FedRAMP Requirements: What They Are For Each Baseline + Checklist

If you're a cloud service provider (CSP) looking to work with the U.S. federal government, understanding FedRAMP requirements is a critical first step. FedRAMP sets rigorous security standards for cloud products and services used by federal agencies, and meeting these requirements is essential to achieving and maintaining a FedRAMP authorization.

But what exactly are the FedRAMP requirements? What documentation is needed? Which security controls apply to your system? And how do you get started?

This guide answers those questions and more.

What are FedRAMP requirements?

FedRAMP requirements refer to the combination of security controls, documentation, and processes a cloud service provider must implement and maintain to receive an Authority to Operate (ATO), a designation that their cloud product or service meets the rigorous security standards required for federal use.

These requirements are based on:

  • FIPS 199 impact categorization, used to determine the baseline (Low, Li-SaaS, Moderate, High)
  • NIST SP 800-53 Rev. 5 security controls, tailored to match the impact level of the system (Low, Moderate, or High) and baseline
  • A suite of documentation, including a System Security Plan (SSP) with over a dozen appendices or attachments, including a Plan of Action and Milestones (POA&M) and security policies and procedures
  • Third Party Assessment Organization (3PAO) audits, which validate that required controls are implemented and functioning

Before we walk through the steps required to meet FedRAMP requirements, let’s take a quick look at how requirements differ by a system’s impact level and baseline.

FedRAMP Requirements for High, Moderate, Low & Li-SaaS Baselines

While FedRAMP has a core set of requirements—implementation of NIST-based security controls, submission of the SSP and relevant policies and procedures, ongoing continuous monitoring—the scope and rigor of these requirements varies according to the system’s impact level and baseline.

Below we’ll provide a brief overview of the difference in requirements by baseline. For a detailed breakdown, see our articles on FedRAMP Low, FedRAMP Moderate, and FedRAMP High, linked below.

Note: The total number of controls for the Li-SaaS, Low, Moderate, and High baselines are taken from the FedRAMP Security Controls Template linked in the latest FedRAMP® CSP Authorization Playbook. The total number of controls for the Low 20x baseline is taken from the FedRAMP 20x Standards and Docs available on fedramp.gov.

FedRAMP High requirements

Cloud service offerings (CSOs) at the High baseline must meet the most stringent requirements in the FedRAMP framework. This level is designed for systems supporting critical government operations where a breach could result in catastrophic harm, including threats to human life, financial ruin, or mission failure. To prevent these catastrophic adverse effects, the High baseline requires a significant investment of time, resources, and effort.

Key requirements are:

  • Controls: CSPs must implement 410 controls spanning 17 control families. This extensive control set includes robust technical safeguards, rigorous procedural oversight, and advanced monitoring capabilities. In particular, families like Contingency Planning, Incident Response, and System and Communications Protection are heavily represented.
  • Documentation: The SSP and all 17 appendices are mandatory, with extensive detail expected for each control. The documentation burden is significant, as it includes policies and procedures in addition to the SSP, and must reflect both the depth and maturity of control implementation.
  • Continuous Monitoring: FedRAMP High imposes the most demanding ongoing obligations, with monthly scanning and continuous monitoring deliverables, semiannual IRP testing, and annual activities such as red team penetration testing and static code analysis. These ensure ongoing operational security and alignment with evolving threat landscapes.

FedRAMP Moderate requirements

The Moderate baseline is the most widely used FedRAMP level. It applies to systems where compromise could result in serious—not catastrophic—adverse effects, such as financial loss, mission disruption, or significant harm to individuals or agency assets.

Key requirements are:

  • Controls: CSPs must implement 323 controls spanning the 17 control families. While this includes many of the same controls as FedRAMP High, the number and complexity of controls and control enhancements is reduced. Since fewer controls require extensive testing or advanced analysis, the technical burden is lower—although still rigorous.
  • Documentation: Like High, the SSP and all 17 appendices must be completed, including policies and procedures for all control families. However, because the baseline of controls is slightly less comprehensive, the documentation effort is also moderately lighter.
  • Continuous Monitoring: Continuous monitoring requirements are similarly stringent to the High baseline, and include monthly updates and annual activities like penetration testing, vulnerability scanning, and contingency/IRP testing. Red team testing and code analysis are still required but typically on a more manageable scale than at the High baseline.

FedRAMP Low requirements

Since FedRAMP Low is designed for systems where the potential impact of a security breach is minimal, this baseline is not as rigorous as the higher baselines. These CSOs are typically public-facing, non-critical systems such as informational websites or productivity tools that don’t handle sensitive government data, so this baseline is designed to reduce the operational burden of authorization.

  • Controls: The Low baseline includes 156 controls, offering a foundational but still comprehensive level of protection that reduces the lift for providers.
  • Documentation: While the full SSP and all 17 appendices are still required, the implementation detail can often be simpler and more straightforward, particularly for smaller or lower-risk systems.
  • Continuous Monitoring: CSPs must conduct monthly scans and submit required updates for their POA&M and other documents. Annual penetration testing is required, but tabletop testing for contingency planning only needs to occur every three years, and IRP testing is not required, making this the least demanding of the traditional baselines.

FedRAMP LI-SaaS requirements

The LI-SaaS baseline is a streamlined variant of the Low baseline, intended specifically for SaaS providers whose systems operate entirely in the cloud and handle only minimal login-related PII (e.g., usernames and email addresses). It’s designed to make FedRAMP accessible to modern SaaS vendors without compromising core security expectations.

Key requirements are:

  • Controls: Only 45 to 65 controls must be formally documented and assessed, depending on whether conditional controls apply. An additional 75 to 95 controls must be attested to but do not require documentation or independent assessment. This tailored approach allows CSPs to focus on the controls most relevant to their operational footprint.
  • Documentation: The SSP is required, but only 11 of the 17 appendices are needed. This significantly reduces the administrative burden while still ensuring key practices like access control, incident response, and system integrity are documented.
  • Continuous Monitoring: Monthly scanning and annual penetration testing are still expected, ensuring baseline-level security hygiene. However, activities such as red team exercises, static code analysis, and contingency and IRP testing are not required due to the lower risk profile of LI-SaaS systems.

FedRAMP 20x baseline requirements

FedRAMP 20x is a new authorization path that’s being tested in pilot programs to make the FedRAMP process faster, more scalable, and more aligned with modern cloud-native technologies. It focuses on automation, reuse, and continuous validation rather than static, one-time documentation.

Currently in Phase One of the pilot, FedRAMP 20x is being used to authorize Low baseline systems that might otherwise be constrained by the traditional FedRAMP process due to complexity, size, or cost.
Requirements for this pathway won’t be finalized until the FedRAMP PMO has completed the review of all submissions for the FedRAMP 20x Phase One Pilot (20xP1 pilot), but here’s a general overview of the requirements:

  • Controls: Participants must implement 51 controls to demonstrate that their system adheres to a set of Key Security Indicators (KSIs), rather than the traditional Low Baseline requirements or a subset of those requirements (like the LI-SaaS baseline).
  • Documentation: Rather than requiring these CSPs to fill out the FedRAMP SSP template, 20xP1 pilot participants can present evidence in flexible, machine-readable formats that support real-time validation. The PMO is evaluating different formats submitted by pilot participants to eventually define a future standard.
  • Continuous Monitoring: The FedRAMP 20x pilot requires continuous monitoring, regular reporting, and ongoing authorization to maintain 20x Low authorization. The PMO is still evaluating what those requirements and deliverables will be. Monthly scans and penetration testing may still be required, but greater flexibility is expected in how evidence is delivered and validated.

The table below provides a more detailed breakdown of how the control, documentation, and continuous monitoring requirements vary by baseline.

FedRAMP requirements checklist for CSPs

Whichever impact level and baseline applies to your CSO, FedRAMP compliance requires some key steps, including:

  • Implementing baseline security controls
  • Documenting your control environment, including in the following:
      • System Security Plan (SSP)
      • Policies and procedures
      • Network diagram
      • Plan of Action & Milestones (POA&Ms)
  • Undergoing an independent assessment, and
  • Continuously monitoring your system.

Let’s break these steps down in more detail below.

1. Implement baseline security controls

FedRAMP draws from 17 control families in the NIST 800-53 catalog to establish minimum control baselines for Low, Moderate, and High-impact systems. The number of controls increases as the risk level increases:

  • Low baseline: 157 controls
  • Low 20x baseline: 51 controls
  • Li-SaaS baseline: A subset of the Low baseline controls, requiring 45-65 controls to be documented and assessed and up to 95 attested to
  • Moderate baseline: 325 controls
  • High baseline: 421 controls

After identifying your impact level, you must implement all required controls for your baseline (or document, assess, and attest to the required controls for the Li-SaaS baseline) and explain any exceptions in your documentation.

2. Document policies and procedures

FedRAMP requires formal documentation of your internal security practices. For the Low, Moderate, and High baselines, you must have documentation in place for each control family, from an access control policy to a supply chain risk management policy. The LI-SaaS baseline has some exceptions.

These documents must align with the controls you’ve implemented and be reviewed regularly.

CSPs can choose to combine all policies in a single document and procedures in a single document or create separate P&Ps for each control family and attach them in Appendix C of their SSP.

3. Create and maintain your System Security Plan (SSP)

For the LI-SaaS, Low, Moderate, and High baselines, the SSP is your core compliance document. It must detail:

  • Your system boundary
  • How data flows through the system
  • How each security control is implemented
  • Any inherited controls from FedRAMP authorized systems
  • Connections to external services (e.g., other cloud services that are not FedRAMP authorized such as corporate services and external update services)
  • Any other components that federal reviewers expect to be adequately described and secured, such as development and test environments

All SSP appendices must also be completed and submitted.

4. Undergo a Third-Party Assessment Organization (3PAO) assessment

You must undergo a full security assessment by a FedRAMP-accredited 3PAO. This includes:

  • Documentation review
  • Vulnerability scanning
  • Penetration testing
  • Interviews and demonstrations

After the assessment, the 3PAO produces a Security Assessment Report (SAR), which is submitted with your SSP to your sponsoring agency. The SAR documents the assessment results, highlights any identified vulnerabilities, and provides a recommendation regarding FedRAMP authorization.

5. Create and maintain a Plan of Action and Milestones (POA&M)

Any gaps identified during the 3PAO assessment must be documented in a POA&M, which outlines:

  • The nature of the finding
  • The planned remediation steps
  • Timelines
  • Assigned owners

POA&Ms must be actively tracked and updated monthly to achieve and maintain authorization.

6. Perform and submit Continuous Monitoring (ConMon) deliverables

After achieving authorization, you must complete continuous monitoring activities and submit deliverables to your designated document repository for the authorizing official’s (AO’s) review. These must be completed periodically, as listed in the FedRAMP Continuous Monitoring Deliverables Template.

Key activities and deliverables include:

  • Monthly: Submitting vulnerability/configuration scans, POA&M updates, inventory updates, and a Continuous Monitoring Monthly Executive Summary
  • Annually: Updating your SSP and appendices, and undergoing penetration testing and vulnerability and configuration scans by a 3PAO
  • Other activities for higher baselines: Incident response plan and contingency plan tests, red team penetration testing, and static code analysis for Moderate and High-impact systems

ConMon activities like these ensure CSPs continuously maintain the security of their FedRAMP Authorized systems by providing AOs with monthly insight into the security posture of the system.

7. Complete annual reassessments to maintain compliance

FedRAMP requires full reassessment each year. To complete an annual reassessment, CSPs must:

For more information on the annual assessment process, including what steps the 3PAO must complete, please refer to the FedRAMP® Annual Assessment Guidance Version 3.0.

FedRAMP Requirements Checklist PDF

Use this checklist as a quick reference for what requirements your organization will need to meet to achieve and maintain a FedRAMP authorization.

How to manage FedRAMP requirements

Achieving and maintaining FedRAMP authorization requires organizations to adhere to stringent control, documentation, and continuous monitoring requirements, and not just for a point-in-time assessment but over time. This is resource-intensive, but automation can ease the burden.

Secureframe helps CSPs manage FedRAMP requirements more efficiently by providing:

  • Out-of-the-box support for all FedRAMP baselines, including FedRAMP 20x: Start with pre-mapped controls and tests aligned to your FedRAMP baseline requirements, helping you quickly identify and fill in gaps in your control environment.
  • System Security Plan (SSP) builder: Create and maintain your SSP effortlessly with pre-built templates mapped to FedRAMP and other federal frameworks, and guided workflows that walk you through each required section.
  • Automated evidence collection and control testing via federal cloud integrations: Secureframe integrates with your existing tech stack, including AWS GovCloud, Azure Government, Microsoft GCC High, and Intune GCC High, and automatically pulls system logs, configurations, and activity data to satisfy evidence and continuous monitoring requirements.
  • POA&M Manager: Secureframe links POA&M items directly to SSP implementation statuses for seamless tracking and offers structured workflows for assigning remediation owners, tracking deadlines, and monitoring resolution progress—all in one centralized place.
  • AI-powered remediation: When tests fail, Comply AI for Remediation generates recommended fixes as infrastructure-as-code so your team can quickly patch issues.
  • AI Evidence Validation: This AI feature helps compliance teams verify documentation accuracy before FedRAMP assessments begin, reducing findings and exceptions while accelerating time to compliance.
  • Real-time dashboard for compliance status and agency reporting: Visualize your current compliance posture, outstanding tasks, and progress toward authorization, with exportable reports for agency partners.
  • Expertise in government and federal compliance: Our dedicated, world-class compliance team includes former FedRAMP, FISMA, and CMMC auditors, offering the expertise and experience you need at every stage of the process.
  • Trusted 3PAO partner network: We have strong partnerships with certified Third Party Assessment Organizations like Coalfire Federal, providing support for FedRAMP and other federal audits.

Whether you're aiming for FedRAMP Low, Li-SaaS, Moderate, or High, Secureframe provides the tools and guidance to help you get compliant and stay compliant.

Want to simplify FedRAMP compliance? Talk to an expert at Secureframe to see how we can help.

FAQs

Is FedRAMP required?

FedRAMP is required for any cloud service used by a federal agency. If you offer cloud-based services and want to sell to the U.S. government, FedRAMP authorization is mandatory.

When is FedRAMP required?

FedRAMP is required before a federal agency can use a cloud service in production. It's typically required early in procurement or onboarding.

Does FedRAMP require U.S. citizenship?

Not universally. However, some federal agencies may require that support personnel be U.S. citizens or that data be stored in U.S.-based infrastructure. Check with your sponsoring agency about this potential requirement.

What are FedRAMP requirements?

While FedRAMP requirements vary according to system impact level and baseline, key requirements for any cloud service provider seeking authorization include:

  • Implementing a minimum set of security controls and enhancements selected from the NIST SP 800-53 Rev. 5 control catalog
  • Creating and maintaining robust documentation of those controls, including an SSP, POA&M, and security policies and procedures
  • Completing continuous monitoring activities, such as vulnerability and configuration scans and pen tests
  • Undergoing annual assessments by a Third-Party Assessment Organization (3PAO)