FedRAMP: What It Is, Who Needs It, and Where to Start

FedRAMP sets the gold standard for cloud security, and achieving authorized status can open up significant growth opportunities in both government and private sectors. Understanding and navigating FedRAMP compliance, however, can be complex and full of questions. 

Does your organization need to be FedRAMP compliant? Even if you’re not legally required to comply, what are the benefits of achieving FedRAMP authorization? What does the authorization process entail, and how do you get started? How much resources, time, and money will it take to get FedRAMP compliant? 

Learn the essentials of FedRAMP compliance and find practical guidance and best practices for cloud service providers pursuing authorization. 

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is designed to ensure that all cloud services used by US federal agencies meet strict security requirements, mitigating the risk of data breaches and cyber threats. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud technologies.

FedRAMP was introduced in 2011 and enacted into law in December 2022 as part of the US National Defense Authorization Act. With 27 applicable laws and regulations and another 26 standards and guidance documents, FedRAMP is one of the most rigorous cybersecurity certifications in the world. 

What is the purpose of FedRAMP?

As federal agencies began to replace traditional software with cloud-based solutions, cloud service providers (CSPs) were required to prepare an authorization package for each agency they wanted to work with. Much like vendor security questionnaires, requirements for these authorization packages were inconsistent, resulting in significant manual and duplicate work for both cloud solutions creating the authorization packages and the agencies reviewing them.

FedRAMP offers a consistent, standardized approach to streamline this process. By using a "do once, use many" framework, FedRAMP enables CSPs and federal agencies to reuse existing security assessments, saving significant time and reducing duplicated efforts.

Benefits of FedRAMP Authorization

Cloud service providers that have a FedRAMP designation are listed in the FedRAMP Marketplace, a list of authorized services government agencies use to find new cloud-based solutions. A listing in the FedRAMP Marketplace makes you much more likely to get business from government agencies, since it’s easier for an agency to use a product that’s already authorized than to start the process with a new vendor. There are currently 326 FedRAMP Authorized Services in the Marketplace.

Beyond access to the federal market, a FedRAMP Marketplace listing can also give you a significant competitive advantage in the private sector. FedRAMP is a rigorous and respected security standard, so authorization can give current and potential customers the highest confidence in your commitment to meeting stringent cloud security standards. 

Who needs to be FedRAMP compliant?

All cloud service providers that process or store federal data must be FedRAMP authorized. 

This requirement extends to organizations that handle federal data, directly or indirectly, through cloud computing environments. It's not only the CSPs that need to be concerned with FedRAMP; federal agencies and state and local governments that use cloud services must also ensure their providers are compliant. In addition, businesses seeking to enter the federal marketplace must achieve FedRAMP authorization.

FedRAMP requirements

FedRAMP is a derivative of NIST Special Publication 800-53 and uses the same baselines (Low, Moderate, High) and associated controls, but adds to them by specifying certain parameters and additional control requirements.

One such addition is a privacy control baseline that applies to systems at every impact level: a CSP that processes personally identifiable information (PII), for instance, must implement the controls assigned to the privacy control baseline in addition to those of its security control baseline.

All organizations must implement the controls assigned to their respective security control baseline. Low has the fewest controls, while High has the most controls and the strictest parameters.

FedRAMP requirements are broken down into 18 control families based on NIST 800-53 Rev. 5:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Security Assessment and Authorization
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical and Environmental Protection
  12. Planning
  13. Personnel Security
  14. Risk Assessment
  15. System and Services Acquisition
  16. System and Communication Protection
  17. System and Information Integrity
  18. Supply Chain Risk Management (new with Revision 5)

Understanding the FedRAMP authorization process

Here's an overview of the FedRAMP authorization process:

Step 1. Compile required documents

CSPs must prepare and submit a comprehensive set of documents that detail their security practices and controls, including:

  • System Security Plan (SSP): Describes how the CSP meets all of FedRAMP's security requirements. SSPs encompass all controls and include information on the cloud service offering (CSO), its environment, security controls, and how controls are implemented.
  • Policies and Procedures: Outlines the CSP's formal policies and procedures for managing and securing the cloud environment, ensuring that operations align with FedRAMP standards. Think of policies as the rules or criteria that the organization must meet and adhere to while procedures are the processes, controls, tools, etc. that are implemented to meet and adhere to those policies. 
  • User Guide: Provides information on how to securely use the cloud service, including details on user roles, responsibilities, and procedures for maintaining security.
  • Configuration Management Plan: Outlines the processes for managing changes to the system and its components, ensuring that changes do not adversely affect security.
  • Supply Chain Risk Management Plan: Identifies and manages risks associated with the supply chain for information systems, components, or services. The plan should include supplier requirements, supply chain risk controls and mitigation strategies, roles and responsibilities, and disposal procedures.
  • Contingency Plan: Defines how the organization will maintain or restore operations in the event of a disruption or incident. Include backup procedures, disaster recovery, and business continuity in the event the information system is compromised. 
  • Plan of Actions and Milestones: A living document that outlines the specific steps an organization will take to address any identified vulnerabilities, including details on prioritization, resources required, and remediation timelines. 
  • Incident Response Plan: Details how the organization will detect, respond to, and recover from a security incident, including specific roles and responsibilities, communication procedures, and steps to contain and recover from an incident to minimize its impact. 
  • Continuous Monitoring Plan: Explains how the organization will regularly monitor and assess control performance. Include threat intelligence, vulnerability scanning, and any other activities designed to ensure your organization’s security posture remains strong and can adapt to new or evolving threats.

FedRAMP compliance requires thorough documentation, and CSPs often work with third-party assessors and consultants to ensure that their documentation is complete, accurately reflects their security posture, and meets FedRAMP's rigorous standards.

Step 2. Complete a FIPS 199 Assessment to determine the appropriate impact level

The FIPS 199 Assessment involves three main steps:

1. Identification of Information Types: The first step is to identify the types of information processed, stored, or transmitted by the information system. This involves understanding the kind of data, such as personally identifiable information (PII), financial data, proprietary information, etc.

2. Categorization Based on Impact Levels: Each type of information is then categorized based on the potential impact to the organization if there were a compromise in confidentiality, integrity, or availability.

FIPS 199 defines three levels of potential impact:

  • Low Impact: The loss of confidentiality, integrity, or availability could have a limited adverse effect on the organization's operations, assets, or individuals.
  • Moderate Impact: The loss could have a serious adverse effect.
  • High Impact: The loss could have a severe or catastrophic adverse effect.

3. System Categorization: The information system is categorized based on the highest level of impact among the types of information it handles (the "high water mark"). For example, if a system processes information types categorized as low impact alongside information types categorized as high impact, the system as a whole is categorized as high impact.

Use the outcome of the FIPS 199 assessment to determine which NIST SP 800-53 security controls you’ll need to implement to adequately protect the information system.
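The three FIPS 199 steps above as a worked categorization, added here as an illustration (not code from the original post). It goes slightly beyond the text by tracking the impact per security objective, which is how FIPS 199 expresses a system's security category, and by applying two FIPS 199 rules the text does not spell out: "not applicable" is permitted only for the confidentiality of an information type, and a system's impact for any objective is never lower than low. The information types are constructed sample data.

```python
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")          # FIPS 199 potential impact values, lowest to highest
NOT_APPLICABLE = "not applicable"             # allowed only for the confidentiality of an information type
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level: str) -> int:
    """Order impact values so max() selects the high-water mark; N/A ranks below low."""
    if level == NOT_APPLICABLE:
        return -1
    if level not in LEVELS:
        raise ValueError(f"unknown impact value: {level!r}")
    return LEVELS.index(level)


def _validate(info_type: InfoType) -> None:
    """Reject unknown values and 'not applicable' on integrity or availability."""
    for objective in OBJECTIVES:
        level = getattr(info_type, objective)
        if level == NOT_APPLICABLE and objective != "confidentiality":
            raise ValueError(f"{info_type.name}: {NOT_APPLICABLE!r} is only allowed for confidentiality")
        _rank(level)


def categorize_system(info_types):
    """Return (per-objective security category, overall impact level) for the whole system."""
    if not info_types:
        raise ValueError("at least one information type is required")
    for t in info_types:
        _validate(t)
    category = {}
    for objective in OBJECTIVES:
        highest = max((getattr(t, objective) for t in info_types), key=_rank)
        # An information system has no N/A value: every objective is at least low.
        category[objective] = "low" if highest == NOT_APPLICABLE else highest
    # The overall level (which selects the Low/Moderate/High baseline) is the highest objective.
    overall = max(category.values(), key=_rank)
    return category, overall


def format_category(category) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES) + "}"


# Constructed sample inventory for a hypothetical cloud service offering.
SAMPLE_INFO_TYPES = [
    InfoType("public web content", NOT_APPLICABLE, "low", "moderate"),
    InfoType("applicant PII", "high", "moderate", "low"),
    InfoType("system audit logs", "moderate", "moderate", "moderate"),
]

if __name__ == "__main__":
    cat, overall = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(cat))
    print(f"overall impact level: {overall} -> select the {overall.capitalize()} baseline")
```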

Step 3. Choose your authorization path

Under the updated FedRAMP 20x model, CSPs no longer pursue authorization through the Joint Authorization Board (JAB). Instead, all authorizations are now agency-sponsored, with a focus on faster, more automated, and collaborative pathways to achieving ATO.

The Agency Authorization path

To become FedRAMP authorized, a CSP must now work directly with a federal agency that agrees to serve as the sponsoring authority. This agency is actively involved throughout the authorization process, validating your system’s security posture and ultimately issuing the ATO.

The process includes three main stages:

  • Preparation: Assemble required documentation, complete a FIPS 199 categorization, select a 3PAO (Third Party Assessment Organization), and undergo a readiness assessment if applicable.
  • Authorization: Undergo a full security assessment, provide continuous monitoring documentation, and work closely with the sponsoring agency to address risks and finalize the ATO decision.
  • Continuous Monitoring: Once authorized, CSPs must maintain compliance through monthly POA&M updates, regular vulnerability scans, incident reporting, and control status updates. Under FedRAMP 20x, this is expected to move toward real-time reporting using machine-readable data formats and automation tools.

FedRAMP 20x and the future of authorization

The FedRAMP 20x modernization initiative eliminates the centralized JAB authorization model and shifts the compliance process to a more distributed approach. Agencies now take the lead in validating and monitoring CSP compliance, while the FedRAMP Program Management Office (PMO) focuses on maintaining program standards and enabling automation.

This change is designed to accelerate the path to authorization, reduce reliance on manual documentation, and make compliance more accessible to cloud vendors of all sizes. Instead of waiting for JAB prioritization, CSPs can now engage directly with agency partners, demonstrate compliance through continuous monitoring, and streamline the assessment process with automation tools and structured data outputs like OSCAL and JSON.

When planning for authorization under the new model, consider which of your cloud services are best suited for federal use and identify agency partners who would benefit most. Taking a strategic, phased approach can help you allocate resources effectively and scale your FedRAMP compliance efforts over time.

Step 4. Partner with a Third Party Assessment Organization (3PAO) to create a Security Assessment Plan and Security Assessment Report

The Security Assessment Plan (SAP) and Security Assessment Report are bookends of the 3PAO’s assessment of the CSP’s information systems. 

The SAP first lays out the methodology and procedures that will be used to conduct the security assessment of the CSP's system. It outlines the scope of the assessment, test procedures, and the criteria for evaluating the security controls. The 3PAO then conducts the assessment according to the SAP. 

After the security assessment is finished, a Security Assessment Report (SAR) is produced to present the findings. It details the results of the assessment, including any vulnerabilities identified and the effectiveness of the implemented security controls.

Step 5. Conduct a 3PAO Readiness Assessment

Completed by a FedRAMP-accredited 3PAO, a readiness assessment helps identify any gaps or weaknesses in your security posture that need to be addressed before proceeding to the full FedRAMP security assessment.

While a 3PAO Readiness Assessment is not formally required in every case, it is strongly recommended, particularly for CSPs new to FedRAMP or looking to engage a federal agency sponsor. The resulting Readiness Assessment Report (RAR) helps demonstrate your security posture, identify gaps, and improve your readiness for a full assessment. Under FedRAMP 20x, agencies may request a RAR before agreeing to sponsor a cloud service offering.

Step 6. Create a Plan of Actions and Milestones Document

A Plan of Actions and Milestones (POA&M) is a document that lists all known security findings and vulnerabilities in the system and outlines a plan for addressing them, including prioritization, resources required, and milestones for remediation.

The POA&M is a living document and is required to maintain FedRAMP compliance. It must be regularly updated at least monthly to reflect the current status of security findings and vulnerabilities and the actions being taken to address them. POA&Ms also contain a historical record of closed issues and vulnerabilities.

Step 7. Establish continuous monitoring and incident response procedures

To maintain FedRAMP authorized status, you’ll need to create a Continuous Monitoring Policy and Incident Response Plan. 

The Continuous Monitoring Policy is a document that outlines your organization's strategy for continuously monitoring and assessing the security controls in your cloud services and ensuring ongoing compliance with FedRAMP requirements.

The Incident Response Plan details procedures for managing and responding to security incidents, including roles and responsibilities, communication plans, and steps for mitigation and recovery.

Tips for getting started with FedRAMP compliance

Embarking on the journey to FedRAMP compliance can be a daunting task, but learning about the process and following best practices can make compliance much more manageable.

Here are some essential tips and best practices for organizations that are just getting started with FedRAMP compliance:

Thoroughly understand NIST SP 800-53 and FedRAMP requirements

Familiarize yourself with the FedRAMP Security Assessment Framework (SAF), NIST SP 800-53 security controls, and the specific requirements for the impact level (Low, Moderate, High) applicable to your cloud services.

Perform a gap analysis to understand how your current environment aligns with FedRAMP 

This gap analysis should cover all aspects of your cloud service, from data encryption and user authentication to incident response and risk management practices. The outcome will provide a clear roadmap for bridging any gaps and ensuring your services are fully compliant with FedRAMP standards.

Secure support and commitment across your organization

Achieving FedRAMP compliance is a significant endeavor that requires a concerted effort across your organization. It's essential to garner support and commitment from both the executive leadership and the technical teams responsible for implementing the necessary changes. It can be a costly endeavor, so we recommend doing a budget and resource analysis to ensure feasibility and preparedness for the assessment and process.

This involves educating stakeholders about the value and implications of FedRAMP compliance, including the potential for expanded business opportunities within the federal market and the overall enhancement of your security posture. Establishing a cross-functional team dedicated to achieving compliance can facilitate collaboration and ensure that all efforts are aligned with your organization's goals.

Identify a federal agency partner 

Partnering with a federal agency that either currently uses your service or is committed to adopting it can significantly streamline the FedRAMP authorization process. This partnership can also provide valuable insights into the specific security concerns and requirements of federal agencies, allowing you to tailor your compliance efforts more effectively.

In addition, having an agency sponsor can expedite the review process and add credibility to your FedRAMP application. Engaging early and frequently with potential agency partners can help build relationships and secure the necessary commitment to move forward.

Carefully define your system boundaries

A critical step in the FedRAMP compliance process is accurately defining the boundaries of your cloud system. This includes:

  • Internal Components: Identifying all elements within your cloud service, from infrastructure and applications to data storage and processing units, ensuring that security controls are uniformly applied.
  • External Service Connections: Cataloging all connections to external services and third-party providers, assessing the security implications of these integrations, and ensuring they do not compromise your compliance posture. If you don't have on-premises components and rely on cloud services such as AWS, Azure, or Google Cloud Platform, there may be areas of shared responsibility or control inheritance.
  • Data and Metadata Flows: Mapping out the flow of data and metadata within and outside your system to understand potential vulnerabilities and apply appropriate security measures.

This comprehensive understanding of your system's boundaries is essential for implementing effective security controls and for documenting your security posture in the System Security Plan (SSP) required for FedRAMP authorization.

Approach FedRAMP as an ongoing commitment 

FedRAMP compliance is not a one-time achievement — it’s an ongoing, continuous commitment to maintaining high security standards. It requires regular monitoring, updating security controls, and periodic reassessments to adapt to evolving threats and changes in your cloud services and threat landscape. Adopting a mindset that views FedRAMP as an integral part of your operational processes will help you stay compliant and secure over time.

Engage with the FedRAMP PMO

The FedRAMP Program Management Office (PMO) is an essential resource for organizations pursuing authorized status. They share best practices, training, FAQs, and templates to help simplify and guide CSPs through the process. 

The PMO can provide guidance on technical requirements, clarify compliance criteria, and offer insights into the authorization process. Engaging with the PMO early and often can help you navigate the complexities of FedRAMP, avoid common pitfalls, and develop a successful strategy for achieving and maintaining compliance.

FedRAMP Requirements Checklist

Our FedRAMP Requirements Checklist provides a high-level overview of the technical and security requirements you’ll need to implement to meet the security requirements of the Low, Li-SaaS, Moderate, and High baselines.

How to streamline FedRAMP compliance with automation

Because it’s a rigorous standard, achieving FedRAMP compliance requires a significant amount of time and resources. You’ll need to complete a gap analysis and readiness assessment, determine your baseline, select and implement NIST 800-53 controls, and collect documentation and evidence for your 3PAO. And once that’s done, you’ll have to conduct ongoing assessments and continuous monitoring to maintain compliance. 

GRC automation platforms like Secureframe can significantly cut down on the amount of time and effort it takes to complete these manual tasks, freeing up your team to focus on strategic objectives.

Here are a few reasons organizations choose Secureframe as their partner for achieving and maintaining compliance with federal frameworks: 

  • Government and federal compliance expertise: Our dedicated, world-class compliance team includes former FISMA, FedRAMP, and CMMC auditors who have the expertise and experience to support you at every step. 
  • Integrations with federal cloud products: Secureframe integrates with your existing tech stack, including AWS GovCloud, to automate infrastructure monitoring and evidence collection.
  • Trusted 3PAO partner network: Secureframe has strong relationships with certified Third Party Assessment Organizations like Schellman and Prescient Assurance, and can support FedRAMP and other federal audits such as CMMC and CJIS. 
  • Cross-mapping across frameworks: FedRAMP and NIST 800-53 have many overlapping requirements with NIST 800-171, CJIS, and other federal frameworks. Instead of starting from scratch, our platform can help map what you’ve already done for FedRAMP to other frameworks so you’re never duplicating efforts. 
  • Continuous monitoring: By monitoring your tech stack 24/7 to alert you of non-conformities, Secureframe makes it easier to maintain continuous compliance and a strong security posture. You can specify test intervals and notifications for required regular tasks to maintain FedRAMP compliance. You can also use our Risk Register and Risk Management capabilities to support your continuous monitoring efforts and POA&M maintenance. 

To learn more about how Secureframe can help you comply with FedRAMP and other federal frameworks, schedule a demo with a product expert.