The question, stated honestly
Every federal cloud project eventually gets asked: Moderate or High. The sales pitch from vendors is "go High to future-proof." The sales pitch from integrators is "stay Moderate to control scope." Both are wrong as defaults. The answer is driven by FIPS 199 impact analysis of your specific system, not by the comfort preference of anyone billing for the decision.
This post walks the decision the way an engineer should walk it: start with FIPS 199, look at the 96-control delta, price the engineering reality, and only then pick a baseline. If you end up at High, you will have earned it. If you end up at Moderate, you will be able to defend it.
FIPS 199 in one page

FIPS 199 is the federal standard for categorizing information systems. It assigns an impact level (Low, Moderate, High) to each of three security objectives — Confidentiality, Integrity, Availability — and the system inherits the highest of the three. That high-water mark drives the control baseline.
| Objective | Moderate | High |
|---|---|---|
| Confidentiality | Serious adverse effect on operations, assets, or individuals if disclosed. | Severe or catastrophic effect. |
| Integrity | Serious adverse effect if modified or destroyed. | Severe or catastrophic effect. |
| Availability | Serious adverse effect if access disrupted. | Severe or catastrophic effect. |
The word that matters is "catastrophic." If your system going down for a day loses a field-office productivity slice, that is serious, not catastrophic. If your system going down interrupts emergency response or law-enforcement operations, that is catastrophic. The distinction is not rhetorical — a CISO will write a memo that reads exactly that way when they categorize the system.
The 96-control delta, concretely
The difference between Moderate (325) and High (421) is not 96 brand-new control families. It is deeper parameter values and additional enhancements in the families you already have to implement. The concentration:
| Family | Delta at High | What actually changes |
|---|---|---|
| AC — Access Control | +14 controls/enhancements | Stricter separation of duties (AC-5), automated account management (AC-2(1-13)), stronger session termination (AC-12). |
| AU — Audit and Accountability | +10 | More frequent audit review cycles, centralized audit management (AU-3(2)), cross-organization audit (AU-16). |
| CM — Configuration Management | +8 | Automated configuration enforcement (CM-6(1)), more restrictive change windows, testing requirements (CM-4(1)). |
| CP — Contingency Planning | +9 | Alternate processing and storage sites (CP-7, CP-8), 72-hour RTO, 24-hour RPO common. |
| IR — Incident Response | +6 | Automated response support (IR-4(1)), dynamic reconfiguration (IR-4(2)). |
| SC — System and Communications Protection | +18 | FIPS 140-3 validated crypto at higher levels, boundary protection (SC-7) enhancements, separation of information flows. |
| SI — System and Information Integrity | +14 | Automated flaw remediation (SI-2(2)), integrity checks on boot (SI-7(9)), centralized malware protection. |
| Other families | +17 | Physical, personnel, awareness & training, media protection, risk assessment. |
The headline numbers (325 vs 421) understate the engineering. Many of the High-baseline enhancements require automation where Moderate accepted procedural compliance. "Automated configuration enforcement" is a very different engineering investment than "documented configuration procedure reviewed quarterly."
[Figure: High vs Moderate — Additional Controls by Family. 96 additional controls/enhancements at the High baseline; bars are proportional to the delta within each family, with the primary impact families highlighted.]
Who actually needs High
After several years of watching real projects categorize, the pattern is clear. High is mandatory for some workloads and a scope trap for others.
High is genuinely required
- Law-enforcement investigative data (FBI, DEA, IRS-CI case management)
- Healthcare PHI at national scale (CMS claims, VA longitudinal records)
- Financial data with market impact (SEC EDGAR, Treasury debt operations)
- Identity and credentialing at population scale (SSA, USCIS)
- National-security-adjacent intelligence or operations support
- Critical infrastructure control or monitoring (FERC, TSA operational)
High is a scope trap (Moderate is correct)
- Internal agency collaboration tools handling ordinary CUI
- Grant management, case tracking, and administrative systems
- Most research-data platforms (even with sensitive data, impact is often Moderate)
- Public-facing agency websites and citizen-service portals
- Training and learning management systems
- Most SBIR Phase I and Phase II prototypes
The question to ask for each category: "If this data were disclosed, altered, or unavailable for 24 hours, would the effect on the mission be catastrophic?" Most of the time, the honest answer is serious, which is Moderate. Only a fraction of federal systems legitimately carry catastrophic impact.
Cost delta, the way budgets actually get written
The cost of FedRAMP is not the 3PAO invoice. It is the engineering investment behind the 3PAO invoice. A useful decomposition:
| Line item | Moderate | High |
|---|---|---|
| 3PAO initial assessment | $150K - $300K | $250K - $500K |
| Annual 3PAO continuous monitoring | $80K - $150K | $130K - $250K |
| Internal engineering build | 12 - 18 person-months | 22 - 36 person-months |
| SSP and body-of-evidence authoring | 4 - 6 person-months | 7 - 10 person-months |
| Remediation buffer (POA&M burn) | 10 - 20 percent of build | 15 - 30 percent |
| Tooling (HSM, FIPS crypto, SIEM tier) | Commodity tier | FIPS 140-3 L2+ HSM, premium SIEM, 24x7 SOC |
These ranges are the ones I have seen hold across several projects. The variance within each cell depends on how much of your baseline you inherit from the underlying platform (AWS GovCloud, Azure Government, Google Assured Workloads) and how disciplined your engineering shop is about documenting as they build. Teams that write the SSP as the system is constructed pay half of what teams that "document it after" pay.
The decision tree
Here is the walk, in order. Do not skip steps.
```mermaid
flowchart TD
A([Start: What data does your system handle?]) --> B{FIPS 199: Any criterion = High impact?}
B -->|Yes| C[FedRAMP High\n421 controls]
B -->|No| D{All three criteria = Low?}
D -->|Yes – low-impact SaaS| E[FedRAMP Li-SaaS\n156 controls]
D -->|No – at least one Moderate| F[FedRAMP Moderate\n325 controls]
C --> G{Agency is DoD?}
G -->|Yes| H{IL4 or IL5 required?}
G -->|No| I[High baseline complete]
H -->|IL5| J[High + CC SRG overlay]
H -->|IL4| K[Moderate or High + overlay]
H -->|No IL| I
style C fill:#dc2626,color:#fff,stroke:#dc2626
style F fill:#3b82f6,color:#fff,stroke:#3b82f6
style E fill:#0d9488,color:#fff,stroke:#0d9488
style J fill:#7c3aed,color:#fff,stroke:#7c3aed
```
- Run FIPS 199 honestly. For each of confidentiality, integrity, availability, assign Low/Moderate/High based on worst-case-disclosure or worst-case-disruption impact on the mission. Write it down. Defend each rating in one sentence.
- Take the high-water mark. If any of the three is High, your baseline is High. Period. This is not a negotiation with your PM.
- If all three are Moderate or below, you are at Moderate. Even if the agency prefers High "for safety," Moderate is defensible and significantly cheaper.
- If all three are Low, consider Li-SaaS — the 156-control subset designed for low-impact SaaS. Faster and much cheaper. See our separate post on Li-SaaS.
- Check DoD Impact Level separately. If the agency is DoD and will require IL4 or IL5, you need FedRAMP Moderate or High plus the DoD CC SRG overlay. IL5 effectively requires FedRAMP High as its floor.
- Check CUI overlays. CUI Specified categories (export-controlled, tax-return information, law-enforcement sensitive) may impose additional overlays regardless of FIPS 199 rating.
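The walk above is mechanical enough to encode, which is useful when you want the memo to be generated from the ratings rather than written around a conclusion. The following is an added example, not a tool from this post or from FedRAMP; it takes the three FIPS 199 ratings (each with the one-sentence justification the first step demands), applies the high-water mark, routes all-Low systems to Li-SaaS as the flowchart does, then layers the DoD IL4/IL5 and CUI Specified checks on top. The control counts are the ones stated in the post; the data-structure names, the memo format and the rejection of impact levels other than 4 and 5 are assumptions of this example.

```python
"""Baseline selection from a FIPS 199 categorization, following the post's decision tree.

Added illustration, not an official FedRAMP or agency tool. Control counts are the post's;
class names, memo layout and the IL handling beyond IL4/IL5 are this example's assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Impact(IntEnum):
    """FIPS 199 impact levels, ordered so that max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Rating:
    """One objective's rating plus the one-sentence defense the post asks you to write down."""
    level: Impact
    justification: str

    def __post_init__(self) -> None:
        if not self.justification.strip():
            raise ValueError("each rating must carry a one-sentence justification")


@dataclass(frozen=True)
class Categorization:
    """FIPS 199 ratings for the three security objectives of one system."""
    confidentiality: Rating
    integrity: Rating
    availability: Rating

    def high_water_mark(self) -> Impact:
        # Step 2 of the walk: the system inherits the highest of the three ratings.
        return max(self.confidentiality.level, self.integrity.level, self.availability.level)


# Control counts exactly as the post states them.
BASELINE_CONTROLS = {"Li-SaaS": 156, "Moderate": 325, "High": 421}


@dataclass(frozen=True)
class Decision:
    """Outcome of the walk: baseline, its control count, and any overlays stacked on top."""
    baseline: str
    controls: int
    overlays: Tuple[str, ...] = ()


def select_baseline(
    cat: Categorization,
    dod_impact_level: Optional[int] = None,   # 4 or 5 when the agency is DoD; None otherwise
    cui_specified: Tuple[str, ...] = (),      # CUI Specified categories the data falls under
) -> Decision:
    """Walk the tree: FIPS 199 high-water mark, then DoD impact level, then CUI overlays."""
    hwm = cat.high_water_mark()
    if hwm is Impact.HIGH:
        baseline = "High"
    elif hwm is Impact.MODERATE:
        baseline = "Moderate"
    else:
        # All three objectives Low: the post's flowchart routes this to Li-SaaS.
        baseline = "Li-SaaS"

    overlays: List[str] = []
    if dod_impact_level is not None:
        if dod_impact_level == 5:
            # Post: IL5 effectively requires FedRAMP High as its floor.
            if baseline != "High":
                raise ValueError("IL5 requested but the FIPS 199 high-water mark is below High; "
                                 "re-examine the categorization before promising IL5")
            overlays.append("DoD CC SRG IL5")
        elif dod_impact_level == 4:
            # Post: IL4 needs FedRAMP Moderate or High plus the DoD CC SRG overlay.
            if baseline == "Li-SaaS":
                raise ValueError("IL4 requested but the system is at Li-SaaS; IL4 needs Moderate or High")
            overlays.append("DoD CC SRG IL4")
        else:
            # Assumption: the post only discusses IL4 and IL5, so anything else is rejected here.
            raise ValueError(f"unsupported DoD impact level {dod_impact_level}")

    # CUI Specified categories may add overlays regardless of the FIPS 199 rating.
    overlays.extend(f"CUI Specified overlay: {c}" for c in cui_specified)

    return Decision(baseline, BASELINE_CONTROLS[baseline], tuple(overlays))


def memo_lines(cat: Categorization, decision: Decision) -> List[str]:
    """Render the under-one-page memo the post says to write first (layout is an assumption)."""
    lines = []
    for name, rating in (("Confidentiality", cat.confidentiality),
                         ("Integrity", cat.integrity),
                         ("Availability", cat.availability)):
        lines.append(f"{name}: {rating.level.name.title()} - {rating.justification}")
    lines.append(f"High-water mark: {cat.high_water_mark().name.title()}")
    lines.append(f"Baseline: FedRAMP {decision.baseline} ({decision.controls} controls)")
    lines.extend(f"Overlay: {o}" for o in decision.overlays)
    return lines


if __name__ == "__main__":
    # Constructed example: a grant-management system, which the post lists as a scope trap at High.
    grants = Categorization(
        Rating(Impact.MODERATE, "Disclosure of applicant CUI has a serious, not catastrophic, effect."),
        Rating(Impact.MODERATE, "Tampered award records cause serious financial and legal harm."),
        Rating(Impact.LOW, "A 24-hour outage delays reviews; no mission-critical operation stops."),
    )
    for line in memo_lines(grants, select_baseline(grants)):
        print(line)
```

The point of making `Rating` refuse an empty justification is that the memo cannot be produced without the one sentence per objective the first step requires; the `ValueError` on IL5 against a sub-High baseline is the code-level version of "this is not a negotiation with your PM".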
Common miscategorizations
Treating "sensitive" as "High"
Sensitivity is not impact. CUI is routinely handled at Moderate. The test is not "is this data private" but "what happens to the mission if it leaks."
Treating agency preference as categorization
Some agencies default to asking for High because their CISO prefers the posture. FIPS 199 is the categorization authority. If your FIPS 199 analysis says Moderate, write the memo, show the analysis, and ask the agency CISO to sign off on the categorization before you quote the project at High. Many will sign off on Moderate when shown the work.
Treating a High parent system as automatic High for the child
A system that reads a sanitized, aggregated, or de-identified extract from a High system may itself be Moderate. The categorization travels with the data actually in the child system, not with its upstream source.
Under-categorizing availability
The mistake runs both ways. Teams focused on confidentiality sometimes forget availability. An outage of an emergency-dispatch-adjacent system might be the catastrophic impact even though the data itself is unclassified. Run all three objectives every time.
Upgrading later
You can start at Moderate and upgrade to High. It is not a trivial uplift. The practical path:
- Reopen the SSP and map the additional 96 controls.
- Implement the deltas — most of the pain is crypto uplift (FIPS 140-3 Level 2 or higher), boundary protection hardening, and automation of configuration enforcement.
- Engage the 3PAO for a gap assessment focused on the delta.
- Remediate findings, re-test.
- Resubmit for reauthorization at the new baseline.
Typical timeline: six to nine months of additional engineering for a stable, well-documented Moderate system. Longer if your original body of evidence was thin.
What this means for small firms and SBIR
Most SBIR prototypes do not need FedRAMP at all during Phase I and Phase II — they run inside a sponsor's already-authorized environment or use research enclaves. When the prototype transitions toward a Phase III product, the categorization conversation starts. If you are a small firm, plan for Moderate unless your topic is explicitly law-enforcement, national-security, or catastrophic-impact adjacent. Do not volunteer for High you do not need. The engineering cost will break the economics of a small-firm commercial transition.
Bottom line
FedRAMP Moderate is the right baseline for most federal CUI work. FedRAMP High is mandatory for a specific set of catastrophic-impact workloads and a costly mistake when it is not. The decision is categorical, driven by FIPS 199, and documentable in a memo of less than a page. Write that memo first. Everything downstream is just execution.
Frequently asked questions
Moderate is 325 controls across 17 NIST 800-53 Rev 5 families. High is 421. The 96-control delta concentrates in AC, AU, CM, CP, IR, SC, and SI, with stricter parameter values and more automation expected.
Only if FIPS 199 analysis puts any of confidentiality, integrity, or availability at High — meaning severe or catastrophic impact on the mission if compromised. Most federal CUI work is correctly categorized at Moderate.
3PAO costs are 30 to 60 percent higher. Engineering effort is typically 1.5 to 2 times Moderate, driven by crypto uplift, automation requirements, and deeper continuous-monitoring evidence.
Yes. Plan six to nine months: map the 96-control delta, implement it, 3PAO gap assessment, remediation, reauthorization. Much cheaper than starting at High when you did not need to.
No. DoD Impact Levels are a separate layer. FedRAMP High is a prerequisite for IL5 but you also need to satisfy the DoD Cloud Computing SRG.
Low-impact Li-SaaS (156 controls) — 6 to 9 months. Moderate — 12 to 18 months. High — 18 to 24 months. Agency ATO is faster than JAB P-ATO in most real projects.