
Navigating the FedRAMP Authorization Process


If you're a cloud service provider (CSP) looking to work with federal agencies, getting FedRAMP authorized is a must. The Federal Risk and Authorization Management Program (FedRAMP) is the U.S. government’s standardized approach to assessing and monitoring the security of cloud products and services. Federal agencies are required to use FedRAMP-authorized cloud services, so without an authorization your service cannot be used to store or process federal data.

In 2025, the program rolled out a major overhaul called FedRAMP 20x. It introduced a single, streamlined path to authorization and laid the groundwork for a more modern, scalable compliance framework. This article breaks down the current FedRAMP process into clear, actionable steps so you can understand what's involved, how long it might take, and how to set your offering up for success.

The FedRAMP authorization process in 2025

The FedRAMP process is how cloud providers demonstrate that their service meets the federal government’s cybersecurity standards. The end goal is to receive an Authority to Operate (ATO), which means a federal agency has officially approved your cloud service for use in their environment.

Today, all new authorizations follow the agency authorization path. This means you must work with a federal agency that agrees to sponsor your product through the FedRAMP process. The Joint Authorization Board (JAB) no longer issues authorizations; the FedRAMP Board now sets policy and direction, and the FedRAMP Program Management Office (PMO) administers the program.

Types of FedRAMP authorization

FedRAMP authorizations are categorized based on the sensitivity and risk level of the data the cloud service will handle. There are three main impact levels:

  • FedRAMP Low: For information systems that process data intended for public access. These have fewer control requirements and lower risk.
  • FedRAMP Moderate: For information systems handling Controlled Unclassified Information (CUI), which is the most common category. Most CSPs pursuing FedRAMP target this level.
  • FedRAMP High: For information systems that process high-impact data, such as law enforcement, financial, or health information. This level has the most stringent requirements.

In 2025, FedRAMP launched the FedRAMP 20x Phase One pilot to test a faster path to Low authorization. This pilot introduces a reduced set of Key Security Indicators (KSIs) in place of the full FedRAMP Rev. 5 baseline controls and uses machine-readable assessments to simplify the process. Successful participants receive a 12-month Low authorization and may be prioritized for Moderate authorization in future phases.

The pilot is open to any CSP and is an ideal opportunity for startups or growth-stage companies looking to break into the federal market with a smaller upfront investment.

Step-by-step: How to get FedRAMP authorized

The FedRAMP assessment process is designed to ensure that cloud services used by federal agencies meet strict security and compliance requirements. While the path to authorization can take over a year, understanding each phase of the journey can help you avoid delays and move forward with confidence. Whether you're aiming for FedRAMP Low, Moderate, or High, the process follows the same general structure—starting with preparation and ending with continuous monitoring. The new FedRAMP 20x pilot even offers an accelerated option for providers pursuing Low authorization.

Step 1: Secure an agency partner (or pursue FedRAMP Ready)

The first step in the process depends on your entry point. Most CSPs begin by identifying a federal agency willing to sponsor their authorization. Once a sponsor is secured, you can formally initiate the FedRAMP process by submitting an In Process Request to the FedRAMP Program Management Office (PMO), along with:

  • A Work Breakdown Structure (WBS) showing your project timeline
  • Confirmation that the system is fully operational and ready for assessment
  • A completed FedRAMP CSP Information Form

The PMO then holds a kickoff meeting with the agency, your 3PAO, and your internal team to confirm scope, roles, and schedule.

Your Marketplace listing will then be updated to show your FedRAMP In Process status.

Alternatively, if you do not yet have an agency sponsor, you can pursue FedRAMP Ready status by working with a 3PAO to complete a Readiness Assessment Report (RAR). This optional but valuable step evaluates your alignment with the FedRAMP baseline and helps identify gaps in your current security posture. If your system meets the baseline requirements, your 3PAO submits the RAR to the PMO, which may grant the FedRAMP Ready designation. That designation signals to potential agency sponsors that your offering is well prepared.

Step 2: Conduct the security assessment

With your agency sponsor and 3PAO in place, the next phase is the full security assessment. This step is where your cloud system undergoes rigorous testing to validate its security posture.

First, your 3PAO will develop a Security Assessment Plan (SAP), which outlines the scope of the assessment, the methodologies to be used, and the schedule for execution. This plan is based on FedRAMP’s requirements and must be agreed upon by all parties.

Next comes the assessment itself. Your 3PAO will test your system against the applicable FedRAMP controls. This includes penetration testing, vulnerability scanning, configuration checks, and evaluating the implementation of critical security safeguards like access control and encryption.

The results of the assessment are documented in a Security Assessment Report (SAR). This report highlights any findings or deficiencies and provides recommendations for remediation. Based on the SAR, you'll update your Plan of Action and Milestones (POA&M), detailing how and when you will address any risks.

These documents, along with your finalized System Security Plan (SSP), are bundled into a complete Security Authorization Package for submission to the sponsoring agency.

Step 3: Agency review and ATO decision

The sponsoring agency then reviews your security package to determine whether your cloud service meets their risk tolerance. They may request additional documentation or remediation efforts before moving forward.

If the agency accepts the risks outlined in the SAR and POA&M, they will issue an Authority to Operate (ATO). At this point, your listing on the FedRAMP Marketplace will be updated to reflect your FedRAMP Authorized status. Other government agencies can then reuse your authorization, significantly expanding your federal market opportunities.

Step 4: Maintain FedRAMP compliance

FedRAMP authorization isn’t a one-time event. To remain in good standing, you must actively maintain compliance through continuous monitoring.

Each month, you’ll need to submit vulnerability scan results, POA&M updates, and other information security documentation through the FedRAMP secure repository. You’ll also conduct annual security assessments with your 3PAO and notify your sponsoring agency and the FedRAMP PMO of any significant changes to the system that could affect its security posture before making them.

Keeping your POA&M current and accurate is essential. It serves as a living document that reflects your ongoing risk management efforts.
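In practice, the monthly continuous-monitoring deliverables above turn into a reconciliation problem: every open scan finding needs a POA&M entry, and every entry needs a completion date inside its remediation window. The following script, added as an example for this article and not Secureframe's code or a FedRAMP-provided tool, reconciles a constructed scan export against a constructed POA&M. The scan CSV layout and the POA&M dictionary are assumptions made for the example, and the 30/90/180-day windows for high/moderate/low findings follow FedRAMP continuous-monitoring guidance rather than anything stated on this page, so confirm them against the current guidance for your authorization level.

```python
"""Reconcile monthly vulnerability scan results against a POA&M.

Added example for this article; not Secureframe code or a FedRAMP tool.
The scan export format and the POA&M layout are constructed for the example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows counted from the date a vulnerability was discovered.
# These follow FedRAMP continuous-monitoring guidance (30/90/180 days for
# high/moderate/low). The article does not state them, so treat them as an
# assumption and verify against the current guidance before relying on them.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str            # "high", "moderate", or "low"
    discovered: date
    closed: Optional[date]   # None while the finding is still open


def parse_scan_csv(text: str) -> list:
    """Parse a constructed scan export with columns id,asset,severity,discovered,closed."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in REMEDIATION_DAYS:
            raise ValueError(f"unknown severity {row['severity']!r} in {row['id']}")
        closed = row["closed"].strip()
        findings.append(Finding(
            finding_id=row["id"].strip(),
            asset=row["asset"].strip(),
            severity=sev,
            discovered=date.fromisoformat(row["discovered"].strip()),
            closed=date.fromisoformat(closed) if closed else None,
        ))
    return findings


def remediation_deadline(f: Finding) -> date:
    """Last day on which the finding can be closed inside its window."""
    return f.discovered + timedelta(days=REMEDIATION_DAYS[f.severity])


def reconcile(findings: list, poam: dict, as_of: date) -> dict:
    """Compare scan findings with POA&M entries (finding id -> scheduled completion).

    untracked:      open finding with no POA&M entry
    overdue:        open finding whose window has already passed as of `as_of`
    scheduled_late: POA&M completion date falls after the remediation window
    closed_late:    finding closed after its window (reportable history)
    """
    report = {"untracked": [], "overdue": [], "scheduled_late": [], "closed_late": []}
    for f in findings:
        deadline = remediation_deadline(f)
        if f.closed is not None:
            if f.closed > deadline:
                report["closed_late"].append(f.finding_id)
            continue
        if f.finding_id not in poam:
            report["untracked"].append(f.finding_id)
        elif poam[f.finding_id] > deadline:
            report["scheduled_late"].append(f.finding_id)
        if as_of > deadline:
            report["overdue"].append(f.finding_id)
    return report


# Constructed sample data for the example; not real scan output.
SCAN_CSV = """id,asset,severity,discovered,closed
V-1001,web-01,high,2025-05-01,
V-1002,web-01,moderate,2025-03-15,
V-1003,db-01,low,2025-01-10,
V-1004,api-02,high,2025-04-01,2025-05-20
V-1005,api-02,moderate,2025-05-20,
"""
POAM = {
    "V-1001": date(2025, 5, 28),  # inside the 30-day window (deadline 2025-05-31)
    "V-1002": date(2025, 7, 1),   # after the 90-day window (deadline 2025-06-13)
    "V-1005": date(2025, 8, 1),   # inside the 90-day window (deadline 2025-08-18)
}
AS_OF = date(2025, 6, 1)


def run_example() -> dict:
    return reconcile(parse_scan_csv(SCAN_CSV), POAM, AS_OF)


if __name__ == "__main__":
    for category, ids in run_example().items():
        print(f"{category}: {', '.join(ids) or '-'}")
```

Anything in `scheduled_late` or `overdue` is what an agency reviewer will ask about first, so those findings need either a remediation date brought inside the window or a documented deviation request (risk adjustment, false positive, or operational requirement) attached to the POA&M entry rather than a silently slipping date.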

What’s changing under FedRAMP 20x?

FedRAMP 20x is modernizing the program with a focus on automation, standardization, and a better customer experience. Key updates include:

  • A single agency path for new authorizations
  • The FedRAMP Board (not the JAB) now sets policy and direction
  • Emphasis on machine-readable documentation and API-driven workflows
  • More flexible change management and risk-based decision making

The goal is to make the FedRAMP process faster, more transparent, and better aligned with modern cloud service delivery.

FedRAMP Compliance Checklist

This step-by-step checklist will walk you through the process of preparing for FedRAMP authorization. Please note that it aligns with the existing Agency Authorization path based on FedRAMP Rev. 5 baselines, which will remain the only active path to FedRAMP authorization until other paths are finalized under FedRAMP 20x.

How long does the FedRAMP authorization process take?

Under the legacy model, FedRAMP authorization typically takes 12 to 18 months. The process involves several manual steps, extensive documentation, and multiple rounds of review and remediation. Timelines can vary based on the complexity of your system, your internal readiness, and how quickly you can coordinate with your agency sponsor and 3PAO.

Here’s a rough breakdown:

FedRAMP 20x is designed to dramatically reduce the time to authorization by shifting from point-in-time assessments to real-time security reporting, automated evidence collection, and agency dashboard reviews. The new model emphasizes continuous compliance and aims to cut red tape and accelerate access to the federal market.

If you are participating in the FedRAMP 20x Phase One Pilot, authorization may be possible in as little as 3 to 6 months, depending on how quickly you can meet the new Key Security Indicator (KSI) requirements and integrate automated reporting tools.

The FedRAMP PMO has stated a goal of bringing future Moderate-level authorizations down to under 2 weeks once the program is fully rolled out. Key factors influencing 20x timelines include:

  • Level of FedRAMP authorization (Low, Moderate, or High)
  • Your system’s readiness to support automated, real-time security reporting
  • Agency familiarity and comfort with the 20x model
  • Your ability to map to KSIs and integrate API-based evidence collection

Get FedRAMP ready faster with Secureframe

Achieving FedRAMP compliance is a rigorous process that demands substantial time and resources. You'll need to perform a gap analysis and readiness assessment, establish your baseline and authorization boundary, implement the appropriate NIST 800-53 controls, and gather all necessary documentation and evidence for your 3PAO. Even after you’ve been authorized, maintaining compliance requires ongoing assessments and continuous monitoring.

While there are strict requirements around using non-FedRAMP-authorized vendors and keeping federal data and metadata within your authorization boundary, automation can significantly reduce the time and effort needed to manage manual compliance tasks.

That’s why organizations trust Secureframe as their partner for achieving and maintaining FedRAMP and other federal frameworks. Here’s what sets us apart:

  • Federal compliance solution: Our platform is tailored to the unique needs of federal contractors, with SSP, POA&M, and SPRS score generation, federal cloud integrations, and out-of-the-box support for CMMC and the FedRAMP KSI framework.
  • Expertise in federal compliance: Our team includes former FISMA, FedRAMP, and CMMC auditors who provide hands-on guidance throughout the process.
  • Seamless integrations: Secureframe connects with AWS GovCloud and other federal cloud products to automatically collect evidence, track changes, and flag issues.
  • 3PAO partnerships: We work closely with top accredited assessors like Coalfire Federal to make your FedRAMP audit as efficient as possible.

Want to see how we can streamline your FedRAMP journey? Schedule a demo with a product expert today.
