
FedRAMP Levels Explained: High vs Moderate vs Low (and the New Certification Classes)

Selling your SaaS to federal agencies gets complex fast when you have to choose the right FedRAMP level. Your choice between Low, Moderate, and High impact tiers shapes your entire compliance requirement, potentially adding hundreds of security controls and several months to your preparation time. This guide explains the differences between FedRAMP High, Moderate, and Low clearly, helps you pick the right tier for your SaaS, and brings you up to date on an important 2026 change: FedRAMP is replacing the Low/Moderate/High labels with new lettered Certification Classes. We cover both, so you understand the levels as they exist today and where they are headed.

FedRAMP Levels at a Glance: High vs Moderate vs Low

Before diving into detail, here is the side-by-side comparison most providers come here for. This table covers the three impact levels as the market still refers to them today, with the new Certification Class shown alongside each.

Dimension Low Impact Moderate Impact High Impact
Breach consequence Limited adverse effect Serious adverse effect Severe or catastrophic effect
Approx. security controls ~125–156 ~323–325 ~410
Data handled Public or minimal-PII data CUI, PII, financial records Most sensitive unclassified data
Typical use cases Public websites, collaboration tools, training platforms HR, finance, CRM, document management Law enforcement, emergency services, healthcare, financial
Marketplace share ~11% ~73–80% (most common) ~16%
New Certification Class (CR26) Class B (with Li-SaaS) Class C Class D

The short version: most SaaS providers land on Moderate, which dominates the marketplace because it balances strong security with practical implementation. Low is the entry tier for non-sensitive data, and High is reserved for systems where a breach could be catastrophic. The rest of this guide explains how to know which one fits you, and how the new classes change the labels without changing the underlying baselines much.

A 2026 Update: Low, Moderate, and High Are Becoming Classes B, C, and D

Before going deeper, it is worth understanding a terminology change underway, because you will encounter both vocabularies for a while.

One of the most consequential changes in FedRAMP’s Consolidated Rules for 2026 (CR26) is the replacement of FIPS 199 impact level terminology, Low, Moderate, and High, with a new Certification Class structure. The change is anchored in NTC-0004, published February 25, 2026. CR26 is scheduled to be released at the end of June 2026 and to remain in effect through December 2028. As of this writing, the legacy Low, Moderate, and High labels are still the operative terminology, with the class system arriving as a transition.

Here is the official mapping. Under CR26, Class A will be a new pilot baseline, Class B will include the current Li-SaaS and Low baselines, Class C will include the current Moderate baseline, and Class D will include the current High baseline. Note the nuance: Low does not become Class A. Class A is a new pilot tier, and Low folds into Class B alongside Li-SaaS.

Two points keep this from being alarming. First, this is mostly a relabeling. Expect changes in language, not substance; for the most part, Certification Classes map one-to-one to the impact levels, and the main reason for the change is to create unique terminology that does not overlap or conflict with DoW/DoD Impact Levels, which use confusingly similar words. Second, existing authorizations carry over. A provider authorized at Moderate today simply becomes FedRAMP Certified at Class C without needing to re-authorize. Throughout the rest of this guide, we use the Low/Moderate/High terminology that remains current, and note the class equivalent where useful.

What Are FedRAMP Impact Levels and Why They Matter

FedRAMP places cloud services into security tiers based on how sensitive the government data is. These classifications tell cloud service providers (CSPs) how to protect federal information and which security measures to implement.

Definition of FedRAMP Levels: Low, Moderate, High

FedRAMP splits cloud service offerings into three security levels with increasingly strict requirements.

  • Low Impact covers cases where a breach would not seriously affect agency operations, assets, or people. It safeguards non-sensitive or public-facing information with minimal personally identifiable information (PII), and requires roughly 125 to 156 security controls. Public websites, simple collaboration tools, and apps that only store login details are typical examples.
  • Moderate Impact covers situations where a security problem could seriously affect operations or individuals. This is the most common choice, making up roughly 73 to 80% of all authorized CSPs. Moderate systems handle controlled unclassified information (CUI), PII, financial records, and other sensitive but unclassified data, and require approximately 323 to 325 controls.
  • High Impact is for critical systems where a breach could be catastrophic, leading to loss of life, major financial loss, or threats to national security. High systems protect the government’s most sensitive unclassified information, especially in law enforcement, emergency services, healthcare, and financial domains, and require the most comprehensive framework, approximately 410 controls.

A special Low Impact Software-as-a-Service (LI-SaaS) baseline exists as an optimized version of Low requirements for simple SaaS apps that do not store sensitive PII beyond login details.

FIPS 199 and the Role of Confidentiality, Integrity, Availability

[Figure: how the FIPS 199 high-water mark calculation determines the final impact level]

Federal Information Processing Standard (FIPS) 199 is the foundation of the FedRAMP impact levels. It sets up three security objectives:

  • Confidentiality: Protecting authorized information access limits and preventing unauthorized information disclosure
  • Integrity: Protecting information from improper changes or destruction and ensuring it stays authentic
  • Availability: Making sure people can access and use information and systems reliably

Each objective is rated independently as Low, Moderate, or High based on what would happen if it were compromised (confidentiality alone may also be rated Not Applicable, for information that is already public). A system might need High confidentiality but only Moderate integrity and availability. FIPS 199 then applies the "high water mark" concept in two steps: for each objective, the system's rating is the highest rating of that objective across all the information types the system processes; then the overall impact level is the highest of the three objective ratings. So if any single objective for any information type needs High protection, the whole system becomes High impact, even if the other areas need less.

How FedRAMP Levels Affect SaaS Compliance Strategy

The level you choose shapes your entire compliance experience, and the differences go well beyond the control count, from about 125 for Low to roughly 410 for High. Each level demands different amounts of time, resources, and expertise. Authorization paths shift with levels too: simpler SaaS apps can use optimized pathways, while High impact systems usually need more thorough agency sponsorship.

Think about not just the data you handle now but what you might need later. Moving from Moderate to High later takes substantial extra work, so starting higher can open more contract types. But getting the category right matters in both directions: too few controls risks rejection during authorization, while too many creates compliance work you do not need. Most SaaS providers find Moderate works best, which is why it covers roughly 73% of authorized cloud services.

Understanding the Low Impact Level and LI-SaaS Baseline

[Figure: FedRAMP impact levels by approximate control count, from Low through Moderate to High]

FedRAMP Low Impact is where many cloud service providers start their journey to work with federal agencies. This baseline sets the minimum security requirements for cloud systems where any loss of confidentiality, integrity, or availability would only slightly disrupt government operations.

Use Cases: Public-Facing Apps and Minimal PII

Low Impact systems handle information that’s available to the public or data with minimal risk if compromised. These systems work best for:

  • Public-facing websites and content management systems
  • Non-sensitive collaboration and project management tools
  • Training and educational platforms
  • Development and test environments (without production data)
  • Simple workflow applications without sensitive information
  • Media editing tools like image or video editors

The LI-SaaS variant of Low (described below) can't store personally identifiable information (PII) beyond what it needs for simple login functionality (username, password, and email address); any extra PII rules a system out of LI-SaaS. The standard Low baseline does not carry that strict limit, but it is only appropriate where exposure of the data would have a limited adverse effect.

A federal agency might use a Low Impact service to share public information, enable basic internal collaboration, or deliver workforce training, all cases where exposed data would cause minimal harm.

LI-SaaS vs Standard Low Baseline: Control Differences

[Figure: the full standard Low path compared with the optimized LI-SaaS framework]

FedRAMP created the LI-SaaS framework, also known as “FedRAMP Tailored,” to help simpler SaaS applications with minimal risk profiles move through authorization faster. To qualify as LI-SaaS, a service must operate in a cloud environment, be fully operational, meet the NIST definition of SaaS, contain no PII beyond login credentials, have a FIPS 199 Low categorization, and be hosted on already FedRAMP-authorized infrastructure.

Standard Low and LI-SaaS differ mainly in control implementation. Standard Low requires full documentation and assessment of all controls. LI-SaaS splits its controls into three categories:

  • 45 required controls that need full documentation and independent assessment,
  • 20 conditional controls documented and assessed only under specific conditions, and
  • 75 controls needing only attestation without documentation or independent assessment.

FedRAMP also found that 13 controls from the standard Low baseline do not affect SaaS security, and 3 typically remain the federal government’s responsibility.

Control Count: ~125–156 Controls for Low Impact

The number of security controls quoted for Low Impact systems varies between sources, mainly because the baseline changed with the move from NIST SP 800-53 Rev. 4 to Rev. 5: the Rev. 4 Low baseline had 125 controls, and the current Rev. 5 baseline has 156. Figures of "approximately 125-156" are spanning those two numbers.

By comparison, Moderate needs 323 controls under Rev. 5 (325 under Rev. 4) and High about 410, a progression that shows how risk levels shape security requirements.

Low Impact might be the entry-level tier, but it still demands solid security measures. Systems must meet relevant NIST 800-53 controls, undergo yearly assessments, and run monthly scans. On the FedRAMP Marketplace, Low Impact systems make up roughly 11% of offerings, which suggests most federal cloud systems handle information that needs higher tiers.

Moderate Impact Level: The Most Common FedRAMP Tier

Sitting at the center of the FedRAMP security spectrum, Moderate Impact level has become the predominant choice for cloud service providers seeking government authorization. This tier balances robust security with practical implementation requirements, making it suitable for a wide range of cloud services handling sensitive but unclassified federal information.

Why Most CSPs Choose Moderate Impact

Moderate dominates the FedRAMP landscape, accounting for roughly 73 to 80% of all authorized cloud service offerings. As of mid-2025, a large majority of the offerings listed in the marketplace were authorized, ready, or working toward authorization at the Moderate level.

This adoption happens because Moderate strikes an optimal balance between security and implementation complexity. It is designated for systems where a breach would cause serious adverse effects on operations, assets, or individuals, such as significant financial loss, mission disruption, or reputational damage, though not life-threatening consequences. The designation is especially appropriate for cloud services handling CUI or sensitive PII, and many agencies require it for operational systems, creating substantial demand.

Examples: HR Systems, Financial Apps, CRM Platforms

Moderate impact systems typically process information that requires protection beyond public data but falls short of critical national security concerns. Common examples include:

  • Financial management systems and accounting platforms
  • Human resources and payroll applications
  • Case management and grant tracking tools
  • Document management solutions
  • Collaboration platforms and project management tools

Presently, many recognizable cloud services have achieved FedRAMP Moderate authorization, such as:

  • Atlassian Government Cloud
  • AWS US East/West
  • Cisco Webex for Government
  • Cloudflare for Government
  • IBM Data Services
  • Slack
  • Zoom for Government

These systems typically handle sensitive unclassified data including HR records, financial information, trade secrets, and internal policy documents. Correspondingly, they require more comprehensive security measures than public-facing applications.

FedRAMP Moderate Baseline: ~325 Security Controls

The Moderate baseline demands substantially more controls than Low. Counts quoted across sources range from 323 to 325: 325 was the Rev. 4 Moderate baseline, and the current NIST SP 800-53 Rev. 5 baseline has 323. These controls focus heavily on access management, encryption, audit logging, incident response, vulnerability management, and continuous monitoring.

Achieving Moderate authorization requires substantial documentation, including a comprehensive System Security Plan detailing every control’s implementation. CSPs must undergo independent assessment by a FedRAMP-accredited Third-Party Assessment Organization (3PAO) and maintain an ongoing continuous monitoring program with regular vulnerability scanning, incident response testing, and periodic security assessments.

High Impact Level: For Critical and Sensitive Systems

[Figure: comparison of the FedRAMP High and Moderate baselines by controls, data sensitivity, use cases, and marketplace share. Image source: Secureframe]

FedRAMP High (the future Class D) sits at the top of the security hierarchy, covering cloud systems that handle the government’s most sensitive unclassified data. Its requirements go well beyond typical commercial security frameworks.

What is FedRAMP High and Who Needs It?

FedRAMP High covers systems where a breach could cause severe or catastrophic damage to operations, assets, or people. It protects the government’s most sensitive unclassified information, specifically data whose compromise could threaten life or cause financial ruin. This level aligns with a FIPS 199 categorization where at least one security objective rates as High.

High impact systems protect information where a breach could lead to loss of human life or serious injury, catastrophic mission failure, severe financial damage, or significant threats to national security. Earning High certification takes serious investment, with much tougher requirements than Moderate, and often a complete rethink of how systems are designed, documented, and operated.

Examples: Law Enforcement, Emergency Services, Healthcare

Several system types require High authorization:

Law Enforcement: Systems that hold sensitive investigative data supporting criminal investigations and intelligence at agencies like the FBI, DHS, and DOJ.

Emergency Services: Systems that support disaster response and critical infrastructure. A breach could put public safety and national resilience at risk. These platforms must stay available and maintain data integrity.

Healthcare Systems: Platforms that process protected health information (PHI) for major federal healthcare programs. This includes systems at the Department of Veterans Affairs, Department of Defense health services, and Indian Health Service. Mental health records and clinical histories get extra protection at this level.

Financial Systems: Programs that handle sensitive taxpayer information or process critical government financial transactions. A breach could cause massive financial damage.

High impact systems make up roughly 16% of cloud services in the FedRAMP Marketplace. AWS GovCloud, Microsoft Office 365 GCC High, Google services, and Salesforce Government Cloud are notable examples.

FedRAMP High vs Moderate: Control Count and Risk Tolerance

The main difference between High and Moderate shows up in controls:

  • High needs roughly 410 while Moderate needs about 325.
  • Moving from Moderate to High takes more work than going from Low to Moderate.
  • High impact controls emphasize stronger authentication like phishing-resistant MFA, near real-time security monitoring with advanced threat detection, strict disaster recovery with rapid recovery times, tougher encryption for data at rest and in transit, tamper-resistant systems, and memory protection and information isolation.

These differences reflect very different risk tolerances. Monthly vulnerability scanning and prompt remediation are continuous monitoring requirements at every level, but High-level systems have many more controls and enhancements to evidence each month, and an authorization process that usually needs strong agency support. The choice between Moderate and High ultimately comes down to data sensitivity: High exists for systems where a breach could be catastrophic.

How to Determine the Right FedRAMP Level for Your SaaS

Choosing the right FedRAMP impact level is crucial when you plan to offer cloud services to federal agencies. You need a systematic approach to meet government security requirements without overspending.

Using the FIPS 199 Categorization Template

The FIPS 199 Categorization Template, found in Appendix K of the System Security Plan, forms the basis of your decision. It helps you review each information type your system handles against the three security objectives, assigning each an impact rating. For a system handling sensor data for critical infrastructure, for example, a confidentiality breach might be Low impact while integrity compromise and availability loss are both High. The impact definitions guide you: Low means minor effects, Moderate means serious effects with mission capability taking a hit, and High means catastrophic effects up to possible loss of life or mission failure.

Applying the High-Water Mark Rule

After categorizing each information type, the high-water mark principle applies: your system’s overall impact level matches the highest rating across all objectives. If just one objective needs High protection, the whole system must meet FedRAMP High standards. FIPS 199 gives the example of an acquisition system handling both sensitive contract information and basic administrative data, which must use the highest impact level of any component.

Mapping Data Types with NIST SP 800-60

NIST Special Publication 800-60 Volume 2 Revision 1 helps you categorize information types accurately, showing categories and their suggested impact ratings. Law enforcement data typically needs High confidentiality, public-facing content might need only Low protection, and financial systems usually need at least Moderate integrity protection. Look at your target federal customers and business goals before picking your path: going too high wastes resources, while going too low limits your market reach.
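The categorization procedure above (template, high-water mark, information-type mapping) is easy to get subtly wrong, so here it is as a small script. This is an added example, not FedRAMP or NIST tooling; the information types and their C/I/A ratings are constructed for illustration rather than copied from NIST SP 800-60, and the class mapping is the one this article describes for CR26.

```python
"""FIPS 199 categorization with the high-water mark rule, worked as code.

Added example, not official FedRAMP/NIST tooling. Information types and
ratings are constructed for illustration; take real provisional ratings
from NIST SP 800-60 Volume 2 and adjust them for your system.
"""
from __future__ import annotations

from dataclasses import dataclass

# FIPS 199 impact values as an ordered lattice. "N/A" is permitted only for
# the confidentiality of information that is already public.
LEVELS = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Legacy impact level -> CR26 Certification Class as described in the article.
# Low maps to Class B (shared with LI-SaaS); Class A is a new pilot, not Low.
CR26_CLASS = {"Low": "B", "Moderate": "C", "High": "D"}


@dataclass(frozen=True)
class InfoType:
    """One information type from the FIPS 199 template (SSP Appendix K)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _value(rating: str, objective: str) -> int:
    if rating not in LEVELS:
        raise ValueError(f"unknown impact value {rating!r} for {objective}")
    if rating == "N/A" and objective != "confidentiality":
        raise ValueError("N/A is only allowed for confidentiality")
    return LEVELS[rating]


def categorize(info_types: list[InfoType]) -> dict[str, str]:
    """Apply the high-water mark twice: per objective, then across objectives."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    # Step 1: each objective takes the highest rating across all information types.
    marks = {obj: max(_value(getattr(it, obj), obj) for it in info_types)
             for obj in OBJECTIVES}
    # Step 2: the overall level is the highest objective mark. Integrity and
    # availability are never N/A, so the result is always at least Low.
    overall = NAMES[max(marks.values())]
    result = {obj: NAMES[marks[obj]] for obj in OBJECTIVES}
    result["impact_level"] = overall
    result["cr26_class"] = CR26_CLASS[overall]
    result["sc_string"] = "SC = {" + ", ".join(
        f"({obj}, {result[obj]})" for obj in OBJECTIVES) + "}"
    return result


# Constructed example, matching the article's sensor-data case: a public
# status page plus telemetry whose integrity and availability are critical.
SENSOR_PLATFORM = [
    InfoType("public status page", "N/A", "Low", "Low"),
    InfoType("critical infrastructure telemetry", "Low", "High", "High"),
]

# Constructed example: an HR/payroll SaaS handling PII and financial records.
HR_SAAS = [
    InfoType("employee PII", "Moderate", "Moderate", "Low"),
    InfoType("payroll records", "Moderate", "Moderate", "Moderate"),
]

if __name__ == "__main__":
    for label, types in (("sensor platform", SENSOR_PLATFORM), ("HR SaaS", HR_SAAS)):
        r = categorize(types)
        print(f"{label}: {r['sc_string']} -> {r['impact_level']} (CR26 Class {r['cr26_class']})")
```

Note how the sensor platform lands on High even though its confidentiality need is only Low: one High objective on one information type pulls the whole system up, which is exactly the situation where a provider that only looked at data sensitivity would under-categorize.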

FedRAMP Certification Levels and Authorization Pathways


After you determine the appropriate impact level, your choice of authorization pathway substantially affects the timeline, cost, and complexity of your FedRAMP journey.

FedRAMP 20x for Low Impact Without a Sponsor

The FedRAMP 20x initiative offers a breakthrough for providers seeking Low Impact authorization. This cloud-native approach allows CSPs to receive authorization without an agency sponsor, and early-phase participants reported authorization in under two months, far faster than traditional paths. FedRAMP 20x prioritizes automated validation over documentation, using Key Security Indicators (KSIs) to streamline assessment, with 56 KSIs for Low and 61 for Moderate.

Agency ATO and the Post-JAB Landscape

Historically, two traditional paths existed: the Joint Authorization Board (JAB) path issuing Provisional Authorizations, and Agency Authorization, where a specific agency sponsors your service. The JAB has since been disbanded, replaced by the FedRAMP Board, and agency authorization, which has long represented the large majority of FedRAMP authorizations, is now the primary traditional route. It tends to be faster and more flexible.

Role of 3PAOs in FedRAMP Authorization

Third-Party Assessment Organizations (3PAOs) are vital to all pathways. These independent firms must receive FedRAMP accreditation from the American Association for Laboratory Accreditation (A2LA) before conducting assessments. 3PAOs perform either assessment work (developing Security Assessment Plans, conducting evaluations, producing Security Assessment Reports) or advisory work to help prepare for authorization, but they cannot assess the same system they advised on.

How Elevate Can Help

Choosing the right FedRAMP level, and navigating the shift to Certification Classes, is exactly the kind of decision where early expert input saves months and budget. Elevate Consult helps SaaS providers categorize their systems with the FIPS 199 process, select the impact level (and corresponding class) that fits their data and target agencies, and build a realistic path to authorization. We also help existing providers understand how the CR26 transition affects their current authorization. Schedule a FedRAMP readiness consultation to find the right tier for your offering and map your path to certification.

Conclusion

Picking the right FedRAMP impact level is a crucial business decision for SaaS providers pursuing government contracts. Low impact systems need roughly 125 to 156 controls, Moderate around 325, and High about 410, and most providers land on Moderate, reflected in its roughly 73% marketplace share, because it balances strong security with practical implementation.

Determining your level calls for careful analysis using the FIPS 199 categorization template and the high-water mark rule, which together help you avoid both underprotecting sensitive data and overspending on unnecessary controls. Your tier choice affects your initial authorization and your ongoing continuous monitoring work, and each authorization path carries its own benefits depending on your needs.

One more thing to keep on your radar: the labels are changing. As CR26 takes effect, Low, Moderate, and High become Certification Classes B, C, and D, with a new Class A pilot tier on top. The underlying baselines stay largely the same, and existing authorizations carry over, but your customer-facing materials and procurement conversations will eventually need to speak both vocabularies. Providers who understand the levels today and prepare for the class transition will navigate the federal marketplace with confidence.

Key Takeaways

Understanding FedRAMP impact levels is essential for SaaS providers targeting federal contracts, since the wrong choice can cost months of preparation and hundreds of unnecessary controls.

Choose based on data sensitivity: Low Impact for public data (~125–156 controls), Moderate for CUI and PII (~325 controls), and High for life-critical systems (~410 controls). Moderate dominates the market at roughly 73% of authorized services because it balances security with practical implementation. Use FIPS 199 systematically, applying the high-water mark rule so your highest security objective rating determines your overall impact level. Consider streamlined pathways like FedRAMP 20x, which enables Low Impact authorization without an agency sponsor in under two months. And plan for the terminology change: under CR26, Low, Moderate, and High become Classes B, C, and D (with a new Class A pilot tier), a relabeling that maps closely to the existing baselines and does not require re-authorization.

The right level choice directly affects your authorization timeline, control burden, and federal market opportunities. Most SaaS providers find success with Moderate Impact, which provides access to the majority of government use cases while keeping compliance overhead reasonable.

FAQs

Q1. What are the main FedRAMP impact levels and what do they mean? FedRAMP has three primary impact levels: Low, Moderate, and High. Low is for systems with limited adverse effects if breached, Moderate for systems where a breach could cause serious effects, and High for systems where a breach could be severe or catastrophic. Each level requires an increasing number of NIST 800-53 security controls, roughly 125 to 156 for Low, 325 for Moderate, and 410 for High.

Q2. Are FedRAMP’s Low, Moderate, and High levels changing? Yes. Under the Consolidated Rules for 2026 (CR26), FedRAMP is replacing the Low, Moderate, and High labels with Certification Classes. Low (with Li-SaaS) becomes Class B, Moderate becomes Class C, and High becomes Class D, with a new Class A pilot tier added. The change is mostly terminology; the underlying baselines map closely, and existing authorizations carry over without re-authorization.

Q3. Why is the Moderate impact level the most common for cloud service providers? Moderate is chosen by roughly 73% of cloud service providers because it balances robust security with practical implementation. It suits sensitive but unclassified data, making it appropriate for a wide range of government applications without the extreme requirements of High impact systems.

Q4. How can a SaaS provider determine the right FedRAMP level? Providers should use the FIPS 199 Categorization Template to evaluate their system’s confidentiality, integrity, and availability for each information type they handle. The highest rating across all categories determines the overall impact level under the high-water mark rule. NIST SP 800-60 helps map specific data types to appropriate impact levels.

Q5. What is the FedRAMP 20x initiative and how does it benefit Low Impact systems? FedRAMP 20x is a streamlined authorization process that does not require an agency sponsor. It uses automated validation and Key Security Indicators (KSIs) to accelerate authorization, with early participants achieving authorization in under two months.