One of the most common questions we hear from agencies and cloud service providers is: “What exactly does it take to go from FedRAMP Moderate to High?” The answer isn’t just “more controls”; it’s a fundamentally different security posture built around one question: what happens if this system fails? UberEther CEO Matt Topper put together this complete control delta to give teams a precise, actionable picture of every additional requirement at the High baseline, and the reasoning behind each one.
The FedRAMP High baseline contains 410 controls versus the Moderate baseline’s 323 controls, yielding 87 controls and control enhancements unique to the High baseline. These additional requirements span 15 of the 20 control families and represent the incremental security posture demanded when a system processes data where loss of confidentiality, integrity, or availability could cause severe or catastrophic harm to organizational operations, assets, or individuals.
The baselines were officially released May 30, 2023, aligned with NIST SP 800-53 Revision 5, and remain current as of February 2026. The authoritative machine-readable sources are the FedRAMP OSCAL resolved-profile catalog files maintained in the GSA/fedramp-automation GitHub repository.
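The delta can be recomputed directly from OSCAL catalog documents of the kind mentioned above. The following is an added example, not code from UberEther or FedRAMP: it walks two OSCAL catalog structures, lists the controls and enhancements present only in High, and rebuilds per-family counts. The two embedded catalogs are small constructed samples rather than the real baselines, and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict


def ctl(cid, title, *enhancements):
    """Build one OSCAL-style control object (helper for the sample data only)."""
    obj = {"id": cid, "title": title}
    if enhancements:
        obj["controls"] = list(enhancements)  # enhancements nest under "controls"
    return obj


def catalog(groups):
    """Wrap {family_id: (title, [controls])} in the OSCAL catalog envelope."""
    return {"catalog": {"groups": [
        {"id": gid, "title": title, "controls": controls}
        for gid, (title, controls) in groups.items()]}}


# Constructed samples. For real data, json.load() the two resolved-profile
# catalog files instead; the functions below only rely on the OSCAL layout.
MODERATE = catalog({
    "ac": ("Access Control", [
        ctl("ac-2", "Account Management",
            ctl("ac-2.1", "Automated System Account Management")),
        ctl("ac-6", "Least Privilege",
            ctl("ac-6.1", "Authorize Access to Security Functions"))]),
    "au": ("Audit and Accountability", [
        ctl("au-9", "Protection of Audit Information",
            ctl("au-9.4", "Access by Subset of Privileged Users"))]),
    "sc": ("System and Communications Protection", [
        ctl("sc-7", "Boundary Protection", ctl("sc-7.3", "Access Points"))]),
})
HIGH = catalog({
    "ac": ("Access Control", [
        ctl("ac-2", "Account Management",
            ctl("ac-2.1", "Automated System Account Management"),
            ctl("ac-2.11", "Usage Conditions")),
        ctl("ac-6", "Least Privilege",
            ctl("ac-6.1", "Authorize Access to Security Functions"),
            ctl("ac-6.3", "Network Access to Privileged Commands"),
            ctl("ac-6.8", "Privilege Levels for Code Execution")),
        ctl("ac-10", "Concurrent Session Control")]),
    "au": ("Audit and Accountability", [
        ctl("au-9", "Protection of Audit Information",
            ctl("au-9.2", "Separate Physical Systems"),
            ctl("au-9.3", "Cryptographic Protection"),
            ctl("au-9.4", "Access by Subset of Privileged Users")),
        ctl("au-10", "Non-Repudiation")]),
    "sc": ("System and Communications Protection", [
        ctl("sc-3", "Security Function Isolation"),
        ctl("sc-7", "Boundary Protection", ctl("sc-7.3", "Access Points"),
            ctl("sc-7.10", "Prevent Exfiltration")),
        ctl("sc-24", "Fail in Known State")]),
})

_ID = re.compile(r"^([a-z]{2})-(\d+)(?:\.(\d+))?$")


def parse_id(cid):
    """Split 'ac-2.11' into ('AC', 2, 11); a base control gets enhancement 0."""
    m = _ID.match(cid)
    if not m:
        raise ValueError(f"unexpected control id: {cid!r}")
    return m.group(1).upper(), int(m.group(2)), int(m.group(3) or 0)


def display_id(cid):
    """Render an OSCAL id the way the tables on this page do: AC-2(11)."""
    family, number, enh = parse_id(cid)
    return f"{family}-{number}({enh})" if enh else f"{family}-{number}"


def index_controls(doc):
    """Return {control_id: title} for every control and enhancement."""
    found = {}

    def walk(node):
        for group in node.get("groups", []):      # groups may nest sub-groups
            walk(group)
        for control in node.get("controls", []):  # controls nest enhancements
            found[control["id"]] = control.get("title", "")
            walk(control)

    walk(doc["catalog"])
    return found


def baseline_delta(moderate_doc, high_doc):
    """Return (high_only_by_family, dropped).

    'dropped' lists Moderate controls missing from High. It should be empty;
    if it is not, per-family count differences understate the real delta.
    """
    moderate, high = index_controls(moderate_doc), index_controls(high_doc)
    by_family = defaultdict(list)
    for cid in sorted(high.keys() - moderate.keys(), key=parse_id):
        by_family[parse_id(cid)[0]].append(display_id(cid))
    dropped = [display_id(c)
               for c in sorted(moderate.keys() - high.keys(), key=parse_id)]
    return dict(by_family), dropped


def family_summary(moderate_doc, high_doc):
    """Rows of (family, moderate_count, high_count, delta) per control family."""
    counts = defaultdict(lambda: [0, 0])
    for col, doc in enumerate((moderate_doc, high_doc)):
        for cid in index_controls(doc):
            counts[parse_id(cid)[0]][col] += 1
    return [(fam, m, h, h - m) for fam, (m, h) in sorted(counts.items())]


if __name__ == "__main__":
    delta, dropped = baseline_delta(MODERATE, HIGH)
    for row in family_summary(MODERATE, HIGH):
        print(row, delta.get(row[0], []))
    print("Moderate controls missing from High:", dropped)
```
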
Delta by Control Family
| Family | Full Name | Moderate | High | Delta | Key Theme |
|---|---|---|---|---|---|
| AC | Access Control | 43 | 50 | +7 | Conditional access, privilege restriction, wireless hardening |
| AT | Awareness & Training | 6 | 6 | 0 | No delta |
| AU | Audit & Accountability | 16 | 27 | +11 | Non-repudiation, centralized forensics, audit protection |
| CA | Assessment, Authorization & Monitoring | 14 | 16 | +2 | Specialized assessments, transfer authorization |
| CM | Configuration Management | 27 | 34 | +7 | Automated change control, signed components |
| CP | Contingency Planning | 23 | 35 | +12 | Near-zero-downtime recovery, alternate sites, provider resilience |
| IA | Identification & Authentication | 27 | 30 | +3 | Cached authenticator controls, in-person identity proofing |
| IR | Incident Response | 17 | 24 | +7 | Dynamic reconfiguration, insider threat, deployable teams |
| MA | Maintenance | 10 | 12 | +2 | Automated maintenance records, comparable-security remote maintenance |
| MP | Media Protection | 7 | 10 | +3 | Verified sanitization, equipment testing, portable media controls |
| PE | Physical & Environmental Protection | 19 | 26 | +7 | System-level physical controls, long-term power, placement |
| PL | Planning | 7 | 7 | 0 | No delta |
| PS | Personnel Security | 10 | 11 | +1 | Automated termination notifications |
| RA | Risk Assessment | 11 | 13 | +2 | Attack surface reduction, retrospective vuln analysis |
| SA | System & Services Acquisition | 20 | 24 | +4 | Developer screening, security architecture, pre-hardened delivery |
| SC | System & Communications Protection | 29 | 35 | +6 | Security function isolation, fail-safe, exfiltration prevention |
| SI | System & Information Integrity | 24 | 35 | +11 | Encrypted traffic visibility, privileged user monitoring |
| SR | Supply Chain Risk Management | 12 | 14 | +2 | Tamper resistance throughout development lifecycle |
| TOTAL | | 323 | 410 | +87 | |

AC: Access Control (+7)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| AC-2(11) | Account Management — Usage Conditions | Enforce circumstances and usage conditions for system accounts (e.g., restricting to certain hours, days, locations, or connection types). | Enables granular conditional access beyond basic authentication — critical when unauthorized account use on a High system could cause catastrophic harm. |
| AC-4(4) | Information Flow — Flow Control of Encrypted Information | Prevent encrypted information from bypassing content-checking mechanisms by decrypting it, blocking the flow, or terminating sessions. | Ensures DLP and content inspection cannot be circumvented by encryption, preventing covert exfiltration from High systems. |
| AC-6(3) | Least Privilege — Network Access to Privileged Commands | Authorize network access to privileged commands only for compelling operational needs; document rationale in the security plan. | Restricts remote execution of privileged commands — a key attack vector — to only documented, justified cases on High-impact systems. |
| AC-6(8) | Least Privilege — Privilege Levels for Code Execution | Prevent software from executing at higher privilege levels than the users executing the software. | Blocks privilege-escalation attacks where malicious code attempts to run with elevated permissions on High systems. |
| AC-10 | Concurrent Session Control | Limit the number of concurrent sessions for each system account to an organization-defined number. | Prevents credential-sharing and limits blast radius of compromised accounts by capping simultaneous sessions. |
| AC-18(4) | Wireless Access — Restrict Configurations by Users | Identify and explicitly authorize users allowed to independently configure wireless networking capabilities. | Prevents unauthorized wireless configuration changes that could create rogue access points or weaken wireless security on High systems. |
| AC-18(5) | Wireless Access — Antennas and Transmission Power Levels | Select radio antennas and calibrate transmission power levels to reduce the probability that signals can be received outside organization-controlled boundaries. | Limits the physical RF footprint to prevent eavesdropping and unauthorized access from outside the facility perimeter. |

AU: Audit & Accountability (+11)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| AU-5(1) | Audit Failures — Storage Capacity Warning | Provide a warning when allocated audit log storage volume reaches an organization-defined percentage of maximum capacity. | Prevents loss of audit data from storage exhaustion — complete audit trails are legally required for High systems. |
| AU-5(2) | Audit Failures — Real-Time Alerts | Provide an alert within a real-time period to designated personnel when organization-defined audit failure events occur. | Ensures immediate awareness of audit system failures so that compensating measures can be activated before events go unrecorded. |
| AU-6(4) | Audit Review — Central Review and Analysis | Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. | Enables correlation of events across a distributed High system, essential for detecting multi-stage attacks spanning components. |
| AU-6(5) | Audit Review — Integrated Analysis of Audit Records | Integrate analysis of audit records with vulnerability scanning information, performance data, and system monitoring information. | Fuses multiple telemetry sources for holistic threat detection — necessary for APTs targeting High systems. |
| AU-6(6) | Audit Review — Correlation with Physical Monitoring | Correlate information from audit records with information obtained from monitoring physical access to identify suspicious activity. | Links cyber and physical access events, detecting insider threats who combine physical and logical access. |
| AU-6(7) | Audit Review — Permitted Actions | Specify the allowed actions for each audit record review, analysis, and reporting process. | Enforces least-privilege on the audit analysis function itself, preventing abuse of powerful audit access on High systems. |
| AU-9(2) | Audit Protection — Separate Physical Systems | Store audit records on a repository that is part of a physically different system or system component than the system being audited. | Ensures attackers who compromise the primary system cannot tamper with audit evidence — critical for forensic integrity. |
| AU-9(3) | Audit Protection — Cryptographic Protection | Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. | Provides mathematical assurance that audit records have not been modified, supporting legal admissibility and non-repudiation. |
| AU-10 | Non-Repudiation | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed organization-defined actions. | Foundational High-only control. Ensures actions cannot be denied — essential for legal accountability in systems processing law enforcement, financial, or national security data. |
| AU-12(1) | Audit Generation — System-Wide Time-Correlated Trail | Compile audit records from multiple system components into a system-wide audit trail that is time-correlated to within an organization-defined tolerance. | Enables comprehensive forensic reconstruction of multi-stage incidents across an entire High system with synchronized timestamps. |
| AU-12(3) | Audit Generation — Changes by Authorized Individuals | Provide the capability for authorized individuals to change auditing on specific components based on selectable event criteria within defined time thresholds. | Allows dynamic increase of audit granularity during active incident response — essential for hunting advanced threats. |

CA: Assessment, Authorization & Monitoring (+2)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| CA-2(2) | Control Assessments — Specialized Assessments | Include specialized assessment forms such as in-depth monitoring, malicious user testing, penetration testing, or red team exercises. | High systems require adversary-simulation testing beyond standard assessments to validate defenses against sophisticated threat actors. |
| CA-3(6) | Information Exchange — Transfer Authorizations | Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations. | Prevents unauthorized data movement between interconnected systems — vital when High-impact data crosses system boundaries. |

CM: Configuration Management (+7)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| CM-3(1) | Config Change Control — Automated Documentation & Prohibition | Use automated mechanisms to document proposed changes, notify approval authorities, highlight unapproved changes, and prohibit changes until approvals are received. | Eliminates manual change-management errors and enforces strict change governance via automation on High systems. |
| CM-3(6) | Config Change Control — Cryptography Management | Ensure that cryptographic mechanisms used to provide security safeguards are under configuration management. | Prevents unauthorized or untracked changes to cryptographic implementations that protect High-impact data. |
| CM-4(1) | Impact Analyses — Separate Test Environments | Analyze changes to the system in a separate test environment before implementation in the operational environment. | Prevents untested changes from destabilizing production High systems — mandatory isolation of test and production environments. |
| CM-6(2) | Configuration Settings — Respond to Unauthorized Changes | Take organization-defined actions in response to unauthorized changes to organization-defined configuration settings. | Mandates active response (not just detection) to configuration drift, ensuring High systems maintain their hardened state. |
| CM-8(2) | Inventory — Automated Maintenance | Maintain the currency, completeness, accuracy, and availability of the system component inventory using automated mechanisms. | Manual inventory tracking cannot keep pace with High system complexity — automation ensures complete asset visibility. |
| CM-8(4) | Inventory — Accountability Information | Include in the system component inventory information to achieve effective component accountability (unique identifiers, type, manufacturer, serial number, location, responsible individuals). | Establishes clear ownership and traceability for every component in a High system, enabling rapid incident scoping and supply chain verification. |
| CM-14 | Signed Components | Prevent the installation of software and firmware components without verification that the component has been digitally signed using an approved certificate. | Blocks deployment of tampered or counterfeit software/firmware, directly countering supply chain attacks against High systems. |

CP: Contingency Planning (+12)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| CP-2(2) | Contingency Plan — Capacity Planning | Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. | High systems must not suffer performance degradation during failover — full-capacity alternate operations are required. |
| CP-2(5) | Contingency Plan — Continue Mission Functions | Plan for the continuance of essential mission functions with minimal or no loss of operational continuity and sustain that continuity until full system restoration at primary sites. | Demands near-continuous operations — High systems cannot tolerate significant service interruption during a contingency event. |
| CP-3(1) | Contingency Training — Simulated Events | Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. | Realistic training exercises ensure staff can execute contingency procedures under pressure for High systems. |
| CP-4(2) | Plan Testing — Alternate Processing Site | Test the contingency plan at the alternate processing site to evaluate the site’s capabilities to support contingency operations. | Validates that the alternate site can actually sustain High system operations before a real disaster occurs. |
| CP-6(2) | Alternate Storage Site — RTO/RPO Configuration | Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. | Ensures backup storage meets aggressive RTO/RPO targets required for High systems. |
| CP-7(4) | Alternate Processing Site — Preparation for Use | Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. | Requires a “warm” or “hot” standby site ready for immediate failover, not merely a cold site. |
| CP-8(3) | Telecom Services — Separation of Primary/Alternate Providers | Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. | Eliminates telecom single points of failure by mandating provider diversity for High system connectivity. |
| CP-8(4) | Telecom Services — Provider Contingency Plan | Require primary and alternate telecommunications service providers to have contingency plans; review the plans to ensure they meet organizational requirements. | Extends resilience requirements to third-party telecom providers supporting High system operations. |
| CP-9(2) | System Backup — Test Restoration Using Sampling | Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing. | Validates that backups are actually restorable — untested backups are a critical risk for High system recovery. |
| CP-9(3) | System Backup — Separate Storage for Critical Information | Store backup copies of critical system software and security-related information in a separate facility or fire-rated container not collocated with the operational system. | Protects recovery capability from the same physical threat (fire, flood, sabotage) that could destroy the primary High system. |
| CP-9(5) | System Backup — Transfer to Alternate Storage Site | Transfer system backup information to the alternate storage site within an organization-defined time period consistent with recovery time and recovery point objectives. | Ensures backup data reaches the alternate site fast enough to meet aggressive RPO targets. |
| CP-10(4) | Recovery — Restore Within Time Period | Provide the capability to restore system components within organization-defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state. | Mandates time-bound recovery to a known-good state, ensuring High systems return to operations within defined windows. |

IA: Identification & Authentication (+3)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| IA-5(8) | Authenticator Mgmt — Multiple System Accounts | Implement organization-defined security controls to manage the risk of compromise due to individuals having accounts on multiple systems. | Addresses credential reuse risk — a compromised credential on one system must not cascade to compromise a High system. |
| IA-5(13) | Authenticator Mgmt — Expiration of Cached Authenticators | Prohibit the use of cached authenticators after an organization-defined time period. | Prevents stale cached credentials from granting unauthorized access to High systems after a session should have expired. |
| IA-12(4) | Identity Proofing — In-Person Validation | Require that the validation and verification of identity evidence be conducted in person before a designated registration authority. | Highest-assurance identity proofing — eliminates remote identity fraud for users who will access High-impact systems. |

IR: Incident Response (+7)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| IR-2(1) | IR Training — Simulated Events | Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations. | Realistic incident simulations prepare staff for the high-stakes, high-pressure response required when High systems are compromised. |
| IR-2(2) | IR Training — Automated Training Environments | Provide an incident response training environment using automated mechanisms. | Enables repeatable, scalable training exercises using automated simulation platforms for High system incident response teams. |
| IR-4(2) | Incident Handling — Dynamic Reconfiguration | Include the capability for dynamic reconfiguration of the system as part of incident response (e.g., automatically disabling components, rerouting traffic, isolating segments). | Allows automated containment actions during incidents — critical for High systems where manual response may be too slow to prevent catastrophic damage. |
| IR-4(4) | Incident Handling — Information Correlation | Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. | Enables detection of coordinated, multi-vector attacks against High systems by correlating incidents across the enterprise. |
| IR-4(6) | Incident Handling — Insider Threats | Implement an incident handling capability for incidents involving insider threats. | Dedicated insider-threat incident procedures address the elevated risk insiders pose to High-impact systems and data. |
| IR-4(11) | Incident Handling — Integrated Response Team | Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in an organization-defined time period. | Provides a deployable, cross-functional response team for High system incidents requiring on-site investigation and remediation. |
| IR-5(1) | Incident Monitoring — Automated Tracking & Analysis | Track incidents and collect and analyze incident information using automated mechanisms. | Automated incident tracking reduces human error and accelerates analysis during high-volume or complex incidents on High systems. |

MA: Maintenance (+2)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| MA-2(2) | Controlled Maintenance — Automated Maintenance Activities | Employ automated mechanisms to schedule, conduct, and document maintenance and repairs, and to produce up-to-date, complete records of all maintenance actions. | Ensures complete, tamper-resistant maintenance records and eliminates scheduling gaps on High systems. |
| MA-4(3) | Nonlocal Maintenance — Comparable Security | Require that nonlocal maintenance and diagnostic services be performed from a system that implements comparable security to the system being serviced; or remove and sanitize the component before nonlocal maintenance. | Prevents exposure of High system components to lower-security maintenance environments that could introduce vulnerabilities. |

MP: Media Protection (+3)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| MP-6(1) | Media Sanitization — Review, Approve, Track & Verify | Review, approve, track, document, and verify media sanitization and disposal actions. | Establishes formal chain-of-custody and verification for media destruction — prevents data recovery from improperly sanitized High-system media. |
| MP-6(2) | Media Sanitization — Equipment Testing | Test sanitization equipment and procedures to ensure that the intended sanitization is being achieved. | Validates that sanitization tools actually work — a failed wipe on High system media could expose catastrophically sensitive data. |
| MP-6(3) | Media Sanitization — Nondestructive Techniques | Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system. | Prevents malware introduction via USB and portable media — a common attack vector against High-security environments. |

PE: Physical & Environmental Protection (+7)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| PE-3(1) | Physical Access — System Access | Enforce physical access authorizations to the system in addition to the physical access controls for the facility at organization-defined physical spaces containing system components. | Adds system-level physical access control beyond facility-level — not everyone with building access should touch High system hardware. |
| PE-6(4) | Physical Access Monitoring — Monitoring Physical Access to Systems | Monitor physical access to the system in addition to the physical access monitoring of the facility. | Provides component-level physical access monitoring, detecting unauthorized interaction with specific High system hardware. |
| PE-8(1) | Visitor Access Records — Automated Maintenance & Review | Maintain and review visitor access records using automated mechanisms. | Automated visitor logging enables pattern analysis and reduces human error in tracking who accessed High system facilities. |
| PE-11(1) | Emergency Power — Long-Term Alternate Power Supply | Provide an alternate power supply for the system that is self-contained and not reliant on external power generation, capable of maintaining minimally required operational capability during extended loss of primary power. | High systems require long-duration backup power (generators, not just UPS) to maintain operations through extended outages. |
| PE-14(2) | Environmental Controls — Monitoring with Alarms | Employ environmental control monitoring capable of detecting changes potentially harmful to personnel or equipment and provide alarm notification to designated personnel. | Proactive environmental alerting (temperature, humidity) prevents equipment failure and data loss on High systems. |
| PE-15(1) | Water Damage Protection — Automation Support | Detect the presence of water near the system and alert designated organizational personnel using automated mechanisms. | Automated water detection provides early warning to protect High system hardware from water damage. |
| PE-18 | Location of System Components | Position system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. | Strategic physical placement of High system components reduces exposure to natural hazards and physical attack vectors. |

PS: Personnel Security (+1)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| PS-4(2) | Personnel Termination — Automated Actions | Use automated mechanisms to notify designated personnel or roles upon termination of an individual. | Ensures immediate, automated notification when personnel with High system access are terminated, preventing delayed access revocation. |

RA: Risk Assessment (+2)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| RA-5(4) | Vuln Monitoring — Discoverable Information | Determine what information about the system is discoverable by adversaries and take organization-defined corrective actions to reduce the information footprint. | Requires proactive OSINT/attack-surface analysis — High systems must minimize their discoverable footprint to reduce targeting. |
| RA-5(8) | Vuln Monitoring — Review Historic Audit Logs | Review historic audit logs to determine if a vulnerability identified in the system has been previously exploited within an organization-defined time period. | Mandates retrospective analysis when new vulnerabilities are discovered — critical for determining if High systems were already compromised. |

SA: System & Services Acquisition (+4)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| SA-4(5) | Acquisition — System/Component Configurations | Require the developer to deliver the system, component, or service with organization-defined security configurations implemented and to document any known deviations from approved configurations. | Ensures components arrive pre-hardened for integration into High systems, reducing configuration risk at deployment. |
| SA-16 | Developer-Provided Training | Require the developer to provide training on the correct use and operation of the implemented security and privacy functions, controls, and mechanisms. | Ensures operational staff can correctly use security features of components deployed in High systems — misconfigured security functions are a leading vulnerability. |
| SA-17 | Developer Security Architecture and Design | Require the developer to produce a design specification and security/privacy architecture consistent with the organization’s security architecture, accurately describing required security functionality. | Mandates formal security architecture documentation, ensuring High system components are designed — not just tested — for security. |
| SA-21 | Developer Screening | Require that the developer of organization-defined systems, components, or services satisfy organization-defined personnel screening requirements. | Background checks on developers building High system components mitigate insider and supply chain threats at the source. |

SC: System & Communications Protection (+6)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| SC-3 | Security Function Isolation | Isolate security functions from nonsecurity functions via an isolation boundary that controls access to and protects the integrity of the hardware, software, and firmware performing security functions. | Foundational High-only control. Prevents compromise of nonsecurity components from cascading to security mechanisms — essential trust anchor for High systems. |
| SC-7(10) | Boundary Protection — Prevent Exfiltration | Prevent the unauthorized exfiltration of information across managed interfaces (e.g., implement DLP technologies, block unauthorized data transfers). | Directly addresses the catastrophic consequences of data loss from High systems through active exfiltration prevention at boundaries. |
| SC-7(20) | Boundary Protection — Dynamic Isolation and Segregation | Provide the capability to dynamically isolate organization-defined system components from other system components. | Enables real-time containment during active incidents by dynamically segmenting compromised portions of High systems. |
| SC-7(21) | Boundary Protection — Isolation of System Components | Employ boundary protection mechanisms to isolate organization-defined system components supporting organization-defined missions and/or business functions. | Compartmentalizes High system functions so that compromise of one mission component does not automatically expose others. |
| SC-12(1) | Cryptographic Key Management — Availability | Maintain availability of information in the event of the loss of cryptographic keys by users. | Prevents permanent data loss if keys are lost — essential for High systems where encrypted data must remain recoverable under all circumstances. |
| SC-24 | Fail in Known State | Fail to an organization-defined known system state for organization-defined types of system failures, ensuring that the system preserves organization-defined system state information in failure. | Signature High-only control. Ensures High systems fail safely and predictably, never entering an insecure state that could expose data or create attack opportunities. |

SI: System & Information Integrity (+11)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| SI-4(10) | Monitoring — Visibility of Encrypted Communications | Make provisions so that organization-defined encrypted communications traffic is visible to system monitoring tools and mechanisms. | Prevents adversaries from hiding attack traffic within encrypted channels — High system monitoring must see inside encrypted flows. |
| SI-4(11) | Monitoring — Analyze Communications Traffic Anomalies | Analyze outbound communications traffic at external interfaces and at organization-defined interior points to discover anomalies. | Detects data exfiltration and command-and-control communications through behavioral analysis of traffic patterns on High systems. |
| SI-4(12) | Monitoring — Automated Organization-Generated Alerts | Use automated mechanisms to alert security personnel of organization-defined inappropriate or unusual activities with security or privacy implications. | Reduces detection-to-alert time to near-zero — critical for the rapid response demanded when High systems are under attack. |
| SI-4(14) | Monitoring — Wireless Intrusion Detection | Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system. | Detects unauthorized wireless access points and wireless attacks in High-impact facilities where rogue RF could enable covert exfiltration. |
| SI-4(19) | Monitoring — Risk for Individuals | Implement additional monitoring of individuals who have been identified by organization-defined sources as posing an increased level of risk. | Enables targeted monitoring of higher-risk individuals on High systems. |
| SI-4(20) | Monitoring — Privileged Users | Implement additional monitoring of privileged users. | Privileged insiders are the greatest threat to High systems — enhanced monitoring detects abuse of elevated access that standard monitoring would miss. |
| SI-4(22) | Monitoring — Unauthorized Network Services | Detect network services that have not been authorized or approved and audit and alert designated organizational personnel. | Discovers shadow IT, backdoors, and unauthorized services running on High systems that could serve as attacker footholds. |
| SI-5(1) | Security Alerts — Automated Alerts and Advisories | Broadcast security alert and advisory information throughout the organization using automated mechanisms. | Ensures critical vulnerability advisories reach all responsible parties immediately, accelerating patch response for High systems. |
| SI-7(2) | Integrity — Automated Notifications of Integrity Violations | Employ automated tools that provide notification to designated personnel upon discovering discrepancies during integrity verification. | Automates tamper detection alerting — manual integrity checks are too slow for the response demands of High systems. |
| SI-7(5) | Integrity — Automated Response to Integrity Violations | Automatically shut down the system, restart the system, or implement organization-defined controls when integrity violations are discovered. | Enables autonomous containment — High systems must automatically respond to integrity failures rather than waiting for human intervention. |
| SI-7(15) | Integrity — Code Authentication | Implement cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation. | Blocks execution of unsigned or tampered code, directly countering supply chain and malware attacks on High systems. |

SR: Supply Chain Risk Management (+2)

| Control ID | Title | Description | High-Impact Rationale |
|---|---|---|---|
| SR-9 | Tamper Resistance and Detection | Implement a tamper protection program for the system, system component, or system service. | High systems must detect physical and logical tampering of components — nation-state supply chain attacks are a primary threat at this impact level. |
| SR-9(1) | Tamper Resistance — Multiple Stages of SDLC | Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle. | Extends tamper protections from deployment back through development, addressing supply chain threats at every stage for High system components. |
Five Strategic Themes Driving the High Delta
The 87 High-only controls cluster around five strategic security themes that answer a fundamental question: what additional protections are necessary when system compromise could cause severe or catastrophic harm?
Based on FedRAMP Rev 5 Baselines (released May 30, 2023) and NIST SP 800-53 Rev 5