
FedRAMP Moderate: Requirements & How to Prepare


Accounting for nearly three-quarters (73%) of all authorized cloud service offerings (CSOs) as of July 31, 2025, FedRAMP Moderate is the most common authorization level under FedRAMP.

FedRAMP Moderate applies to systems where a security breach could result in serious adverse effects on an agency's operations, assets, or individuals. This impact level strikes a balance between security and scalability, making it the default authorization tier for cloud systems handling Controlled Unclassified Information (CUI).

In this guide, we’ll explore:

  • What qualifies as FedRAMP Moderate
  • Who needs FedRAMP Moderate
  • What the Moderate baseline requires
  • How it compares to FedRAMP Low
  • How to prepare for authorization

What is FedRAMP Moderate?

FedRAMP Moderate applies to systems where the potential loss of confidentiality, integrity, or availability could result in a moderate adverse effect on government operations or individuals. This definition comes from Federal Information Processing Standard (FIPS) 199, the standard used to categorize federal information systems by the potential impact of a security breach.

A moderate-impact system is one in which at least one security objective (confidentiality, integrity, or availability) is rated as Moderate, and none are rated as High:

  • Confidentiality: Unauthorized disclosure of data could result in significant harm, such as violating privacy or damaging trust.
  • Integrity: Unauthorized modifications could lead to substantial errors in processing, analysis, or decision-making.
  • Availability: Disruptions in access could impact operations or mission success, though not to a catastrophic degree.

Moderate-impact cloud services are typically used for handling sensitive but unclassified information where compromise could lead to financial loss, mission disruption, or harm to individuals—but not to the extent of causing loss of life or catastrophic damage.

Let’s look at specific examples below.

Who needs FedRAMP Moderate?

FedRAMP Moderate is the most common authorization level because it covers a wide range of cloud services used across government agencies. It's required for cloud systems that store or process Controlled Unclassified Information (CUI) and other types of sensitive data.

CSPs that commonly fall under the Moderate impact level include those providing:

  • Financial management tools
  • Human resources and payroll systems
  • Case tracking and grant management platforms
  • Document management and collaboration solutions

As a general rule of thumb, any CSP that supports federal customers or contracts involving the handling of CUI will likely need to meet the FedRAMP Moderate baseline.

To better understand who needs or may benefit from FedRAMP Moderate authorization, let’s look at the CSOs that have achieved a FedRAMP designation at this level. As of July 31, 2025, there are 585 CSOs listed in the FedRAMP Marketplace. 424 are FedRAMP Authorized, FedRAMP Ready, or working toward a FedRAMP Authorization at the Moderate level. That means moderate-impact systems make up about 73% of the products listed in the FedRAMP marketplace. 

Here are some examples of CSOs that have achieved a FedRAMP Moderate designation and are listed in the marketplace:

  • Accenture Federal Cloud ERP
  • Adobe Connect Managed Services
  • AWS US East/West
  • Atlassian Government Cloud 
  • Cisco Webex for Government
  • Cloudflare for Government
  • Deloitte Evidence Management System
  • IBM Data Services
  • Kiteworks Federal Cloud
  • KnowBe4 Platform
  • Ramp for Government
  • Slack
  • Zoom for Government

These CSOs have achieved a FedRAMP Moderate designation by implementing the Moderate baseline. Let’s take a closer look at these baseline requirements below.

FedRAMP Moderate baseline: What’s required?

Cloud service providers pursuing FedRAMP Moderate must implement 323 security controls, including both base controls and control enhancements from the NIST SP 800-53 Rev. 5 catalog. These controls ensure that moderate-impact systems maintain robust protections around identity, access, auditing, vulnerability management, and more.

Here’s a breakdown of how those 323 controls are distributed across the 17 control families:

The most heavily weighted control families include:

  • Access Control (43 controls)
  • System and Communications Protection (29)
  • Configuration Management (27) 

These areas reflect a strong emphasis on safeguarding access, securing communication channels, and maintaining consistent system configurations.

How FedRAMP Moderate compares to FedRAMP Low

To better understand the scope and rigor of FedRAMP Moderate, let’s take a closer look at how it compares to FedRAMP Low. 

FedRAMP Low applies to systems where the potential impact of a breach is minimal, such as public websites, scheduling tools, or systems that don't process sensitive data. Because of this low impact, it requires the fewest controls (157), and CSPs pursuing this authorization may qualify for streamlined options like the LI-SaaS or FedRAMP 20x baselines.

FedRAMP Moderate, on the other hand, is required for systems that process CUI or other mission-sensitive federal data. At 323 controls, it more than doubles the number of required controls of the Low baseline. There is no streamlined path for Moderate (yet—this will be the focus of Phase Two of the FedRAMP 20x Pilot program).

Overall, FedRAMP Moderate covers a broader range of threats and requires more extensive control implementation, documentation, testing, and monitoring.

Organizations that initially received a Low authorization may find they need to transition to Moderate as they expand to handle more sensitive data or pursue new contracts with federal agencies. This adds more incentive to the FedRAMP 20x Phase One pilot program, which grants successful participants a 12-month FedRAMP Low authorization and priority for Moderate authorization in future phases of the program.

Let’s take a closer look at how to prepare for FedRAMP Moderate authorization. 

FedRAMP Baselines Control Allocation Spreadsheet

To get a sense of how comprehensive the Moderate baseline is compared to other baselines and to the different areas of cybersecurity represented by each control family, we've broken down the number of controls per family across the FedRAMP Low, LI-SaaS, Moderate, and High baselines.

How to prepare for FedRAMP Moderate authorization

Preparing for a FedRAMP Moderate authorization requires a more rigorous approach than the Low baseline. CSPs should expect a significant investment of time, resources, and personnel. 

Key preparation steps are below. You can find a more detailed overview of these steps in the FedRAMP High article.

  • Partner with a federal agency sponsor that is willing to support your Moderate-level authorization effort.
  • Allocate a full compliance team, including technical writers, subject matter experts, security engineers, and a dedicated project manager.
  • Engage a FedRAMP-accredited 3PAO (Third Party Assessment Organization) to conduct an independent security assessment.
  • Develop a comprehensive System Security Plan (SSP) that maps how your organization meets each of the 323 Moderate baseline controls.
  • Complete FedRAMP training courses available on the FedRAMP YouTube channel or through virtual sessions.
  • Work closely with your agency sponsor to determine their review model and set clear expectations on deliverables and timelines.

Given the increased scope and complexity of Moderate-level requirements, preparation can take several months. Starting early and staying in close coordination with your sponsoring agency can significantly improve your chances of success. 

Using automation tools like Secureframe where possible to streamline evidence collection, SSP and POA&M management, and continuous monitoring can also improve your chances while speeding up your timeline.

Learn more about how to simplify this process in our FedRAMP requirements checklist or dive deeper into how automation can reduce the manual burden of compliance.