Glossary

What is FedRAMP?

FedRAMP (Federal Risk and Authorization Management Program) is the US government's mandatory security assessment and authorization program for cloud services used by federal agencies. It defines 3 impact levels (Low, Moderate, High) with 156 to 410 NIST 800-53 controls, costs $750K-$2.5M for initial authorization, and takes 18-36 months from kickoff to ATO.

What FedRAMP is

FedRAMP (the Federal Risk and Authorization Management Program) is the US government's mandatory security assessment and authorization program for cloud services used by federal agencies. Established in 2011, it's run by the General Services Administration (GSA) with oversight from OMB and CIO Council.

The core idea: instead of every federal agency separately re-evaluating each cloud vendor, FedRAMP creates a single, standardized authorization that other agencies can leverage. "Authorize once, use many times."

Who needs it: any cloud service provider (CSP) selling to federal agencies. If the agency stores government data in your cloud — even just as a B2B tool — you need a FedRAMP authorization at the appropriate impact level.

The 3 impact levels

LevelUse caseControls
LowPublic-facing, low-sensitivity data. Subset: Li-SaaS for low-impact SaaS.156 controls (Li-SaaS: 125)
ModerateMost common. Internal agency systems, controlled unclassified information (CUI), most B2B SaaS.323 controls
HighCatastrophic impact if breached. Law enforcement, emergency services, financial systems, sensitive PII at scale.~410 controls

Impact level is determined by the FIPS 199 categorization of the data the system processes. The agency you're selling to drives the determination.

Authorization paths

Agency ATO (Authority to Operate)

A single federal agency acts as your sponsor. They assess your system against the appropriate baseline, accept the residual risk, and issue an ATO letter. Other agencies can then leverage your authorization package via reciprocity.

JAB P-ATO (Joint Authorization Board Provisional ATO)

The JAB (DoD, DHS, GSA CIOs) grants a provisional authorization that any federal agency can leverage with minimal additional review. Historically the gold standard but harder and slower.

2024 change: the JAB stopped accepting new submissions. New CSPs now pursue agency ATO; FedRAMP 20x will eventually replace the JAB model entirely.

What FedRAMP authorization actually requires

Cost and timeline

PhaseTimeCost range
Gap assessment + readiness3-6 months$50-150K
Remediation + SSP authoring6-12 months$200-800K (internal + consulting)
3PAO assessment3-6 months$100-400K
Agency review + ATO3-9 months
Total to first ATO18-36 months$750K-$2.5M
Annual ConMonContinuous$250-750K/year

Moderate is the typical path: budget $1-1.5M and 18-24 months. High runs $2M+ and 24-36 months. These are pre-revenue costs — most CSPs pursue FedRAMP only when they have committed federal customer demand.

FedRAMP 20x

Announced 2024, FedRAMP 20x is a phased program restructuring designed to:

Full rollout is multi-year. As of 2026, the traditional Moderate path still dominates. Watch for phased pilots from FedRAMP PMO.

FedRAMP vs StateRAMP vs CMMC vs DoD IL4/5

ProgramAudienceNotes
FedRAMPFederal civilian + DoD basicThe baseline. Required for most fed cloud use.
StateRAMPState/local governmentBuilt on FedRAMP's framework; targeted at state agencies and municipalities.
CMMC 2.0Defense Industrial Base (DIB) contractorsCybersecurity Maturity Model Certification for orgs handling CUI / FCI. Layer ON TOP of FedRAMP for cloud use.
DoD IL4 / IL5 / IL6DoD-specific impact levelsExtra requirements above FedRAMP High for DoD systems. IL4 = CUI, IL5 = mission-critical CUI, IL6 = classified.

Run FedRAMP control evidence in one platform.

Pre-mapped NIST 800-53 controls, POA&M tracking, evidence chains for ConMon — drop-in for the 18-36 months of pre-ATO work. 7-day trial.

Start your free trial →