This is a draft of security controls the GSA will require for cloud-computer systems purchased by federal agencies for "high-impact" uses. High-impact data will likely consist of health and law-enforcement data, but not classified information. Cloud computing vendors seeking to sell to federal agencies currently must get security accreditation through FedRAMP. To date, FedRAMP has offered accreditations up to the "moderate-impact" level. About 80% of federal IT systems are low- and moderate-impact.