
FedRAMP Certification Classes A Through D

Under Consolidated Rules 2026, FedRAMP replaces the legacy FIPS 199 impact-level labels (Low, Moderate, High) with Certification Classes A, B, C, and D. The rebrand resolves long-standing confusion with the Department of Defense Impact Level designations and aligns the program's language to the legal reality. This page covers each class in depth: scope, control count, authorization paths, and which class a federal mission actually requires.
From FIPS 199 to a clear alphabetical system

Why the New Naming

For more than a decade, FedRAMP impact levels (Low, Moderate, High) sat next to DoD Impact Levels (IL2, IL4, IL5, IL6) in the federal cloud landscape. The two systems used overlapping vocabulary, measured different things, and were routinely confused even by experienced practitioners. A cloud described as Moderate might or might not satisfy IL4. A High system might or might not satisfy IL5. The naming itself produced misalignments in procurement, marketing, and security documentation. Under Consolidated Rules 2026, FedRAMP retires the FIPS 199 impact-level labels and adopts a new alphabetical structure.
There is no Class equivalent to IL5; the systems are explicitly separate. FedRAMP also moves away from authorization toward certification in the program's terminology, because legally FedRAMP only certifies completed assessments. The agency, not FedRAMP, issues the Authority to Operate under the NIST Risk Management Framework. The rebrand aligns the language to the legal reality. Existing FedRAMP Authorized services do not lose their status; they continue to operate under their authorizations, and the language updates as new certifications are issued under CR26.
What each class covers

Class A Through Class D in Detail

The four classes cover the full range from transitional pilot certification to the most demanding High baseline. Each class has its own scope, control count, authorization paths, and structural rules.
1. Class A: Transitional Pilot Certification
Class A is a transitional designation introduced under 20x. It is available only through Program Certification (directly from the FedRAMP PMO, no agency sponsor required) and is intended for cloud services entering federal market participation through external frameworks, initially SOC 2 Type II. Class A is time-limited: holders have a two-year window to obtain a Class B, C, or D certification through full assessment. Services in Class A remain in the Preparation phase on the FedRAMP Marketplace during that window.
2. Class B: Replaces Low and Li-SaaS
Class B is the entry-level full certification, replacing the legacy Low and Li-SaaS designations. It applies to systems handling non-sensitive federal information where a security breach would cause limited harm. The control set is approximately 156 controls under Rev5, with the 20x KSI-driven equivalent under CR26. Class B can be achieved through either the Agency authorization path or the Program Certification path, and is fully available under FedRAMP 20x for cloud-native services.
3. Class C: Replaces Moderate
Class C is the broadest certification tier, replacing the legacy Moderate baseline. It applies to systems handling Controlled Unclassified Information (CUI) and non-public federal data where a breach could cause serious but not catastrophic harm. The control set is approximately 323 to 325 controls under Rev5. Class C represents roughly 80 percent of FedRAMP-certified services. It can be achieved through either the Agency path or the Program Certification path, and is available under FedRAMP 20x for cloud-native services beginning at Phase 3 GA.
4. Class D: Replaces High
Class D applies to systems handling mission-critical federal information, law enforcement, emergency services, national security, and critical infrastructure, where a breach could produce severe or catastrophic consequences. The control set is approximately 410 to 421 controls under Rev5 and is the most demanding certification tier in the program. Two structural rules apply to Class D: it must always go through the Agency authorization path (no Program Certification route), and no 20x path currently exists for Class D.
5. Quzara Cybertorch at Class D
Quzara Cybertorch is FedRAMP Certified at Class D (High) on Azure Government, Marketplace ID FR2214150164. Cybertorch operates at the most demanding certification tier and provides the inheritance backbone for cloud services at any class. Operating at Class D means the controls are implemented to the High baseline standard, over-satisfying the requirements of Class B and Class C services that inherit from the platform.
6. Class Comparison
A SaaS platform serving agencies that handle CUI requires Class C at minimum. A platform serving missions that handle national security information requires Class D. The Class A on-ramp through SOC 2 Type II is useful for providers entering the federal market without an existing FedRAMP authorization who want a faster path to initial certification while building toward a full assessment, but it is explicitly transitional, not a destination.
Agency authorization vs. Program Certification

Authorization Paths By Class

The authorization path itself varies by class. Two paths are available across the class system: the Agency authorization path (traditional, with a federal agency sponsor) and the Program Certification path (introduced under RFC-0023, directly from the FedRAMP PMO without an agency sponsor). Class D differs structurally from the other classes in its path availability.
Class A is available only through Program Certification. Class A requires no agency sponsor; it is a direct PMO interaction. This is structurally significant because Class A is intended as an on-ramp for providers entering the federal market without an existing FedRAMP authorization.
Class B is available through both paths. A cloud provider can pursue Class B through traditional agency sponsorship, or directly through Program Certification under RFC-0023. The Program Certification path for Class B is part of the modernization program's effort to remove agency sponsorship as a hard prerequisite for initial certification.
Class C is also available through both paths. Like Class B, providers can pursue Class C through agency sponsorship or directly through Program Certification. Class C is the most commonly certified class, so the path choice matters operationally for the majority of FedRAMP candidates.
Class D has no Program Certification path. Class D must always go through the Agency authorization path. This is a structural rule: the High baseline carries the most demanding control set and is reserved for the most sensitive federal missions, so an agency sponsor's commitment to the system is required for certification.
Under Rev5 paths, all four classes are available with their respective constraints. Under 20x paths, Class A, B, and C are available; Class D has no 20x path currently defined and remains on Rev5 paths through the Phase 5 sunset window in FY27 Q3 to Q4 and possibly beyond.
How to determine your class

Which Class Your Federal Mission Requires

The choice between Class A, B, C, and D is determined by the data the customer agencies need to process, not by provider preference. The rules below cover how to determine the right class for a federal mission.
1. Identify the Data Sensitivity
What categories of federal information will the system process? Non-public federal information at low sensitivity (Class B), Controlled Unclassified Information or other Moderate-sensitivity data (Class C), or mission-critical federal information including national security information (Class D).
2. Identify the Customer Mission
Which federal agencies and which missions will the system serve? Civilian agency administrative systems typically operate at Class B or Class C. CUI-handling missions across agencies operate at Class C minimum. Law enforcement, emergency services, national security, and critical infrastructure missions operate at Class D.
3. Confirm Through the Customer's Authorization Boundary
The receiving agency's authorization boundary requirements determine the class. An agency processing CUI in an environment classified at Moderate will not accept services certified only to Class B. Confirm the agency's certification expectations during the procurement phase, not after.
4. Consider the Class A On-Ramp for Initial Entry
For providers entering the federal market without an existing FedRAMP authorization, the Class A on-ramp through SOC 2 Type II provides a faster path to initial certification. Class A holders have a two-year window to obtain a Class B, C, or D certification through full assessment. Class A is explicitly transitional; use it as an on-ramp, not as a destination.
5. Consider Inheritance When Choosing
Operating on a Class D platform reduces the surface area of the provider's own certification regardless of the provider's target class. A Class C service inheriting from a Class D platform inherits controls implemented to the High baseline standard, over-satisfying the service's Moderate requirements. The inheritance position should factor into the class decision.
6. Plan for Class Migration
A cloud service that starts at Class B may need to migrate to Class C as its customer base expands into CUI-handling missions. Plan the architecture and instrumentation for the eventual target class even if the initial certification is at a lower class. Re-engineering for a higher class after the fact is expensive.
Inheritance from the most demanding tier

How Quzara's Class D Position Amplifies Customer Value

Quzara Cybertorch operates at Class D on Azure Government. The operating position is structurally significant for customers at any class. The items below cover how the Class D position amplifies value for cloud providers building federal-market services.
Inheritance Over-Satisfies Lower Classes
Inheritance is most valuable when the platform's authorization exceeds the inheriting service's target class. A Class C service inheriting from a Class D platform inherits controls implemented to the more demanding High baseline standard, even though the service only needs the Moderate baseline. The platform's controls over-satisfy the service's requirements. This is the structural advantage of building on a Class D platform: lower-class services receive higher-class control implementations for free.
Marketplace Verification
Cybertorch's Class D status is verifiable on the FedRAMP Marketplace at Marketplace ID FR2214150164. The Marketplace listing is the authoritative source for provider class status, and procurement teams should always verify provider claims against the Marketplace listing during the RFI phase.
U.S.-Citizen Analyst Team
Cybertorch operates with 100 percent U.S.-citizen analysts. This satisfies the citizenship requirements that Class D missions typically require and that Class C CUI-handling missions increasingly require. ITAR-compliant operations.
Azure Government and DoD IL-4
Cybertorch operates on Azure Government with DoD Impact Level 4 reach. This is the cloud foundation that Class D federal missions and DIB CMMC Level 2 contractors require. Microsoft GCC High native support extends the operating envelope to GCC High customers.
Inheritable Control Families
Cybertorch's inheritable controls span the Audit and Accountability, Incident Response, and Continuous Monitoring control families: AU-2, AU-3, AU-6, AU-9, AU-12, IR-4, IR-5, IR-6, IR-7, IR-8, CA-7, SI-4, SI-5, and related controls. Inheriting these controls eliminates the customer's need to build and operate a SIEM, log retention, and 24/7 incident response independently.
NISTCompliance.AI Cross-Class Mapping
NISTCompliance.AI generates the inheritance matrix and inherited control sections of the customer's OSCAL SSP automatically. The platform handles the cross-class mapping so a Class C customer's SSP correctly references the Class D inherited controls from the platform's Component Definition.
Cybertorch Continues on Rev5 at Class D
Since Class D has no 20x path currently, Cybertorch operates on a Rev5 Class D authorization through the Phase 5 sunset window. This is the standard operating position for High-baseline services across the program and does not affect customers' ability to inherit Cybertorch controls into their own 20x authorizations at Class B or Class C.
Quzara Cybertorch federal MDR

Choosing Your FedRAMP Class?

The class depends on the data your customer agencies need to process. Quzara Cybertorch operates at Class D on Azure Government, providing inheritance value at any class. NISTCompliance.AI handles the OSCAL package generation across all classes. Request a consultation to map your target class and inheritance posture.

Common Questions About FedRAMP Certification Classes

Why did FedRAMP rename Low, Moderate, and High to Class B, C, and D?
The legacy FIPS 199 impact-level names overlapped with the Department of Defense Impact Level designations (IL2 through IL6) and the Department of the Navy's parallel labels. The naming itself produced misalignments in procurement, marketing, and security documentation. Under Consolidated Rules 2026, FedRAMP adopts the alphabetical class system to resolve the overlap and provide a clear, distinct vocabulary.
What is Class A?
Class A is a transitional designation introduced under 20x, available only through Program Certification, intended for cloud services entering federal market participation through external frameworks (initially SOC 2 Type II). Class A is time-limited: holders have a two-year window to obtain a Class B, C, or D certification through full assessment.
Does Class B replace Low?
Yes. Class B replaces the legacy Low and Li-SaaS designations, covering approximately 156 controls. It is the entry-level full certification.
Does Class C replace Moderate?
Yes. Class C replaces the legacy Moderate baseline, covering approximately 323 to 325 controls. Class C represents roughly 80 percent of FedRAMP-certified services.
Does Class D replace High?
Yes. Class D replaces the legacy High baseline, covering approximately 410 to 421 controls. Class D is the most demanding certification tier in the program.
What is the structural rule about Class D?
Class D must always go through the Agency authorization path; there is no Program Certification route at Class D. Additionally, no 20x path currently exists for Class D. High-baseline cloud services remain on Rev5 paths through Phase 5 and possibly beyond.
Can I get a Class D certification through 20x?
Not currently. No 20x path is defined for Class D. High-baseline cloud services remain on Rev5 paths through the Phase 5 sunset window in FY27 Q3 to Q4 and possibly beyond. Quzara Cybertorch is FedRAMP Certified at Class D on a Rev5 authorization.
What is the difference between Agency authorization and Program Certification?
Agency authorization is the traditional path: a federal agency sponsors the cloud service through the assessment process. Program Certification, introduced under RFC-0023, allows providers to pursue Class A, B, or C certification directly from the FedRAMP PMO without securing an agency sponsor. Class D continues to require Agency authorization.
Which class does my service need?
The class depends on the data your customer agencies need to process. Class B for non-sensitive federal information. Class C for Controlled Unclassified Information and other Moderate-sensitivity data. Class D for mission-critical federal information including national security information. Class A is a transitional on-ramp for initial market entry, not a destination.
How does inheritance work across classes?
A cloud service operating on top of a higher-class platform inherits controls implemented to the higher class's standard. A Class C service inheriting from a Class D platform inherits controls implemented to the High baseline standard, over-satisfying the service's Moderate requirements. The platform's controls over-satisfy the service's requirements when the platform operates at a higher class than the service targets.
Does the terminology shift from Authorized to Certified change my existing authorization?
No. Existing FedRAMP Authorized services retain their status and continue to operate under their authorizations. The terminology shift applies to new certifications issued under CR26. Cloud providers should update their external collateral, marketing materials, and procurement documentation to use the new class terminology and FedRAMP Certified language.
How does Cybertorch's Class D position help my Class B or C certification?
Cloud providers inheriting controls from Cybertorch receive controls implemented to the Class D (High baseline) standard, over-satisfying Class B and Class C requirements. The Audit and Accountability, Incident Response, and Continuous Monitoring control families inherited from Cybertorch reduce the surface area of the provider's own certification at any class. NISTCompliance.AI generates the inheritance matrix referencing Cybertorch's Component Definition automatically.