FedRAMP Moderate vs High Cost: The 87-Control Delta and the Re-baseline Economics Most Vendors Miss

Bottom Line Up Front

Moving from FedRAMP Moderate to High is an 87-control change on paper and a six-figure infrastructure project in practice. The contractors who stay on budget treat the re-baseline as a cloud-partitioning decision; the ones who blow through it treat it as an SSP rewrite. This article names the 87-control delta family by family, separates the infrastructure cost line items from the documentation line items, and shows the pre-authorized-boundary pattern that scopes any future High re-baseline to application controls only.

FedRAMP Moderate has 324 controls. FedRAMP High has 411. The delta is 87 controls and control enhancements spanning 15 of 20 control families. That number, 87, is the headline every comparison article cites. It says something accurate about scope but nothing useful about cost, because the dollar difference between FedRAMP Moderate and High is mostly infrastructure, not documentation, and the contractors who get burned are the ones who treat re-baselining as a System Security Plan rewrite instead of a cloud-partitioning decision.

A SaaS Chief Technology Officer who chose Moderate two years ago to ship faster now has a customer requesting High and a board that does not understand why “just adding controls” is a six-figure infrastructure project, not a documentation sprint. The mental model is wrong, and the budget that follows the wrong model is wrong by a factor of three to five.

This article names the 87-control delta family by family, separates the infrastructure costs from the documentation costs, and shows the pre-authorized-boundary architecture pattern that lets a Moderate vendor scope a future High re-baseline to application controls only. It is written for the cloud service provider whose customer is asking the question and for the board member who has to sign the budget.

The 87-Control Delta, Family by Family

The 87 additional controls and enhancements at the High baseline are not distributed evenly. Five control families absorb most of the delta, and three of those five are the families that drive infrastructure cost. Documentation-heavy families absorb a smaller share. The cost asymmetry is the part most comparison articles miss.

| Control Family | Approximate Delta (Mod to High) | Cost Center | Driver |
|---|---|---|---|
| SC (System and Communications Protection) | ~14 controls/enhancements | Infrastructure | Cryptographic protection, network partitioning, key management |
| SI (System and Information Integrity) | ~11 controls/enhancements | Infrastructure + Operations | Continuous monitoring depth, malicious code protection, flaw remediation cadence |
| AU (Audit and Accountability) | ~9 controls/enhancements | Infrastructure + Operations | Log volume, retention, real-time analysis, log integrity |
| CP (Contingency Planning) | ~8 controls/enhancements | Infrastructure | Geographic redundancy, recovery time objective, backup strategy |
| AC (Access Control) | ~8 controls/enhancements | Operations | Privilege restriction, separation of duties, session management |
| IR (Incident Response) | ~6 controls/enhancements | Operations | IR team capacity, response timeline, testing cadence |
| RA (Risk Assessment) | ~5 controls/enhancements | Documentation | Vulnerability scanning frequency, threat intelligence integration |
| PE (Physical and Environmental Protection) | ~5 controls/enhancements | Infrastructure | Inherited from cloud provider, but FedRAMP+ overlays apply |
| Other 11 families combined | ~21 controls/enhancements | Mixed | Distributed across IA, MP, CM, SA, PS, AT, MA, PL, SR, CA, PM |

System and Communications Protection is the family that drives the most expensive infrastructure changes. SC-7 enhancements at High require deeper boundary protection, segmented networks, and explicit traffic management policies. SC-8 and SC-13 cryptographic protection requirements demand FIPS 140-2 or FIPS 140-3 validated cryptographic modules end-to-end. Most Moderate environments use FIPS-validated modules at the perimeter and standard cryptographic libraries elsewhere; High pushes FIPS-validated modules throughout, which often requires a re-architecture rather than a configuration change.

System and Information Integrity at High demands continuous monitoring with real-time analysis. Most Moderate environments operate continuous monitoring at a daily or hourly cadence with batch analysis. High demands streaming telemetry, real-time correlation, and incident escalation. The change is a SIEM tier upgrade, additional log sources, and operational headcount in the security operations center. The annual operating cost rises substantially.

Audit and Accountability at High requires log retention measured in years, log integrity protection through cryptographic mechanisms, and real-time analysis. Log volume in a High environment can be five to ten times the Moderate environment because more events are loggable and retention is longer. Storage and SIEM ingest costs scale accordingly.

Contingency Planning at High demands recovery time objectives and recovery point objectives that often require geographic redundancy. A Moderate environment may operate from a single region with backup; High frequently requires active-active or active-passive multi-region architecture. The cloud bill rises by the duplication factor, plus the inter-region data-transfer costs, plus the operational complexity premium.

Access Control at High imposes operational changes more than infrastructure. Privileged access management with just-in-time provisioning, separation of duties documented and enforced, and session management with timeouts and re-authentication are the operational additions. The cost is in tooling (privileged access management platforms) and in operations (the team that runs the platforms).

Infrastructure Cost vs Documentation Cost: The Real Ratio

The 87-control delta produces costs in three categories: infrastructure, operations, and documentation. The ratio is roughly 60 percent infrastructure, 30 percent operations, and 10 percent documentation. Most contractor budgets reverse this distribution because the documentation work is visible and the infrastructure work is buried in the cloud-services line item.

Infrastructure costs are the architecture changes that High requires: cryptographic re-architecture, geographic redundancy, network segmentation, log volume scaling, and FIPS-validated module deployment. These costs land in the cloud-services bill, in third-party tooling subscriptions, and in one-time professional-services engagements for re-architecture work.

Operations costs are the increased operational discipline that High requires: continuous monitoring with real-time analysis, expanded incident response capacity, more frequent vulnerability scanning, and tighter privilege management. These costs land in headcount and in tooling subscriptions.

Documentation costs are the System Security Plan rewrites, additional control narratives, expanded risk assessments, and updated continuity plans. These costs land in compliance team time and in third-party advisory engagements. They are real but small relative to infrastructure and operations.

For a representative cloud service offering, a Moderate-to-High re-baseline might run $1.2 million to $2.8 million in first-year incremental cost: $720K to $1.7M infrastructure, $360K to $840K operations, and $120K to $280K documentation and assessment. The annual run-rate increase is $400K to $900K against the Moderate baseline.

Why Mid-Authorization Re-baseline Is Brutal

The cost discussion above describes a clean Moderate-to-High path with adequate planning runway. The actual contractor experience is often a mid-authorization re-baseline, which is roughly two to three times more expensive than a clean path because it requires the architecture changes plus a re-assessment plus the operational disruption of running the changes through a live authorization.

The re-assessment scope is the multiplier. A Moderate authorization at FedRAMP includes the Authorizing Official’s risk acceptance based on the Moderate control set. Moving to High requires re-testing the entire control inventory under the High baseline because some Moderate control implementations do not satisfy the High control implementation, even where the control number is the same. SC-8 cryptographic protection at Moderate may accept TLS 1.2 in transit; at High the implementation may need TLS 1.3 with specific cipher suites, FIPS-validated, with explicit certificate management. The scope of the re-assessment is the entire authorization boundary, not just the 87 delta controls.

The continuous monitoring change is the second multiplier. The Moderate continuous monitoring posture is locked into the existing authorization. High continuous monitoring is materially different in cadence, depth, and reporting. The transition requires running both monitoring postures in parallel until the High authorization is granted, then retiring the Moderate posture.

The infrastructure change disrupts the production environment. Customer-facing changes require coordinated deployment windows, customer communications, and rollback plans. Some changes are not deployable without service interruption. The operational cost of the change exceeds the infrastructure cost in many re-baseline projects.

The Pre-Authorized Boundary Pattern

The architectural pattern that mitigates re-baseline risk is the pre-authorized boundary. A vendor authorized at Moderate through a pre-authorized boundary does not face cloud migration or continuous monitoring rebuild if High becomes necessary. The re-assessment scope narrows from “the entire authorization boundary” to “the delta in application-level controls.”

The pattern has four characteristics. First, the cloud service provider hosts the offering on a cloud platform whose underlying infrastructure is already authorized at FedRAMP High (AWS GovCloud, Azure Government, Google Cloud Assured Workloads, IBM Cloud for Government). The vendor inherits the cloud provider’s High-baseline infrastructure controls.

Second, the vendor architects the offering using cloud-native services that are themselves on the cloud provider’s High-authorized service list. Most major clouds maintain catalogs of services authorized at High; offerings built on those services inherit the authorization.

Third, the vendor implements cryptographic protection, logging, monitoring, and contingency planning at the High baseline from the start, even when authorizing at Moderate initially. The incremental cost at the Moderate stage is real but smaller than the cost of retrofitting to High during a re-baseline.

Fourth, the vendor documents the boundary in the System Security Plan to anticipate a future High re-baseline. The boundary should explicitly address which controls inherit from the cloud provider, which the vendor implements at High already, and which would need to be uplifted in a re-baseline. A boundary documented this way scopes the future re-baseline cleanly.

For a vendor adopting this pattern from initial authorization, the eventual Moderate-to-High re-baseline cost typically runs 30 to 50 percent of a re-baseline without the pattern. The infrastructure work was front-loaded; the re-baseline becomes a documentation and re-assessment exercise rather than an architecture project.
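The scoping effect of the fourth characteristic can be made concrete. The script below is an added example, not the article's or any program's tooling: it takes a boundary inventory that records each delta control's provenance (inherited from the High-authorized platform, already implemented by the vendor at High, or implemented only to Moderate) and returns what the re-baseline actually has to touch, tallied by the cost centers from the family table above. The inventory entries are constructed samples; the "*-sample" identifiers are placeholders, not real control numbers.

```python
"""Scope a Moderate-to-High re-baseline from a documented boundary (added example)."""
from collections import Counter

# Cost center per family, as given in the article's family table.
FAMILY_COST_CENTER = {
    "SC": "infrastructure", "SI": "infrastructure+operations",
    "AU": "infrastructure+operations", "CP": "infrastructure",
    "AC": "operations", "IR": "operations", "RA": "documentation",
}

# Constructed sample of High-baseline delta controls with the provenance the
# SSP boundary records for each. Not the real 87-control delta; the
# "*-sample" ids are placeholders.
#   inherited   - satisfied by the High-authorized cloud platform
#   vendor_high - vendor already implements at the High baseline
#   vendor_mod  - vendor implements only to the Moderate baseline
DELTA_INVENTORY = [
    {"id": "SC-7",      "family": "SC", "provenance": "inherited"},
    {"id": "SC-8",      "family": "SC", "provenance": "vendor_mod"},
    {"id": "SC-13",     "family": "SC", "provenance": "vendor_high"},
    {"id": "SI-sample", "family": "SI", "provenance": "vendor_mod"},
    {"id": "AU-sample", "family": "AU", "provenance": "vendor_high"},
    {"id": "CP-sample", "family": "CP", "provenance": "vendor_mod"},
    {"id": "AC-sample", "family": "AC", "provenance": "vendor_mod"},
    {"id": "IR-sample", "family": "IR", "provenance": "vendor_high"},
    {"id": "RA-sample", "family": "RA", "provenance": "vendor_high"},
]


def scope_rebaseline(inventory):
    """Sort each delta control into the work it needs; tally uplift by cost center."""
    buckets = {"no_vendor_work": [], "reassess_only": [], "uplift": []}
    uplift_cost = Counter()
    for ctl in inventory:
        prov = ctl["provenance"]
        if prov == "inherited":
            buckets["no_vendor_work"].append(ctl["id"])
        elif prov == "vendor_high":
            buckets["reassess_only"].append(ctl["id"])
        elif prov == "vendor_mod":
            buckets["uplift"].append(ctl["id"])
            uplift_cost[FAMILY_COST_CENTER.get(ctl["family"], "mixed")] += 1
        else:
            raise ValueError(f"{ctl['id']}: unknown provenance {prov!r}")
    return buckets, dict(uplift_cost)


def as_retrofit(inventory):
    """Model a boundary without the pattern: nothing pre-built, everything is Moderate-only."""
    return [dict(ctl, provenance="vendor_mod") for ctl in inventory]
```

Running `scope_rebaseline` on the sample boundary yields four uplift items, while the same delta without the pattern (`as_retrofit`) puts all nine in scope for architecture work.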

When Each Baseline Is Right

The choice between Moderate and High is not always a customer demand. The agency or program determines the impact level based on FIPS 199 categorization. A vendor can offer at Moderate and decline to pursue High if the addressable market does not justify the investment.

Moderate is the right baseline for offerings whose addressable market is dominated by civilian agencies handling moderate-impact data. The cost of High is unjustified if the vendor’s pipeline does not include High-impact opportunities. Most Software-as-a-Service offerings used for general business workflows in federal agencies operate at Moderate.

High is the right baseline for offerings handling national security, law enforcement, financial systems, healthcare data at federal scale, and critical infrastructure. The DoD and intelligence community frequently demand High or higher (DoD Impact Levels 5 and 6 are above FedRAMP High). Vendors with pipeline in these markets must commit to High and absorb the cost.

The split decision is the most common situation: an offering that operates at Moderate today and may face a High customer in the future. The right architectural posture is the pre-authorized boundary. The right business posture is to track the potential High pipeline and budget the re-baseline against the realistic probability of a High customer landing.

Frequently Asked Questions

What is the all-in cost of a Moderate-to-High re-baseline?

For a representative cloud service offering, the first-year incremental cost ranges $1.2 million to $2.8 million in a clean re-baseline path with adequate planning, and substantially more in a mid-authorization re-baseline under deadline pressure. The ongoing run-rate increase is $400K to $900K annually against the Moderate baseline. Vendors using the pre-authorized boundary pattern see costs at the lower end or below.

Can I authorize at High initially and downgrade later?

Operationally, you can. Practically, this is rare because the cost of authorizing at High is materially higher than at Moderate, and downgrading does not recover the cost. Vendors who authorize at High and then find their pipeline shifts to Moderate-only typically maintain High to preserve the option of High customers.

Does FedRAMP 20x change this calculus?

FedRAMP 20x is targeting compressed authorization timelines, not lower control burden. The Moderate-to-High control delta remains 87 controls and enhancements regardless of authorization process. 20x may make the re-baseline path faster, but the underlying cost categories (infrastructure, operations, documentation) do not change.

Do I need a separate environment for High?

Most vendors maintain a single FedRAMP-authorized environment at the highest baseline they need to serve. Operating separate Moderate and High environments doubles infrastructure costs and audit scope. The exception is vendors with substantial commercial business who maintain a separate FedRAMP environment from their commercial environment.

How long does a clean Moderate-to-High re-baseline take?

Six to twelve months in a typical clean re-baseline. Architecture changes require three to six months. Re-assessment requires three to six months including documentation refresh and assessor engagement. The Authorizing Official decision adds variable time on top.

What is the smallest viable High customer?

The smallest viable High customer is one whose multi-year contract value covers the re-baseline cost and provides margin. For most vendors, that threshold is $5 million to $10 million in committed multi-year revenue. Below that, the re-baseline does not justify itself financially even if the customer is otherwise attractive.

The verdict. The 87-control delta is a real number that obscures the real cost story. The infrastructure rebuild required to satisfy SC, SI, AU, and CP at High is the budget item that dominates everything else, and the contractors who treat the re-baseline as a documentation project blow through their budget within the first 60 days. The pre-authorized boundary pattern is the operational answer for vendors who anticipate any High pipeline at all; front-loading the infrastructure work at Moderate is materially cheaper than retrofitting it during a re-baseline. The board question is not “can we afford to go to High.” The board question is “do we have any High pipeline at all in the next 36 months,” and if the answer is yes, the cheapest path to High starts at Moderate with the boundary already designed for the uplift.

Discipline in preparation. Confidence in the room.

Josef Kamara
CPA · CISSP · CISA · ACCA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Third-Party Risk Management Practice Lead), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.
