The FedRAMP Marketplace is the official directory of cloud products, federal agencies, and Third Party Assessment Organizations (3PAOs) engaged in the FedRAMP program.
Its primary purpose is to help agencies quickly and easily research and find secure cloud services and products.
In this guide, we’ll break down how the FedRAMP Marketplace works, what each listing status means, how to get listed, and what trends are shaping the future of this critical resource.
What is the FedRAMP Marketplace and why does it matter?
The FedRAMP Marketplace is a publicly accessible, searchable database of:
- Cloud service offerings (CSOs) that successfully achieved a FedRAMP designation
- Federal agencies that have authorized or are currently sponsoring a CSO
- 3PAOs that are accredited and can perform FedRAMP assessments
Maintained by the FedRAMP Program Management Office (PMO), the Marketplace is not just a central directory of FedRAMP Authorized products. It is a key pillar in the FedRAMP program’s mission to simplify and scale secure cloud adoption across the federal government.
Before FedRAMP was introduced in 2011, a cloud service provider had to prepare a unique authorization package for every agency it wanted to work with. These agency-specific packages often included different requirements, formats, and expectations, which created an inefficient and often repetitive process for both CSPs creating these packages and government buyers reviewing them.
FedRAMP was established to make that process more consistent, transparent, and scalable. By standardizing security requirements and enabling the reuse of security assessments, FedRAMP follows a “do once, use many” approach.
The Marketplace operationalizes this concept by making it easy for stakeholders to discover and reuse authorizations, significantly reducing redundant effort and accelerating cloud procurement across government.
In short, the FedRAMP Marketplace supports the adoption of more secure, efficient, and modern IT infrastructure throughout the federal ecosystem by:
- Empowering federal agencies to make informed, risk-based decisions when selecting cloud services
- Helping agencies replace outdated, insecure legacy systems with secure, cost-effective, and mission-driven cloud technologies faster
- Lowering barriers to entry for CSPs seeking to serve the federal market
- Promoting transparency and trust across the federal cloud ecosystem
- Strengthening overall cloud security and safeguarding sensitive government data against evolving threats
- Incentivizing CSPs to adopt stronger security practices that benefit not only individual agencies, but the broader national cybersecurity landscape
Now that we understand its definition and broader purpose, let’s take a closer look at the different reasons hundreds of thousands of people visit the FedRAMP Marketplace.

What is the purpose of the FedRAMP Marketplace?
The FedRAMP Marketplace supports a wide range of research and procurement needs. Whether you're a cloud provider, a federal buyer, or an assessor, it serves as a central hub for navigating FedRAMP authorization. Here are three reasons you might turn to the Marketplace:
1. To evaluate and select CSOs that have achieved a FedRAMP designation
If you're a federal agency looking for FedRAMP Authorized (or soon-to-be authorized) cloud services and products, the FedRAMP Marketplace allows you to explore offerings based on a variety of factors such as:
- Security baseline (Low, Moderate, High, Li-SaaS)
- Deployment model (e.g., SaaS, PaaS, IaaS)
- Service category or business function
This is especially helpful for federal agencies when comparing potential vendors and verifying claims of FedRAMP compliance.
2. To research agencies partnering with CSPs for a FedRAMP Authorization
The FedRAMP Marketplace also provides visibility into which federal agencies are sponsoring which cloud service providers. This can help:
- CSPs identify potential sponsors
- Federal buyers confirm whether a CSO has already been vetted and authorized by another agency, streamlining the reuse process
3. To review FedRAMP’s community of recognized 3PAOs
All 3PAOs approved by the FedRAMP PMO are listed in the Marketplace, along with their contact details and areas of specialization.
If you’re a CSP preparing for FedRAMP authorization, this can help you evaluate and select a qualified assessor aligned with your scope and timeline.
FedRAMP Marketplace designations: How to get FedRAMP Ready, In Process, or Authorized
As of July 31, 2025, there are 451 FedRAMP Authorized services. But there are a total of 585 products listed in the FedRAMP Marketplace. Why the discrepancy? Because the total number accounts for CSOs that have achieved any FedRAMP designation.
There are three official designations for CSOs defined by the FedRAMP PMO based on the CSO’s current status in the FedRAMP authorization process. These are:

FedRAMP Ready
This designation means the CSO has completed a Readiness Assessment, conducted by a 3PAO to assess its ability to meet federal security requirements, and that the resulting Readiness Assessment Report (RAR) has been reviewed and deemed acceptable by the FedRAMP PMO. While optional, this assessment is highly recommended.
When to pursue FedRAMP Ready designation
FedRAMP Ready is ideal for CSPs that are early in their FedRAMP journey and don’t yet have an agency sponsor but want to demonstrate their maturity and commitment to security. This designation can be a strong competitive differentiator that can help unblock deals and start building trust with federal prospects.
It’s also ideal for CSPs with complex systems who may need help identifying and addressing any gaps or weaknesses before proceeding to the full FedRAMP security assessment to avoid time-consuming and expensive rework.
Since this designation is optional, it’s important to note some drawbacks or limitations to understand when not to pursue this designation.
When not to pursue FedRAMP Ready
While FedRAMP Ready can be a helpful milestone, it’s not the right fit for every cloud service provider. Consider these limitations before pursuing this designation:
- Only available for Moderate and High-impact systems: If your offering falls under the Low baseline or Li-SaaS, the Ready designation isn’t an available option.
- Only valid for one calendar year: The designation is only valid for one calendar year from the date of designation. If your team isn’t prepared to move forward with full authorization within that timeframe—due to timing, budget, or resource constraints—it may not be worth the effort.
- Not a substitute for authorization: FedRAMP Ready signals preparedness, but it is not equivalent to FedRAMP Authorized. If you're trying to close a deal that requires full FedRAMP authorization, this designation likely won’t be sufficient.
Why it’s useful:
- Doesn’t require a sponsoring agency
- Can help CSPs identify and remediate gaps early
- Signals readiness and security posture to potential agency partners
FedRAMP In Process
This designation means the CSO is actively working toward FedRAMP authorization with a sponsoring agency.
To achieve this designation, a CSP must first formalize its partnership with an agency by submitting an In Process Request (IPR) letter and Work Breakdown Structure (WBS) to intake@fedramp.gov. Once the agency sends the IPR and WBS to the FedRAMP PMO to formally confirm the partnership, the CSP will be listed as FedRAMP In Process in the Marketplace.
The CSP pursuing this designation should also demonstrate progress toward authorization by completing key steps or best practices, such as:
- Having a system that is fully built and functional
- Having a leadership team that is committed and fully on board with the FedRAMP process
- Submitting a CSP Information Form (which will assign a FedRAMP ID)
- Determining the security categorization of the data that will be placed within the CSO using the FedRAMP FIPS 199 Categorization Template (Appendix K of the SSP Template)
- Preparing for and conducting a Kickoff Meeting following FedRAMP’s guidelines
When to pursue FedRAMP In Process designation
CSPs that have secured a federal agency sponsor and are ready to start the authorization process should pursue this designation. It can help demonstrate progress toward compliance and unlock opportunities for federal procurement and reuse.
Why it’s useful:
- Shows progress toward full authorization
- Demonstrates trust and investment from a federal sponsor
- Can help differentiate from competitors that haven’t started the authorization process
FedRAMP Authorized
This designation means the CSO has successfully completed and maintained a FedRAMP authorization. This requires completing:
- A full security assessment by an accredited 3PAO
- The agency authorization process (including review of the security authorization package by the agency and FedRAMP PMO)
- Annual reassessments by a 3PAO
- Ongoing continuous monitoring activities
When to pursue FedRAMP Authorized designation
FedRAMP Authorized is the gold standard for CSPs serving the federal government. A listing in the FedRAMP Marketplace makes it significantly easier for agencies to adopt your service and can dramatically improve your chances of winning government contracts.
It also offers a strong competitive advantage in the private sector. FedRAMP’s rigorous security standards give customers confidence in your ability to protect sensitive data.
Why it’s useful:
- Recognized across all federal agencies and in the private sector
- Enables federal procurement and reuse
- Validates the CSP’s long-term security and compliance posture
FedRAMP Marketplace filters
Since the FedRAMP Marketplace is designed to be a searchable and sortable database, it has several filters to help users quickly identify the most relevant listings.
For CSOs, these filters are:
- Status: FedRAMP designation (Authorized, In Process, Ready)
- Business Category: Business category/categories the CSO falls into (Accounting, Data Management, Finance, Media, Storage, etc.)
- Service Model: SaaS, PaaS, or IaaS
- Impact Level: 20x Low*, Li-SaaS, Low, Moderate, or High
- Deployment Model: Public, Private, Hybrid, Community
- Assessor: View which 3PAO conducted the assessment
*Note: FedRAMP 20x is technically not an impact level. It’s a pilot program testing a faster path to Low Authorization.
These filters make it easier for federal buyers to identify and evaluate the CSOs that meet their specific needs and for CSPs to assess the competitive landscape.
To learn more about a CSO, you can click on their listing to discover the total number of ATO letters and reuse ATOs on file, the date of their annual assessment, a list of all authorized services, and more.

Analyzing the current FedRAMP Marketplace
As of July 31, 2025, the FedRAMP Marketplace includes 585 CSOs that have achieved a formal FedRAMP designation. While the total number of listings has grown steadily over the years, expansion has been gradual due to the historically time- and resource-intensive nature of the FedRAMP authorization process and the limited capacity of the PMO.
To help scale participation and increase Marketplace volume, the FedRAMP PMO created three designations. Of the 585 CSOs listed in July, there are:
- 451 Authorized
- 69 In Process
- 65 Ready
That means that while the majority (77%) of products are FedRAMP Authorized, the other two designations add nearly a quarter of listings to the Marketplace. This reflects FedRAMP’s commitment to making the process more accessible and scalable.
In addition to these designations, FedRAMP has introduced the Li-SaaS baseline and FedRAMP 20x pathway to expand access, particularly for low-risk and low-impact services, to scale the Marketplace:
- Low baseline accounts for just 17 listings, only 3% of all CSOs listed in the Marketplace. However, 6 of these—including Secureframe—are currently using FedRAMP 20x. Once authorized, FedRAMP 20x will make up more than a third of Low authorizations to date.
- Li-SaaS baseline accounts for 49 CSOs—8% of the Marketplace. This notable difference from the Low baseline makes sense considering that over 90% of products in the Marketplace are SaaS-based solutions.
Moderate-impact systems make up approximately 73% of listings, meaning the Moderate baseline remains the most common path to federal cloud adoption. High-impact systems are also overrepresented compared to low-impact systems, making up 16% of the Marketplace. But because of the introduction of Li-SaaS and FedRAMP 20x, the FedRAMP Marketplace has grown, and should continue to grow, as more lightweight and low-impact offerings pursue authorization.
Beyond impact level, other notable trends in the Marketplace include:
- Deployment models: About 60% of listings are Government Community Cloud, while 34% are Public Cloud. This suggests that FedRAMP has driven broader adoption of public cloud infrastructure across federal agencies.
- Top business categories: Data Management (34%), Analytics (32%), Cybersecurity & Risk Management (31%), Collaboration (27%), and Operations Management (21%) represent the most common solution areas for which federal agencies seek cloud services and products.
Overall, the Marketplace is steadily diversifying—with growing support for lighter-weight offerings and an expanded menu of secure cloud services that align with evolving federal IT needs. Let’s take a closer look at how you can expect the FedRAMP Marketplace to continue to change in the future.

The future of the FedRAMP Marketplace
As FedRAMP 20x takes shape, the Marketplace is poised to grow not only in size but in efficiency, diversity, and accessibility. Here are key trends to expect:
- Low baseline adoption will accelerate via FedRAMP 20x: Currently, just 3% of CSOs in the Marketplace are authorized at the Low or 20x Low baseline. Since FedRAMP 20x aims to remove barriers and increase participation by streamlining documentation, reducing friction, and offering tailored baselines for lower-risk systems, this percentage is expected to increase as more organizations participate in the FedRAMP 20x Pilot program.
- Li-SaaS will continue to make up a significant portion of low-impact systems: Like FedRAMP 20x, Li-SaaS offers a scalable, right-sized pathway for CSOs looking to get FedRAMP Authorization. This will remain a valuable pathway for SaaS providers delivering tools with limited federal data interaction.
- Total FedRAMP Authorized services will increase faster: With FedRAMP 20x focusing on more standardized templates, automation, and machine-readable security artifacts, the authorization process is expected to speed up significantly, allowing more CSOs to reach FedRAMP Authorized status faster.
- Marketplace listings will become more dynamic: As automation increases and structured content becomes the norm, listings may soon reflect real-time status updates, improving transparency and enabling more agile procurement.
For CSPs, a FedRAMP Marketplace listing is becoming more than just a procurement milestone—it’s a signal of credibility, technical maturity, and commitment to serving the federal market. As the Marketplace continues to evolve, early and active participation will be key to staying competitive and building trusted relationships with agency buyers.
FAQs
Who is listed in the FedRAMP Marketplace?
There are three main types of participants listed in the FedRAMP Marketplace:
- Products: These are cloud service offerings (CSOs) from commercial providers that have achieved one of the three FedRAMP designations: Authorized, In Process, or Ready. Each listing includes information about the product’s service model, deployment model, impact level, 3PAO, and agency sponsor if applicable.
- Agencies: Federal agencies that are sponsoring CSPs through the FedRAMP authorization process, or have issued their own ATOs, are also listed. Their participation provides critical support for reuse and authorization tracking.
- Assessors: Only 3PAOs recognized by the FedRAMP PMO are listed in the Marketplace. Each assessor undergoes a rigorous approval process and is essential for conducting security assessments under the FedRAMP program.
Is Amazon FedRAMP approved?
Amazon is listed twice in the FedRAMP Marketplace.
- AWS US East/West—a multi-tenant public cloud for Federal, State and Local Government customers, as well as commercial customers—is FedRAMP Moderate Authorized and has been since 2013.
- AWS GovCloud (US)—an AWS Region designed to allow US government agencies and customers supporting the US government to move more sensitive workloads into the cloud—is FedRAMP High Authorized and has been since 2016.
What is a FedRAMP designation?
A FedRAMP designation is an official status assigned to a CSO based on its current stage in the FedRAMP authorization process. There are three official designations:
- FedRAMP Ready: Means the CSO has completed a readiness assessment by an accredited third-party assessment organization (3PAO) and is deemed capable of meeting federal security requirements.
- FedRAMP In Process: Means the CSO is actively working toward authorization with a sponsoring federal agency.
- FedRAMP Authorized: Means the CSO has successfully completed the full FedRAMP authorization process and maintains ongoing compliance.
These designations help agencies, assessors, and vendors understand where a CSO stands on the path to full FedRAMP compliance and are filters in the FedRAMP Marketplace.