Section 5.4 - CSP Scenario Brief
DOC-REF: FRC-CSP-MOD2HIGH-001
FedRAMP Moderate to High Cost: $1.2M to $2.5M for the Upgrade Path
CSPs that hold a Moderate ATO and want to expand into FedRAMP High territory typically use an upgrade path rather than pursuing High from scratch. The upgrade leverages existing Moderate documentation, the established 3PAO relationship, and mature ConMon discipline to deliver High authorization at meaningfully lower cost than a greenfield High pursuit. For 2026, plan for $1.2M to $2.5M of incremental cost and 9 to 14 months of additional timeline. This brief covers the upgrade budget, the dimensions that change between Moderate and High, and the practices that make the upgrade succeed.
Headline
The Moderate to High upgrade typically adds $1.2M to $2.5M of incremental cost and 9 to 14 months of timeline. Annual ConMon at the upgraded High level then runs $300K to $600K per year.
Section A
What changes between Moderate and High
| Dimension | Moderate | High | Delta | Note |
|---|---|---|---|---|
| Applicable controls | 325+ | 421+ | 96+ additional controls | Roughly 30% more |
| SSP page count (main document) | 300 - 600 pages | 500 - 900 pages | +200 to 300 pages | Reflects deeper narrative per control |
| 3PAO fieldwork duration | 12 - 16 weeks | 16 - 22 weeks | +4 to 6 weeks | Deeper testing methodology |
| Annual ConMon cost | $150K - $350K / yr | $300K - $600K / yr | +$150K to $250K / yr | Roughly doubles |
| Total authorization cost | $800K - $2M | $2.5M - $5M+ | Roughly doubles | Greenfield High; upgrade is cheaper |
Section B
Why the upgrade path is cheaper than starting at High
Pursuing High via the Moderate to High upgrade path typically costs $1.2M to $2.5M of incremental investment, while greenfield High pursuit costs $2.5M to $5M+. The roughly 50 percent reduction in incremental cost reflects four reusable assets that the upgrade leverages but greenfield High pursuit must build from scratch.
First, the SSP foundation. The existing Moderate SSP already documents the system, the boundary, the data flows, and the implementation of all shared controls. The upgrade adds the High-only controls and updates the existing control narratives for High parameter values. This is significantly cheaper than authoring the High SSP from scratch.
Second, the 3PAO relationship. The 3PAO that performed the Moderate assessment already knows the system. The High assessment can be scoped efficiently around the High delta rather than performing a full from-scratch assessment. The 3PAO's institutional knowledge of the CSP's evidence quality, inheritance model, and POA&M history accelerates the High assessment by 4 to 6 weeks.
Third, the operational discipline. CSPs that have successfully run a year or more of Moderate ConMon have mature processes for evidence collection, change management, vulnerability remediation, and POA&M tracking. Greenfield High pursuit must build these processes simultaneously with the High assessment.
Fourth, the agency sponsor relationship. The sponsoring agency that issued the Moderate ATO is typically willing to also sponsor the High upgrade, eliminating the sponsor search cost that greenfield High pursuit would incur. The JAB vs Agency ATO cost page covers sponsor relationship economics in detail.
Section C
Upgrade budget breakdown
| Cost Component | Indicative Range | Notes |
|---|---|---|
| SSP Enhancement for High Controls | $200K - $400K | Adding the 96+ High-only controls and parameter updates |
| Additional Infrastructure (HSMs, SIEM expansion) | $200K - $500K | Hardware security modules, expanded monitoring |
| Implementation of High-only Controls | $150K - $400K | Engineering work to satisfy High requirements |
| 3PAO High Assessment | $350K - $600K | Delta assessment focused on High controls and deeper testing of shared controls |
| Additional Penetration Testing | $30K - $80K | Increment over Moderate pen test |
| Remediation Effort | $150K - $400K | Findings on the High delta |
| ConMon Year 1 Uplift (Moderate to High) | $80K - $200K | Incremental cost over existing Moderate ConMon |
| Consulting and Advisory | $100K - $250K | High-specific consulting and program management |
| Total Upgrade Range | $1.26M - $2.83M (typical $1.7M) | Incremental cost above pre-existing Moderate ATO |
Section D
When the upgrade is worth doing and when to stay at Moderate
The upgrade is worth doing when three conditions hold. First, the CSP's target federal market includes workloads that require High impact: law enforcement sensitive systems, life-safety health records, certain DoD-adjacent workloads, and IRS-1075 tax data systems. Without High-requiring workloads in the addressable market, the High premium produces capacity that is never used.
Second, the CSP's three-year federal addressable revenue at High includes at least $20M to $40M of revenue that is contingent on High authorization. Below that threshold, the $1.2M to $2.5M incremental investment plus ongoing $150K to $250K per year of incremental ConMon does not produce attractive ROI.
Third, the CSP's Moderate authorization is operationally stable. Pursuing the upgrade while the Moderate ATO still has unresolved instability (missed ConMon milestones, ongoing agency POA&M concerns, recent SCR complications) compounds risk. The right time for upgrade pursuit is after at least one full annual assessment cycle of clean Moderate operation.
Staying at Moderate is right when the federal addressable market does not include High-requiring workloads, when the High investment cannot be supported by current commercial trajectory, or when the existing Moderate authorization is still consuming significant organizational attention. The FedRAMP High cost page and Moderate cost page help model the absolute economics; this page focuses on the upgrade delta specifically.
Section E
Frequently asked questions
What does upgrading from FedRAMP Moderate to High cost?
The incremental cost of upgrading from a Moderate ATO to a High ATO typically runs $1.2M to $2.5M, with a typical mid-point around $1.7M. The upgrade is meaningfully cheaper than pursuing High from scratch (which would cost $2.5M to $5M) because the existing Moderate documentation, 3PAO relationship, and operational discipline carry forward.
Why pursue the upgrade rather than starting fresh at High?
The Moderate to High upgrade leverages existing assets: the Moderate SSP becomes the foundation for the High SSP rather than starting from scratch, the 3PAO knows the system and can target assessment effort efficiently, the operational discipline of running Moderate ConMon is already in place, and the agency sponsor relationship continues. These compound to make sequential Moderate then High meaningfully cheaper than starting at High directly.
How long does the upgrade take?
Typically 9 to 14 months from executive decision to High ATO. Months 1 to 4: SSP enhancement and documentation gap closure for High controls. Months 4 to 8: implementation of additional controls and tooling required at High. Months 6 to 12: 3PAO High assessment. Months 12 to 14: SAR finalization, agency review, and High ATO issuance.
What are the 96 additional controls about?
The High baseline adds roughly 96 controls beyond Moderate, concentrated in audit and accountability, system and information integrity, system and communications protection, and physical and environmental protection. The High baseline also sets higher parameter values for many shared controls (longer log retention, deeper encryption requirements, stricter access controls).
Will the same 3PAO handle both authorizations?
Typically yes. CSPs almost always continue with the same 3PAO for the upgrade. Switching 3PAOs at the upgrade point would forfeit most of the efficiency the upgrade path is designed to deliver, since a new 3PAO would have to rebuild familiarity with the system before assessing the High delta.
What new infrastructure is required at High that was not required at Moderate?
Common additions include Hardware Security Modules (HSMs) for cryptographic key management, dedicated SIEM tooling with extended retention, more rigorous network segmentation, expanded logging coverage, and richer incident response tooling. Total infrastructure additions typically run $200K to $500K depending on what the CSP already has in place from Moderate.
Section F