The FedRAMP High Supply Crisis Is a Federal Security Problem – Not a Procurement Footnote
Federal agencies spent $11 billion on cloud services in 2024. Roughly 40 percent of that spending supported high-impact systems: platforms carrying national security operations, law enforcement coordination, emergency services, healthcare records, and financial infrastructure. The data on those systems cannot tolerate compromise. And yet the cloud market built to protect it is dangerously thin.
As of early 2025, the FedRAMP Marketplace listed approximately 80 cloud service offerings at the High impact level. Only 48 held full authorization. That gap between what agencies need and what the market can actually deliver at the required security tier is not an abstract compliance concern. It is a procurement bottleneck that is forcing real tradeoffs with the federal government’s most sensitive data.
What FedRAMP High Actually Requires
The FedRAMP program classifies cloud services at three impact levels: Low, Moderate, and High, based on the potential consequences of a security breach. FedRAMP High authorization requires 421 security controls drawn from NIST SP 800-53 Rev 5, nearly 30 percent more than the 325 controls at the Moderate baseline. Those additional controls are not bureaucratic overhead. They address advanced encryption requirements, physical access restrictions, enhanced personnel security vetting, and continuous monitoring capabilities calibrated for sophisticated adversaries.
The gap between Moderate and High is not a paperwork gap. It reflects a fundamentally different threat model, one designed for data that, if compromised, could endanger lives, disrupt national security operations, or undermine critical infrastructure.
Because High-authorized options don’t exist across many use cases, agencies often default to general-purpose productivity tools operating at the Moderate tier. That workaround may solve a procurement problem. It creates a security one.
The Threat Environment Agencies Are Actually Operating In
The argument for FedRAMP High-level security is no longer theoretical. The threat data from the past year makes the case in operational terms.
The CrowdStrike 2026 Global Threat Report documented an 89 percent increase in AI-enabled adversary attacks year-over-year, with the average eCrime breakout time dropping to just 29 minutes. Cloud-conscious intrusions rose 37 percent. Perhaps most concerning, 82 percent of all detections were malware-free, meaning traditional signature-based defenses are insufficient against the methods adversaries are now using routinely. State-nexus actors, particularly China-aligned groups, increased targeting of edge devices by 38 percent, using valid credentials and native tools to blend into normal operations while moving laterally toward sensitive data.
For agencies operating at the High impact level, these are adversaries specifically targeting the types of data that FedRAMP High was designed to protect. The 2026 World Economic Forum Global Cybersecurity Outlook reinforces the picture: 65 percent of large organizations now identify third-party and supply chain vulnerabilities as their greatest barrier to cyber resilience, up from 54 percent the prior year. When agencies exchange sensitive data across fragmented platforms operating at different authorization levels, every seam between those systems becomes an attack surface.
General-purpose cloud tools authorized at the Moderate tier were not designed for this threat environment. Deploying them for high-impact workloads is a structural mismatch that no configuration policy can fully close.
The CMMC Dimension: A Defense Industrial Base in Distress
FedRAMP High’s significance extends well beyond federal agencies. For the defense industrial base, the authorization gap creates a compounding compliance crisis.
CMMC Level 2 requires defense contractors to demonstrate 110 security practices derived from NIST SP 800-171. FedRAMP High’s 421 controls map directly to those requirements, and when a vendor achieves FedRAMP High authorization, its customers inherit those validated controls rather than building and validating each one independently. That inheritance can compress CMMC compliance timelines by 50 percent or more. Given the state of DIB readiness, that compression is urgently needed.
A survey of 209 defense industrial base organizations found that only 46 percent consider themselves prepared for CMMC Level 2 certification. Fifty-seven percent have not completed a NIST 800-171 gap analysis. Sixty-two percent lack adequate governance controls. The CyberSheath 2025 State of the DIB report puts the broader picture in even starker terms: only 1 percent of defense contractors feel fully prepared for CMMC audits, down from 4 percent the previous year. The median SPRS score across the DIB sits at 60, a full 50 points below the required threshold of 110.
Critical controls remain widely undeployed. Seventy-nine percent of DIB organizations lack vulnerability management capabilities. Seventy-eight percent lack patch management. Seventy-four percent lack data loss prevention. Seventy-three percent have not implemented multi-factor authentication. These are not edge cases; they are the majority of organizations now operating under CMMC requirements embedded in active defense contracts.
FedRAMP High control inheritance does not solve every problem in this picture. But it changes the compliance calculus fundamentally, converting a multi-year infrastructure build into an architecture decision.
The Multi-Framework Compliance Argument
Federal agencies and defense contractors in 2026 are not confronting a single regulatory obligation. They are managing simultaneous compliance deadlines across CMMC 2.0 for defense contracts, HIPAA for healthcare data, PCI DSS 4.0 for payment processing, and ISO 27001 as a global baseline, among others. Addressing each framework independently multiplies cost, timeline, and implementation risk.
At the control level, the overlap is substantial. An encryption architecture validated for FedRAMP High simultaneously satisfies CMMC encryption practices, HIPAA’s technical safeguards, PCI DSS cryptographic requirements, and ISO 27001 Annex A controls. A platform that unifies these controls under a single architecture eliminates the redundancy inherent in framework-by-framework compliance programs. Survey data supports the operational difference this makes: organizations with completed gap analyses follow documented encryption standards at nearly twice the rate of those without, 77 percent versus 42 percent.
According to a 2025 data workflows survey, 75 percent of government respondents require FedRAMP for their data exchanges, and 69 percent use FIPS 140-3 validated cryptographic modules. When a single platform’s control inheritance satisfies requirements across multiple frameworks simultaneously, multi-framework compliance shifts from a program management problem to an architecture decision.
The FedRAMP 20x Factor: Why Waiting Is a Strategy With Real Costs
The FedRAMP program is undergoing significant modernization through the FedRAMP 20x initiative, and the timeline has direct implications for agencies and contractors making cloud security decisions today.
Phase 1 completed with a Low baseline pilot demonstrating authorization in under two months. Phase 2, active through Q1 2026, involves a Moderate pilot with 13 participants. Wide-scale adoption for Low and Moderate authorizations is expected in Phase 3, targeting Q3 through Q4 2026. But the FedRAMP 20x High baseline pilot is not expected until Q1 through Q2 2027, with the legacy Rev 5 authorization pathway expected to sunset in Q3 through Q4 2027.
Organizations that delay action are not waiting for a better option. They are accepting a multi-year gap in high-security cloud capabilities during the period when adversary activity is accelerating most rapidly.
What Agencies and Contractors Should Do Now
Audit your FedRAMP authorization landscape. Identify which cloud services your agency or organization relies on, at which impact levels they are authorized, and where mission-critical data flows through platforms operating below the High threshold. If your most sensitive data exchange is running through Moderate-authorized tools, you have a structural architecture gap, not a configuration problem.
Map framework overlaps before building framework-specific programs. Organizations pursuing CMMC, HIPAA, PCI DSS, and ISO 27001 simultaneously should identify control overlaps early and invest in platforms that satisfy multiple frameworks from a single implementation.
Evaluate FedRAMP High In Process providers now. The FedRAMP authorization journey moves through Ready, In Process, and Authorized stages. “In Process” is not a planning status. It signals that controls have been implemented, independently assessed by a certified third-party assessment organization, and are under active federal review. Agencies and contractors that engage providers during the In Process stage gain architecture lead time. Waiting for the Authorized designation means competing for capacity alongside every organization that also waited.
Consolidate data exchange channels under unified governance. With 82 percent of detections now malware-free, attackers are exploiting gaps between systems rather than targeting individual platforms. Every separate tool for email, file sharing, SFTP, and managed file transfer is a seam in your security architecture. Unified governance under a single policy engine and audit log is not an administrative preference; it is an operational security requirement.
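A small gap-audit script for the first step above, added here as an illustration and not code from the article or from Kiteworks. It walks a constructed inventory of cloud services and data flows, flags any flow whose data impact level exceeds the platform's FedRAMP level, and separately flags platforms still at the Ready or In Process stage; the service names, levels and flows are assumptions.

```python
from dataclasses import dataclass

# FedRAMP impact levels, ascending by assurance (Low, Moderate, High).
IMPACT_RANK = {"Low": 1, "Moderate": 2, "High": 3}

@dataclass(frozen=True)
class Service:
    name: str
    impact_level: str  # FedRAMP baseline the offering is authorized/assessed at
    stage: str         # "Ready", "In Process" or "Authorized"

@dataclass(frozen=True)
class DataFlow:
    description: str
    data_impact: str   # impact level of the data this flow carries
    service: str       # name of the service the flow runs through

def audit(services, flows):
    """Return one finding dict per problem flow.

    A flow is a below-threshold gap when its data impact exceeds the service's
    level; it is flagged separately when the service is not yet Authorized,
    since only that stage means federal review has completed.
    """
    by_name = {s.name: s for s in services}
    findings = []
    for flow in flows:
        svc = by_name.get(flow.service)
        if svc is None:
            findings.append({"flow": flow.description, "issue": "unknown service"})
        elif IMPACT_RANK[flow.data_impact] > IMPACT_RANK[svc.impact_level]:
            findings.append({"flow": flow.description, "issue": "below-threshold",
                             "service": svc.name, "needs": flow.data_impact,
                             "has": svc.impact_level, "stage": svc.stage})
        elif svc.stage != "Authorized":
            findings.append({"flow": flow.description, "issue": "not yet authorized",
                             "service": svc.name, "stage": svc.stage})
    return findings

# Constructed sample inventory; names and levels are illustrative, not real offerings.
SERVICES = [
    Service("office-suite", "Moderate", "Authorized"),
    Service("secure-exchange", "High", "In Process"),
    Service("legacy-sftp", "Low", "Ready"),
]
FLOWS = [
    DataFlow("case files to partner agency", "High", "office-suite"),
    DataFlow("contractor CUI upload", "High", "secure-exchange"),
    DataFlow("public dataset publish", "Low", "legacy-sftp"),
]
```

Running `audit(SERVICES, FLOWS)` on the sample inventory reports the High-impact flow through the Moderate office suite as a below-threshold gap and the other two services as not yet Authorized.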
The compliance clock is not slowing down. CMMC requirements are embedded in contracts now. DORA enforcement began in January 2025. HIPAA penalties exceed $100 million annually. The federal agencies and defense contractors that act on FedRAMP High inheritance today will be the ones positioned to compete, win contracts, and demonstrate the security posture their missions and regulators demand. The others will still be building.
Danielle Barbour is Senior Director of Product Marketing, Compliance at Kiteworks. She brings experience across medtech, insurance, and software industries and holds an MBA from Saint Mary’s College of California.