What FedRAMP actually is — and who has to care
FedRAMP (Federal Risk and Authorization Management Program) is the US government's standardized approach to security assessment, authorization, and continuous monitoring for cloud services. If you want to sell a cloud-based product to US federal agencies, you almost certainly need FedRAMP authorization. It's not optional — the OMB M-11-11 memo directed agencies to use only FedRAMP-authorized cloud services where available, and most agency contracting officers enforce this.
The program is managed by the FedRAMP Program Management Office (PMO) within GSA, with oversight from NIST, DHS, and DoD. It's built on NIST SP 800-53 Rev 5 control families — the same controls used across federal cybersecurity — but with specific FedRAMP overlays, templates, and testing requirements.
Who needs to care: any SaaS, PaaS, or IaaS company selling to US federal civilian agencies or DoD, or serving as a subcontractor to a prime that holds federal contracts.
The three impact levels — and how they determine your compliance burden
FedRAMP uses NIST FIPS 199 information impact levels to categorize cloud service offerings (CSOs). The impact level you need determines how many controls you must implement and how rigorous the assessment will be.
| Impact Level | Controls Required | Typical Use Cases | Timeline to ATO | 3PAO Assessment Cost |
|---|---|---|---|---|
| Low | ~125 controls | Public information, no PII, low-sensitivity government data | 12–18 months | $80K–$180K |
| Moderate | ~325 controls | Most civilian agency use cases — CUI, PII, financial data, healthcare | 18–24 months | $200K–$500K |
| High | ~421 controls | Law enforcement, intelligence-adjacent, critical infrastructure, healthcare at scale | 24–36 months | $400K–$800K |
The vast majority of commercial SaaS selling to civilian agencies targets FedRAMP Moderate. If your agency customer processes PII, financial records, or any Controlled Unclassified Information (CUI), assume Moderate. If you're selling to DoD and your data has operational significance, you may be looking at High or DoD IL4/IL5 instead of (or in addition to) FedRAMP.
Agency ATO vs JAB P-ATO — the two paths to authorization
This is the decision that trips up most CSPs new to FedRAMP. There are two authorization paths:
Agency Authorization (Agency ATO)
In the Agency ATO path, a specific federal agency acts as your sponsor and Authorizing Official (AO). They review your System Security Plan (SSP), engage a Third-Party Assessment Organization (3PAO) to assess your controls, and issue an Authority to Operate (ATO) decision. Once you have an Agency ATO and it's listed in the FedRAMP Marketplace, other agencies can reuse the authorization — but they don't have to. Some agencies will do their own review before accepting it.
Pros: Faster timeline. More flexibility on scoping. Agency partnership helps shape requirements. Usually cheaper in total.
Cons: Requires finding an agency sponsor willing to commit resources. Authorization scope and rigor vary by agency. Some agencies' ATOs carry less weight with other agencies than a JAB P-ATO does.
How to get a sponsor: This is the practical challenge. You need an agency that (a) wants to use your product and (b) has security resources to manage the ATO process. Start with your warmest federal relationship — a paying or pilot agency customer is ideal. The FedRAMP PMO also has a liaison program to help match CSPs with agency sponsors.
JAB Provisional Authorization (P-ATO)
The Joint Authorization Board consists of the CIOs of DoD, DHS, and GSA. A JAB P-ATO is government-wide — once issued, any agency can accept it. The FedRAMP PMO prioritizes which CSPs get a JAB P-ATO slot based on demand signals from agencies.
Pros: Government-wide recognition. Higher credibility signal. No individual agency sponsor needed.
Cons: Much harder to get a JAB slot — PMO prioritizes CSPs with demonstrated government demand. Longer timeline. More prescriptive process. JAB reserves the right to withdraw the P-ATO if ConMon lapses.
Reality check: For most SaaS startups new to federal, Agency ATO is the right starting point. Go Agency first, then pursue JAB once you have revenue and demonstrated demand.
The System Security Plan (SSP) — your main deliverable
The SSP is the foundation of your FedRAMP authorization package. It's a comprehensive document — typically 600+ pages for Moderate — that describes your system, its authorization boundary, and how every required control is implemented. The FedRAMP PMO provides a standard SSP template at fedramp.gov/documents-templates/.
Key SSP sections:
- System Description: What the system does, the service model (SaaS/PaaS/IaaS), system owner, ISSO contact
- Authorization Boundary: What's in scope. Critical for SaaS — must include the underlying cloud infrastructure (AWS/Azure/GCP), any FedRAMP-authorized services whose controls you inherit, and all system components
- System Architecture and Network Diagrams: Must accurately reflect the live environment
- Data Flow Diagrams: Show all federal data flows, encryption points, and external connections
- FIPS 199 Categorization: Your impact level determination
- Control Implementation Statements: For every required control, describe exactly how it's implemented in your system. This is the bulk of the SSP
- Interconnections: All external systems your CSO connects to
- System Inventory: All hardware, software, and cloud service components
The SSP is a living document — it must be kept current throughout your continuous monitoring (ConMon) phase. Plan for at least 6–12 months of internal effort to build it, or $80K–$200K if you engage a consultant to write it.
FIPS 140-2/3 validated encryption — the hard requirement most CSPs miss
One of the most common early blockers for FedRAMP Moderate and High is the FIPS 140-2/3 encryption requirement. FedRAMP requires that all cryptographic modules used to protect federal data be validated under FIPS 140-2 or FIPS 140-3 — validation attaches to the specific module (the library build and version), not to the algorithm it implements.
What this means in practice: you can't just use AES-256 or TLS 1.3 and assume you're compliant. The specific OpenSSL version, Go crypto library, or Java JCE implementation you use must itself be FIPS 140-validated. The NIST CMVP maintains the validated modules list at csrc.nist.gov/projects/cryptographic-module-validation-program.
For most cloud-native SaaS running on AWS, Azure, or GCP government regions, the cloud provider's FIPS-validated endpoints handle most of this — but you need to verify. AWS GovCloud and Azure Government have specific FIPS-compliant configurations you must enable, not just assume.
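As an added example (not from this page or the FedRAMP PMO), a Python check that gathers the runtime evidence of FIPS mode on a Linux host: the kernel switch, the OpenSSL version Python was linked against, and whether the process refuses MD5 for security use, which is the observable behaviour of OpenSSL in FIPS mode. It assumes a Linux host and a CPython build whose hashlib is backed by OpenSSL; the probes are heuristics, and the CMVP certificate for the exact module version remains the authoritative evidence.

```python
"""Runtime FIPS-mode evidence for a Linux host (constructed example).

A CMVP certificate for the exact module build is the authoritative proof; these
probes only show that the host and this process are operating in FIPS mode.
"""
import hashlib
import ssl
from pathlib import Path
from typing import Optional

# Linux kernel-wide FIPS switch; absent on non-Linux hosts and in some containers.
KERNEL_FLAG = Path("/proc/sys/crypto/fips_enabled")

def parse_fips_flag(raw: Optional[str]) -> Optional[bool]:
    """Interpret the sysctl text: '1' -> True, '0' -> False, missing -> None."""
    if raw is None:
        return None
    return raw.strip() == "1"

def kernel_fips_enabled() -> Optional[bool]:
    try:
        return parse_fips_flag(KERNEL_FLAG.read_text())
    except OSError:
        return None

def process_rejects_md5() -> bool:
    """Heuristic: OpenSSL in FIPS mode makes hashlib refuse MD5 for security use."""
    try:
        hashlib.md5(b"probe", usedforsecurity=True)
        return False
    except ValueError:
        return True

def fips_posture() -> dict:
    """Collect the evidence a 3PAO would ask for, with a conservative verdict."""
    evidence = {
        "openssl_version": ssl.OPENSSL_VERSION,
        # OpenSSL's FIPS 140-3 validated module is a 3.x provider (not meaningful for LibreSSL).
        "openssl_3x": ssl.OPENSSL_VERSION_INFO[0] >= 3,
        "kernel_fips": kernel_fips_enabled(),
        "md5_rejected": process_rejects_md5(),
    }
    # Claim FIPS mode only when the kernel switch and the process behaviour agree;
    # any other combination is a finding to investigate before the 3PAO arrives.
    evidence["fips_mode_likely"] = evidence["kernel_fips"] is True and evidence["md5_rejected"]
    return evidence
```

Run fips_posture() on every host inside the authorization boundary; a False or None kernel_fips on a host that handles federal data is a gap to close before the assessment, and the provider's FIPS endpoints do not cover crypto your own code performs.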
Selecting a 3PAO — the independent assessor you can't skip
A Third-Party Assessment Organization (3PAO) is the accredited independent firm that performs the security assessment of your CSO. You cannot self-assess for FedRAMP — a 3PAO is mandatory. HITRUST, SOC 2, and other frameworks allow self-attestation in some cases; FedRAMP does not.
FedRAMP-recognized 3PAOs are listed at marketplace.fedramp.gov under the assessors section. Selection criteria:
- Impact level experience: Ask how many Moderate or High assessments they've done
- Your service model: SaaS, PaaS, or IaaS — different assessment approaches
- Timeline availability: Good 3PAOs are booked months out
- Price and scope transparency: Get a fixed-price engagement rather than time-and-materials (T&M) where possible
3PAO assessment timeline: kickoff to Security Assessment Report (SAR) delivery is typically 3–6 months. Before engaging a 3PAO, your control implementation should be complete or nearly so — don't bring in a 3PAO to discover gaps. Use a readiness assessment or gap assessment first.
Cost ranges: FedRAMP Low 3PAO fees run $80K–$180K; Moderate $200K–$500K; High $400K–$800K. Internal staffing adds 1–2 FTE ISSO/compliance roles during assessment (at $120K–$180K/year each).
Continuous Monitoring (ConMon) — the ongoing obligation after ATO
Getting the ATO is not the end — it's the start of continuous monitoring obligations. FedRAMP ConMon requirements include:
- Monthly: Vulnerability scans of operating systems, databases, and web applications. Results uploaded to the agency AO or FedRAMP PMO (for JAB P-ATOs, to the secure repository)
- Monthly: POA&M (Plan of Action & Milestones) updates with status of all open findings
- Annual: Full penetration test; security assessment update; POA&M review
- Event-triggered: Significant change notification to AO before implementation; incident reports within 1 hour to US-CERT (cisa.gov/report)
ConMon is where CSPs most commonly fail to maintain authorization. Scan gaps, delayed POA&M updates, and unreported significant changes are the top reasons agencies revoke or suspend ATOs. Budget $100K–$200K/year for ongoing ConMon — staff, scanning tools, and external pen test.
Authorization roadmap — a realistic timeline for FedRAMP Moderate
| Phase | Timeline | Key Activities |
|---|---|---|
| 0 — Pre-Authorization | Months 1–3 | Scope boundary, draft SSP, remediate critical control gaps (MFA, FIPS encryption, account management, logging), engage agency sponsor |
| 1 — Readiness Assessment | Months 3–6 | FedRAMP Ready status (optional but recommended), 3PAO readiness review, finalize SSP and supporting docs |
| 2 — 3PAO Assessment | Months 6–12 | 3PAO testing (documentation review, interviews, technical testing), SAR development, remediation of findings |
| 3 — Package Review | Months 12–18 | Authorization package submitted to AO (or JAB), AO review, back-and-forth on findings |
| 4 — ATO & ConMon | Month 18+ | ATO issued, FedRAMP Marketplace listing, ConMon programme operational |
These timelines assume you start with reasonably mature security controls. If you're starting with no security programme at all, add 6–12 months of foundational work before Phase 0.
Control mapping from existing frameworks
If you already have SOC 2 Type II, ISO 27001, or NIST CSF in place, you have meaningful overlap with FedRAMP Moderate requirements. The control mapping isn't perfect, but it's substantial:
- SOC 2 Type II: CC6 (Logical Access) ↔ FedRAMP AC family; CC7 (System Operations) ↔ AU, SI, IR families; CC8 (Change Management) ↔ CM family. SOC 2 doesn't require FIPS crypto or FISMA-specific controls — that's the main gap
- ISO 27001: Strong mapping to AC, AU, CM, IA control families. ISO 27001 certification substantially reduces 3PAO documentation work in those areas
- NIST CSF 2.0: Direct mapping to SP 800-53 since CSF was derived from it. The CSF Identify, Protect, Detect, Respond, and Recover (ID/PR/DE/RS/RC) functions map directly to the FedRAMP RA, SI, IR, and CP families
Don't start from scratch if you have existing certifications — map your existing evidence to FedRAMP control requirements and identify the gaps. It's faster and cheaper than rebuilding.
Key resources to start
- fedramp.gov — official templates, guidance, and the CSP authorization guide
- marketplace.fedramp.gov — authorized services and 3PAO list
- FedRAMP Readiness Assessment Report (RAR) template — fedramp.gov/documents-templates/
- NIST SP 800-53 Rev 5 — csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- info@fedramp.gov — PMO contact for CSP questions
For a structured assessment of your current FedRAMP readiness across all key control families, use the FedRAMP Authorization Roadmap Generator. For your NIST 800-171/CMMC assessment if you also have DoD contracts, use the NIST 800-171/CMMC 2.0 Assessment Generator. For incident response planning (required for ConMon), use the Incident Response Plan Generator.