What FedRAMP is
FedRAMP (the Federal Risk and Authorization Management Program) is the US government's mandatory security assessment and authorization program for cloud services used by federal agencies. Established in 2011, it's run by the General Services Administration (GSA) with oversight from OMB and CIO Council.
The core idea: instead of every federal agency separately re-evaluating each cloud vendor, FedRAMP creates a single, standardized authorization that other agencies can leverage. "Authorize once, use many times."
The 3 impact levels
| Level | Use case | Controls |
|---|---|---|
| Low | Public-facing, low-sensitivity data. Subset: Li-SaaS for low-impact SaaS. | 156 controls (Li-SaaS: 125) |
| Moderate | Most common. Internal agency systems, controlled unclassified information (CUI), most B2B SaaS. | 323 controls |
| High | Catastrophic impact if breached. Law enforcement, emergency services, financial systems, sensitive PII at scale. | ~410 controls |
Impact level is determined by the FIPS 199 categorization of the data the system processes. The agency you're selling to drives the determination.
Authorization paths
Agency ATO (Authority to Operate)
A single federal agency acts as your sponsor. They assess your system against the appropriate baseline, accept the residual risk, and issue an ATO letter. Other agencies can then leverage your authorization package via reciprocity.
- Typical timeline: 12-24 months from kickoff to ATO
- 3PAO involvement: required — a FedRAMP-accredited Third Party Assessment Organization audits your controls
- Path to other agencies: via package reuse / agency leverage
JAB P-ATO (Joint Authorization Board Provisional ATO)
The JAB (DoD, DHS, GSA CIOs) grants a provisional authorization that any federal agency can leverage with minimal additional review. Historically the gold standard but harder and slower.
What FedRAMP authorization actually requires
- Security categorization — FIPS 199 / NIST SP 800-60 categorization of the data and system.
- System Security Plan (SSP) — the master document describing how each NIST 800-53 control is implemented. For Moderate, typically 300-700 pages.
- Continuous monitoring plan — defining how you'll provide monthly POA&M updates, annual assessments, etc.
- Incident response plan with US-CERT reporting workflows.
- 3PAO assessment — the FedRAMP-accredited audit firm tests every control, issues a Security Assessment Report (SAR).
- Plan of Action & Milestones (POA&M) — tracking every open finding and the remediation plan.
- Authorization package — SSP + SAR + POA&M + supporting docs delivered to the sponsoring agency or JAB.
Cost and timeline
| Phase | Time | Cost range |
|---|---|---|
| Gap assessment + readiness | 3-6 months | $50-150K |
| Remediation + SSP authoring | 6-12 months | $200-800K (internal + consulting) |
| 3PAO assessment | 3-6 months | $100-400K |
| Agency review + ATO | 3-9 months | — |
| Total to first ATO | 18-36 months | $750K-$2.5M |
| Annual ConMon | Continuous | $250-750K/year |
Moderate is the typical path: budget $1-1.5M and 18-24 months. High runs $2M+ and 24-36 months. These are pre-revenue costs — most CSPs pursue FedRAMP only when they have committed federal customer demand.
FedRAMP 20x
Announced 2024, FedRAMP 20x is a phased program restructuring designed to:
- Cut authorization time from 18+ months toward 3-6 months for low/moderate systems
- Emphasize machine-readable artifacts (OSCAL — Open Security Controls Assessment Language) so packages are inspectable by tooling, not just PDFs
- Continuous authorization — replace point-in-time annual assessments with continuous monitoring evidence streams
- Reduce documentation overhead — fewer narrative requirements, more reliance on control tests
Full rollout is multi-year. As of 2026, the traditional Moderate path still dominates. Watch for phased pilots from FedRAMP PMO.
FedRAMP vs StateRAMP vs CMMC vs DoD IL4/5
| Program | Audience | Notes |
|---|---|---|
| FedRAMP | Federal civilian + DoD basic | The baseline. Required for most fed cloud use. |
| StateRAMP | State/local government | Built on FedRAMP's framework; targeted at state agencies and municipalities. |
| CMMC 2.0 | Defense Industrial Base (DIB) contractors | Cybersecurity Maturity Model Certification for orgs handling CUI / FCI. Layer ON TOP of FedRAMP for cloud use. |
| DoD IL4 / IL5 / IL6 | DoD-specific impact levels | Extra requirements above FedRAMP High for DoD systems. IL4 = CUI, IL5 = mission-critical CUI, IL6 = classified. |