FedRAMP Moderate CDSS Single SKU
Learn about the FedRAMP Moderate CDSS Single SKU.
Palo Alto Networks Cloud delivered Security Solution (CDSS) subscriptions are now available for customers to use in the FedRAMP Moderate environment. The single modifier SKU streamlines the ordering process and ensures compliance by requiring all CDSS subscriptions on a particular device (NGFW) to be in one environment (commercial, FedRAMP Moderate, or FedRAMP High), not in a mixed environment.
To support this new design, the following requirements and changes apply:
  • Single modifier FedRAMP Mod SKU. A single FedRAMP Moderate SKU is applied for all CDSS subscriptions (ATP, AURL, AWF, ADNS, SCM Pro, DLP, SaaS inline and IoT Enterprise) to indicate the customer has purchased FedRAMP Moderate.
  • Pricing uplift. The FedRAMP Moderate SKU will provide a 15% uplift to the CDSS subscription list price.
  • Classification. The NGFW must be classified as FedRAMP Moderate, either directly or by placing it in a FedRAMP Moderate Cloud Service Provider (CSP).
  • Compliance rule. FedRAMP Moderate designated firewalls or VMs must possess both the subscription SKU and the FedRAMP Moderate SKU.
The table below describes the core requirement to classify the device (or its environment) as FedRAMP Moderate to enforce usage of the FedRAMP Moderate certified subscriptions:
Device/Platform: NGFW/Cloud NGFW
Classification Requirement: Must be classified as FedRAMP Moderate. This can be achieved by either:
  • Placing the device in a separate level designated as FedRAMP Moderate.
  • Classifying the NGFW itself as FedRAMP Moderate.
Subscription Requirement: All CDSS subscriptions purchased for the classified device must be FedRAMP Moderate SKUs. All subscriptions associated with the device must be in one environment (Commercial, FedRAMP Moderate, or FedRAMP High).
Pricing: A single FedRAMP modifier SKU is created to calculate and charge an additional 15% of the total base price of all CDSS subscriptions attached to the classified device.
The table below describes various purchase scenarios:
Scenario | Requirements
New purchase | You must determine if the NGFW is classified as FedRAMP Moderate. Select your subscriptions (for a la carte or bundle) and the FedRAMP Moderate SKU (15% uplift) is added.
Adding subscriptions | When you add a subscription to an already classified FedRAMP Moderate device, the system identifies the device and ensures the 15% FedRAMP Moderate SKU uplift is charged for the new subscription.
When licenses are enabled, the serial number registration in the respective cloud should happen automatically based on the license, with no manual process.
Requirements for using a single SKU differ based on whether you want to cover your full or partial environment with a FedRAMP Moderate classification. The table below describes these differences:
Estate Coverage | Quoting and Classification
Full estate | Devices under your CSP are classified as FedRAMP Moderate. All NGFWs in that particular CSP will automatically receive the FedRAMP Moderate classification. Users purchasing ELA1/ELA2 will receive FedRAMP Moderate for all CDSS subscriptions. The single FedRAMP Moderate SKU that charges the 15% uplift is a new offering for ELA1/ELA2.
Partial estate | During the quoting process, you must select the current and projected estate that will be classified as FedRAMP Moderate. The quote will indicate how much is Commercial vs. FedRAMP Moderate. Only devices selected based on the CSP receive the FedRAMP Moderate classification.
The following CDSS subscriptions are included in the single FedRAMP Moderate SKU:
  • ATP (Advanced Threat Prevention)
  • AURL (Advanced URL Filtering)
  • AWF (Advanced WildFire)
  • ADNS (Advanced DNS Security)
  • SCM Pro
  • DLP (Data Loss Prevention)
  • SaaS Inline
  • IoT Enterprise

Use Cases

This section provides information about the requirements and processes for implementing the new FedRAMP Moderate SKU across various use cases. It focuses primarily on new purchases and adding additional subscriptions for NGFW and Enterprise License Agreements (ELA). It includes information for:
  • New purchases
  • Adding additional subscriptions to a firewall
  • Enterprise License Agreements
  • Renewal or add-ons for existing customers
New Purchases
In this scenario, during the fulfillment process:
  • You purchase a new NGFW.
  • You indicate if the new NGFW will be classified as FedRAMP Moderate.
  • You select the CDSS subscriptions you want to use (for example, ATP).
  • The pricing is updated to reflect the single FedRAMP SKU modifier; an additional 15% is charged for the subscriptions.
  • Your profile is updated to indicate which subscriptions have been charged for FedRAMP Moderate.
Adding Additional Subscriptions to a Classified Firewall
In this scenario, during the fulfillment process:
  • You already have an existing FedRAMP Moderate subscription associated with a firewall and you want to add a new subscription (for example, you want to add AWF to the existing subscription that already includes ATP and AURL).
  • The system identifies the existing firewall classification.
  • The single FedRAMP Moderate SKU is changed to reflect an additional 15% charge for the new subscription.
  • Your profile is updated to reflect the new subscription that includes the FedRAMP Moderate charge.
Renewal/Add-ons for Existing Customers
In this scenario, during the fulfillment process:
  • You currently have AWF, DLP or SaaS inline subscriptions.
  • At renewal, or when you add any additional subscriptions, the firewall follows a new fulfillment process where the subscription must specify either FedRAMP Moderate, FedRAMP High, or commercial. Mixed environments are not supported.

Troubleshooting

Palo Alto Networks validates the authorization code when you activate a single SKU license for devices you intend to use in a FedRAMP Moderate environment. When you activate a license (using the Customer Support Portal, the Hub, or an NGFW), the following scenarios occur depending on whether you are a new customer or an existing customer.
New Customers
The following scenarios apply to new customers, and only to those who purchase a la carte subscriptions, specifically ATP, AURL, AWF, ADNS, Device Security, DLP, SaaS-Inline, SCM Pro, and IoT Enterprise. They do not apply to ASDWAN and Prisma Access Agent:
  • First license activation. When you activate a license from one of the supported CDSS options, no validation is required. The first activation can be for commercial or FedRAMP.
  • Subsequent license activation. If you attempt to activate a license after the first activation has already been completed, an error message appears in the CSP, the Hub, or the NGFW where you attempted to activate.
  • Scenario 1. If you already activated a FedRAMP Moderate license on an NGFW and attempt to activate a subsequent commercial license from the list of supported CDSSs, an error message appears:
Auth code {auth code} cannot be activated because there is already a FedRamp Moderate license activated on your Device {Serial Number}.
  • Scenario 2. If you already have a commercial license activated on an NGFW and attempt to activate a subsequent FedRAMP Moderate or FedRAMP High license from the list of CDSSs, an error message appears:
Auth code {auth code} cannot be activated because there is already a commercial license activated on your Device {Serial Number}.
  • Scenario 3. If you already have a FedRAMP High license activated on an NGFW and you attempt to activate a subsequent FedRAMP Moderate license or a commercial license from the list of CDSSs, an error message appears:
Auth code {auth code} cannot be activated because there is already a FedRamp High license activated on your Device {Serial Number}.
Existing Customers
If you are an existing Palo Alto Networks customer transitioning from a commercial to a FedRAMP Moderate license, no action is required. The licensing paradigm automatically updates your commercial license with the FedRAMP Moderate license during the order fulfillment process.