handling Controlled Unclassified Information (CUI). It applies to systems that process, store, or transmit federal data where a breach could cause "serious adverse effects" on an agency's operations, assets, or individuals. Such effects could include operational damage, financial loss, or individual harm that doesn't involve loss of life or serious physical harm.
Moderate covers many common federal cloud use cases, including financial records, HR data, personally identifiable information of citizens, and public-facing agency applications. It accounts for nearly 80% of cloud service offerings that receive FedRAMP authorization, making it by far the most common impact level.
FedRAMP Moderate is often the correct and complete authorization required of SaaS vendors targeting civilian agencies handling standard CUI, such as GSA procurement systems, Department of Education administrative systems, EPA regulatory systems, HHS general administration, Treasury general administration, or State Department administrative functions.
What Is FedRAMP High?
FedRAMP High is a security authorization level for cloud services handling the government's most sensitive unclassified data. It applies to systems that process, store, or transmit federal data where a compromise could cause "severe or catastrophic adverse effects" on an agency's operations, assets, or individuals. These adverse effects include threats to human life, national security, critical infrastructure, or severe financial harm.
High covers use cases involving the most sensitive categories of unclassified government data, including law enforcement records, emergency services data, healthcare records, financial enforcement data, and critical infrastructure information.
FedRAMP High is often the correct and required authorization for SaaS vendors targeting agencies and programs such as the Department of Justice, FBI law enforcement systems, CMS Medicare/Medicaid data, or VA veteran health records.
How FIPS 199 Determines the Authorization Pathway
Both FedRAMP Moderate and FedRAMP High are governed by the Federal Information Processing Standard (FIPS) 199, which provides the standards for categorizing federal information and information systems. The categorization is based on the potential impact that a security event would have on an organization's ability to accomplish its mission, maintain its day-to-day functions, and protect individuals.
FIPS 199 evaluates that impact across three security objectives:
- Confidentiality: protecting personal privacy and proprietary information from unauthorized access and disclosure.
- Integrity: guarding stored information against unauthorized modification or destruction.
- Availability: ensuring timely and reliable access to information.
Each of these objectives is rated at an impact level (Low, Moderate, or High) for the data in scope. The categorization follows a high watermark rule: if any single data type processed by the system has a security objective rated High under FIPS 199, the entire system becomes a High-impact system requiring FedRAMP High. There's no partial categorization and no way to architect around it within a single authorization boundary.
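A worked version of the high watermark rule, added here as an illustration and not taken from the article: each information type in scope carries a confidentiality/integrity/availability rating, the system's rating per objective is the highest any type carries, and the overall level is the highest of the three. The information types and ratings in EXAMPLE_SCOPE are constructed for the example.

```python
# Added example: FIPS 199 high-watermark categorization of a system from the
# information types inside its authorization boundary. The data types and
# ratings below are constructed, not taken from any real system.
from typing import Dict, Tuple

# FIPS 199 impact values in ascending order. "NA" (not applicable) is permitted
# only for the confidentiality objective, e.g. for public information.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: Dict[str, Tuple[str, str, str]]) -> Dict[str, str]:
    """Return per-objective ratings and the overall system impact level."""
    if not info_types:
        raise ValueError("at least one information type must be in scope")
    watermark = {obj: "NA" for obj in OBJECTIVES}
    for name, ratings in info_types.items():
        if len(ratings) != len(OBJECTIVES):
            raise ValueError(f"{name}: expected a C/I/A triple, got {ratings!r}")
        for obj, value in zip(OBJECTIVES, ratings):
            value = value.upper()
            if value not in IMPACT_RANK:
                raise ValueError(f"{name}: unknown impact value {value!r}")
            if value == "NA" and obj != "confidentiality":
                raise ValueError(f"{name}: NA is only valid for confidentiality")
            # High watermark: keep the highest rating seen for this objective.
            if IMPACT_RANK[value] > IMPACT_RANK[watermark[obj]]:
                watermark[obj] = value
    # At the system level FIPS 199 only allows LOW, MODERATE or HIGH, so a
    # boundary holding nothing but public data still categorizes as LOW.
    if watermark["confidentiality"] == "NA":
        watermark["confidentiality"] = "LOW"
    overall = max(watermark.values(), key=lambda v: IMPACT_RANK[v])
    return {**watermark, "system": overall}


def required_pathway(info_types: Dict[str, Tuple[str, str, str]]) -> str:
    """Map the overall system impact level to the FedRAMP pathway it implies."""
    return "FedRAMP " + categorize_system(info_types)["system"].capitalize()


# Constructed scope: standard CUI plus a single law enforcement data type.
EXAMPLE_SCOPE = {
    "hr_records": ("MODERATE", "MODERATE", "LOW"),
    "public_web_content": ("NA", "MODERATE", "MODERATE"),
    "law_enforcement_case_files": ("HIGH", "MODERATE", "MODERATE"),
}

if __name__ == "__main__":
    print(categorize_system(EXAMPLE_SCOPE))
    print(required_pathway(EXAMPLE_SCOPE))
```

Removing the law enforcement data type from the scope drops the system to Moderate, which is the whole point of the rule: one High-rated data type decides the pathway for the entire boundary.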
Differences Between FedRAMP Moderate and FedRAMP High
Because data environments differ, the controls required to protect them vary. The table below summarizes the key requirement differences under the current National Institute of Standards and Technology (NIST) 800-53 baselines:
The cost and timeline differences are proportional to these requirements. Moderate and High carry different initial authorization and annual maintenance burdens, with High generally requiring more investment in both.
Why Switching Pathways Later Is Harder Than It Sounds
Some SaaS companies start with FedRAMP Moderate with the assumption that they can move to FedRAMP High later if the business demands it. This assumption is reasonable in most software contexts, where higher tiers build incrementally on lower ones. In FedRAMP, it's a misunderstanding of how impact levels work.
Moving from Moderate to High requires a new authorization package, a full reassessment by a 3PAO, and implementation of every additional control. But the compliance work isn't even the primary obstacle. The infrastructure migration is.
A company authorized at Moderate can't assume the same environment can simply be reassessed against the High baseline. In many traditional cloud patterns, the move to High means changes in cloud partitioning, service availability, networking, personnel operations, and continuous monitoring design. Those changes can trigger reassessment of infrastructure-dependent controls across the entire security package.
The result is that each pathway locks in infrastructure decisions, personnel structures, and monitoring architectures that are expensive to unwind. If the three-year roadmap includes agencies or programs that require High, it's often more efficient to start on the High pathway from the beginning rather than migrating later.
How a Pre-Authorized Boundary Simplifies Either Pathway
Much of the cost differential between Moderate and High is due to infrastructure, not compliance documentation. A pre-authorized boundary can remove that infrastructure burden entirely from the vendor's responsibility.
Knox Systems is a FedRAMP-as-a-Service platform that holds both FedRAMP Moderate and FedRAMP High authorizations and also supports DISA IL4, meaning it can serve vendors pursuing either pathway. It operates a multi-cloud boundary across AWS, Azure, and Google Cloud Platform (GCP).
Vendors deploy their applications inside the Knox boundary, inheriting the infrastructure-level controls that Knox has already authorized. The decisions that normally define the pathway choice, such as cloud environment, continuous monitoring architecture, and automated access revocation systems, are already made and authorized. Instead of making those irreversible commitments upfront, the vendor's engineering team focuses on application-level controls while the Knox boundary handles the infrastructure layer, whether the target is Moderate or High.
Companies like BigID have used this model to target FedRAMP authorization in about 90 days, a timeline that would be difficult to achieve on the traditional route at either impact level. For prime contractors assembling proposals with SaaS subcontractors, this also eliminates one of the most persistent bid-risk factors: whether a preferred technology component can reach the required authorization level before the contract timeline demands it.
The pathway-switching problem becomes more manageable as well. A vendor authorized at Moderate through the Knox boundary doesn't face a cloud migration or continuous monitoring rebuild if High becomes necessary. The Knox boundary already operates at High. The re-assessment scope narrows to the delta in application-level controls rather than a full infrastructure re-architecture.
The Right Pathway Is a Market Alignment Decision
The Moderate-versus-High decision isn't about choosing a "better" or "higher" tier. It's a market alignment decision: which agencies does the vendor want to serve, and what data do those agencies handle?
With the Joint Authorization Board (JAB) shut down and authorization now centered on agency sponsorship, the sponsoring agency's data classification directly determines which pathway a vendor must pursue. Contract solicitation language is the definitive source: if a solicitation specifies FedRAMP High, that's the requirement regardless of whether a vendor believes Moderate would suffice.
The Department of Defense (DoD) operates on a separate but related framework. The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide uses Impact Levels rather than FedRAMP designations. IL5 builds on FedRAMP High, adding DoD requirements. A FedRAMP High authorization doesn't automatically confer IL5. Vendors must separately obtain a DoD Provisional Authorization or an Authority to Operate (ATO) from DISA.
Three factors should drive the choice:
- The data types the application will touch. If any data type triggers a High categorization under FIPS 199, the High pathway is required. No amount of architectural creativity changes it.
- The target agencies. If the pipeline includes DoD, VA, DHS, DOJ, CMS, IRS, or SSA use cases involving High-impact data, FedRAMP High is the pathway. If the pipeline is civilian agencies handling standard CUI, FedRAMP Moderate is the pathway.
- The three-year roadmap. If agencies requiring High are on the horizon, starting on the High pathway avoids a costly migration later. If they're not, Moderate is the right fit, and there's no reason to overbuild.
FedRAMP High remains a constrained part of the market, and that supply gap is itself a federal security problem. For vendors whose target agencies require High, the competitive field is thinner, and the opportunity is real.
Neither the FedRAMP Moderate nor the High pathway is inherently better. Moderate is the right answer for vendors serving civilian agencies with standard CUI. High is the right answer for vendors targeting agencies that handle law enforcement, healthcare, national security, or critical infrastructure data. The only wrong choice is the one that doesn't match the market a vendor actually wants to serve.
The pathway decision is the first step. Once the data types, target agencies, and three-year roadmap are clear, the rest of the authorization process has a foundation to build on.
Knox can help vendors move through either pathway — reach out to talk through how you can get started in the right direction.