Federal Risk and Authorization Management Program (FedRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that standardizes security assessments, authorizations, and continuous monitoring for cloud products and services used by federal agencies. FedRAMP provides a cost-efficient, risk-based approach for the adoption of cloud services by establishing baseline security requirements derived from NIST SP 800-53.

What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by the federal government. Introduced in 2011 and enacted into law in December 2022 as part of the FedRAMP Authorization Act, the program ensures that cloud service providers (CSPs) meet consistent security requirements regardless of which federal agency uses their services.

FedRAMP Authorization Levels

FedRAMP defines three authorization baselines based on the potential impact of a security breach:

  • FedRAMP Low: For systems where the loss of confidentiality, integrity, or availability would have a limited adverse effect. Requires approximately 125 security controls.
  • FedRAMP Moderate: The most common baseline, covering systems where a breach could have a serious adverse effect. Requires approximately 325 security controls.
  • FedRAMP High: For the most sensitive unclassified government workloads where a breach could have a severe or catastrophic effect. Requires approximately 421 security controls.

The FedRAMP Authorization Process

Cloud service providers pursue FedRAMP authorization through one of two paths. The Joint Authorization Board (JAB) path involves review by representatives from DoD, DHS, and GSA and results in a Provisional Authorization to Operate (P-ATO) that any agency can leverage. The Agency path involves working directly with a sponsoring federal agency. Both paths require assessment by an accredited Third-Party Assessment Organization (3PAO) and result in a security authorization package that is listed on the FedRAMP Marketplace.

FedRAMP and CMMC

FedRAMP and CMMC serve related but different purposes. FedRAMP authorizes cloud services for government use, while CMMC certifies contractor cybersecurity practices. Defense contractors that use cloud services to handle Controlled Unclassified Information (CUI) often need both: their cloud environment should meet FedRAMP requirements (or an equivalent, such as Microsoft GCC High), and their organization must achieve CMMC Level 2 certification. The NIST SP 800-53 controls used in FedRAMP overlap significantly with the NIST SP 800-171 controls required by CMMC.

FedRAMP 20x

FedRAMP 20x represents the program’s modernization initiative aimed at accelerating the authorization process, reducing the time and cost for cloud service providers to achieve authorization, and leveraging automation for continuous monitoring. FedRAMP 20x introduces community-driven working groups, automated security validation, and streamlined documentation requirements while maintaining the security rigor that agencies depend on.