
Federal Risk and Authorization Management Program

Standardized security assessment for cloud services used by federal agencies

Established: 2011
Last Updated: 2025 (FedRAMP 20x modernization)
Scope: Cloud Service Providers Serving U.S. Federal Agencies
Impact Levels: 3

What is FedRAMP and what changed with FedRAMP 20x?

FedRAMP is the U.S. government's standardized security authorization program for cloud services. Cloud Service Providers (CSPs) must achieve FedRAMP authorization before federal agencies can use their products. Authorization levels (Low, Moderate, High) track FIPS 199 impact categories and require from 125 (Low) to more than 421 (High) NIST SP 800-53 controls. The traditional path averaged about 22 months. In March 2025, GSA announced FedRAMP 20x to cut that time to weeks by replacing manual reviews with machine-readable OSCAL documentation and automated validation. Phase 1 (Low impact pilot) ran April through September 2025; Phase 2 (Moderate impact) ran from late 2025 into early 2026; the program is in later phases as of mid-2026. Rev5 remains an available path during the transition until approximately mid-FY2027. Sources: gsa.gov FedRAMP 20x announcement (March 24, 2025); fedramp.gov/20x.

// What is FedRAMP?

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. The program enables agencies to use pre-authorized cloud solutions, reducing duplicative security assessments across government.

Cloud Service Providers (CSPs) seeking to serve federal customers must achieve FedRAMP authorization through rigorous assessment against NIST SP 800-53 controls. The authorization level (Low, Moderate, or High) corresponds to the sensitivity of data the system can process.

The FedRAMP Authorization Act of 2022, signed into law as part of the FY2023 NDAA, codified the program and established the FedRAMP Board to oversee governance.

In March 2025, GSA announced FedRAMP 20x, a redesign of the authorization process targeting authorization timelines of weeks instead of the current average of approximately 22 months. FedRAMP 20x centers on machine-readable OSCAL documentation and automated technical validation to replace manual review steps. Phase 1 (Low impact pilot) ran from April through September 2025. Phase 2 (Moderate impact) ran from late 2025 into early 2026. As of mid-2026 the program is in later phases of rollout. Rev5 remains an available authorization path during the transition; FedRAMP Rev5 is targeted for retirement around mid-FY2027. Sources: gsa.gov FedRAMP 20x announcement (March 24, 2025); fedramp.gov/20x.

// Inside the Regulation

FedRAMP defines three authorization levels based on FIPS 199 impact categorization. Each level requires implementation of increasingly comprehensive security controls from NIST SP 800-53.

1. FedRAMP Low

For cloud systems processing data where a loss of confidentiality, integrity, or availability would have a limited adverse effect on operations, assets, or individuals.

125+ Controls

Baseline derived from NIST SP 800-53 Low baseline with FedRAMP-specific parameters and additional controls.

Use Cases

Public websites, collaboration tools with non-sensitive data, development/test environments.

Assessment

Third-Party Assessment Organization (3PAO) assessment required with annual reassessment.

2. FedRAMP Moderate

For cloud systems processing data where a loss of confidentiality, integrity, or availability would have a serious adverse effect on operations, assets, or individuals. This is the most common authorization level.

325+ Controls

Full control set covering access control, audit, incident response, system protection, and more.

Use Cases

PII processing, financial systems, email services, CRM platforms, most SaaS applications.

Continuous Monitoring

Monthly vulnerability scanning, annual penetration testing, ongoing POA&M management.

3. FedRAMP High

For cloud systems processing data where a loss of confidentiality, integrity, or availability would have a severe or catastrophic adverse effect on operations, assets, or individuals.

421+ Controls

Most stringent control baseline including enhanced cryptography, access controls, and incident response.

Use Cases

Law enforcement data, healthcare systems, financial regulatory systems, emergency services.

Enhanced Requirements

Stricter personnel security, enhanced logging, more frequent assessments, FIPS 140-2 validated cryptography.

Note: FedRAMP offers two authorization paths: Agency Authorization (sponsored by a specific agency) and Joint Authorization Board (JAB) Authorization (prioritized review for high-demand solutions). JAB authorizations are provisional and still require agency-specific acceptance. The FedRAMP Marketplace lists all authorized cloud services.

// Who Must Comply

  • Cloud Service Providers selling to federal agencies
  • SaaS, PaaS, and IaaS vendors pursuing government contracts
  • Managed service providers hosting federal workloads
  • Commercial cloud vendors seeking government market access
  • Federal agencies procuring cloud services (must use FedRAMP-authorized solutions)

// Key Requirements

Access Control

Role-based access, MFA, session controls, and least privilege enforcement

Continuous Monitoring

Ongoing vulnerability management, configuration monitoring, and incident detection

Data Protection

Encryption at rest and in transit, key management, and data handling procedures

Incident Response

IR capabilities, US-CERT reporting requirements, and breach notification procedures

Configuration Management

Baseline configurations, change control, and vulnerability remediation

Assessment & Authorization

3PAO assessment, POA&M management, and annual reauthorization

// Enforcement & Penalties

While FedRAMP itself doesn't impose direct penalties, failure to maintain authorization results in loss of ability to serve federal customers. Misrepresentation of FedRAMP status can trigger False Claims Act liability and contract termination.

Maximum Penalty

Loss of federal contracts; False Claims Act exposure for misrepresentation

Examples:

  • Removal from FedRAMP Marketplace for compliance failures
  • Agency contract termination for lapsed authorization
  • False Claims Act liability for misrepresenting authorization status
  • Reputational damage affecting commercial and government sales

// Cyber Insurance Impact

FedRAMP authorization demonstrates mature security practices that can positively influence cyber insurance underwriting. Many insurers view FedRAMP-authorized organizations as lower risk due to validated controls and continuous monitoring requirements.

// How Breach Craft Helps

We help organizations achieve FedRAMP compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of FedRAMP.

// Common Questions

What is FedRAMP 20x?

FedRAMP 20x is GSA's redesign of the FedRAMP authorization process, announced March 24, 2025. The goal is to reduce authorization time from approximately 22 months to weeks by shifting documentation to machine-readable OSCAL format and using automated technical validation in place of manual security package reviews. Phase 1 (Low impact pilot) ran April through September 2025. Phase 2 (Moderate impact) ran from late 2025 into early 2026; as of mid-2026 the program is in later phases of rollout. FedRAMP Rev5 remains an available path for new authorizations during the transition, targeted for retirement around mid-FY2027. See fedramp.gov/20x for current status.

How long does FedRAMP authorization take?

Under the current Rev5 path, FedRAMP authorization has averaged approximately 22 months from readiness assessment to Authority to Operate (ATO). The time varies by impact level, the completeness of your System Security Plan, and the assessment queue at your chosen 3PAO. FedRAMP 20x aims to cut this to weeks for Low impact systems by automating validation steps. Until 20x reaches full rollout (targeted mid-FY2027), plan for a Rev5 timeline if you need authorization for current federal contracts.

Does my SaaS product need FedRAMP authorization?

Any cloud service that a federal agency uses to process, store, or transmit federal data must be FedRAMP authorized. This applies to SaaS, PaaS, and IaaS products. If federal agencies are already using your product without authorization, that creates risk for both you and the agency. The FedRAMP Marketplace at marketplace.fedramp.gov lists all authorized products. If your product is not listed but agencies are using it, contact the FedRAMP Program Management Office or work with a sponsoring agency to start the authorization process.

Can a virtual CISO help with FedRAMP authorization?

Yes. FedRAMP requires a named System Owner and an Information System Security Officer (ISSO) to maintain the System Security Plan, manage the POA&M, and oversee continuous monitoring. A virtual CISO can serve in the ISSO role or support a junior internal owner, keeping your authorization active without the cost of a full-time federal compliance hire. This matters most during the continuous monitoring phase, where monthly vulnerability scans, annual penetration tests, and ongoing POA&M updates are required.

// Industries That Need FedRAMP

These industries commonly require FedRAMP compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873