Introduction: FedRAMP in the Cloud Security Assurance Landscape
The Federal Risk and Authorization Management Program (FedRAMP) is the United States government-wide programme that provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services used by federal agencies. Established formally in 2011 through an Office of Management and Budget (OMB) memorandum and codified in law by the FedRAMP Authorization Act (part of the National Defense Authorization Act for Fiscal Year 2023), FedRAMP embodies a 'do once, use many times' philosophy. Its intent is to reduce duplicative effort, drive consistent security, and accelerate the adoption of secure commercial cloud by federal departments and agencies.
For any Cloud Service Provider (CSP) that wishes to sell Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS) to the US federal market, a FedRAMP authorisation is effectively a market-entry requirement. For federal agencies, FedRAMP is mandatory whenever they procure or operate a cloud service that processes, stores, or transmits federal information. This guide provides an auditor-grade, end-to-end treatment of FedRAMP: what it is, who must comply, its control structure derived from NIST Special Publication 800-53, a master assessment checklist covering every control family, the phased path to authorisation, the continuous monitoring model, and how FedRAMP maps to adjacent frameworks such as ISO/IEC 27001, SOC 2, StateRAMP, and NIST 800-171.
Copyright and Source Note
FedRAMP programme documents (templates, baselines, guidance) are US Government works and are generally in the public domain. However, the underlying control catalogue is defined in NIST SP 800-53 (also a US Government work) and the assessment procedures in NIST SP 800-53A. This guide paraphrases and summarises those sources in original language for educational purposes; it does not reproduce copyrighted text and is not a substitute for the authoritative FedRAMP baselines, templates, and the current NIST catalogue. Always verify against fedramp.gov and the FedRAMP Marketplace before relying on any control identifier or requirement.
What is FedRAMP
FedRAMP is a compliance and authorisation programme, not a standalone control catalogue. It layers a federal governance and process wrapper on top of the NIST Risk Management Framework (RMF) and the NIST SP 800-53 control catalogue. In practice, FedRAMP takes the FIPS 199 impact levels (Low, Moderate, High), selects a tailored baseline of NIST 800-53 controls for each level, adds FedRAMP-specific parameters and additional controls, and defines the process by which a CSP is assessed by an independent Third Party Assessment Organisation (3PAO) and then authorised.
There are two principal authorisation paths. The first is the Agency Authorisation path (formerly called Agency ATO), where a specific federal agency reviews the CSP's security package and its Authorising Official (AO) issues an Authority to Operate (ATO), which other agencies may then reuse. The second is the JAB path historically operated by the Joint Authorization Board; under the FedRAMP Authorization Act the JAB has been superseded by a FedRAMP Board, and the programme has moved toward a single authorisation model with agency sponsorship. FedRAMP also defines a lighter-weight FedRAMP Tailored baseline (often called Li-SaaS, Low-impact SaaS) for low-risk, low-impact SaaS applications.
The deliverable at the heart of every FedRAMP engagement is the Security Assessment Package: principally the System Security Plan (SSP) with its attachments, the Security Assessment Plan (SAP), the Security Assessment Report (SAR) produced by the 3PAO, and the Plan of Action and Milestones (POA&M). After authorisation, the CSP must maintain the authorisation through Continuous Monitoring (ConMon), submitting monthly deliverables and undergoing an annual assessment.
Key FedRAMP Terminology
| Term | Meaning |
|---|
| CSP | Cloud Service Provider — the organisation offering the cloud service (SaaS/PaaS/IaaS) seeking authorisation. |
| CSO | Cloud Service Offering — the specific product/boundary being authorised. |
| 3PAO | Third Party Assessment Organisation — an accredited, independent assessor that performs the security assessment. |
| AO | Authorising Official — the federal official who accepts residual risk and grants the ATO. |
| ATO | Authority to Operate — the formal authorisation decision permitting federal use. |
| P-ATO | Provisional ATO — historically issued by the JAB; being phased out under the new model. |
| SSP | System Security Plan — the core document describing the system, boundary, and control implementation. |
| SAR | Security Assessment Report — the 3PAO's findings from testing the controls. |
| POA&M | Plan of Action and Milestones — the tracked register of open weaknesses and remediation plans. |
| ConMon | Continuous Monitoring — ongoing monthly/annual maintenance of the authorisation. |
| FIPS 199 | Standard used to categorise the system impact level (Low/Moderate/High). |
| A2LA / accreditation | American Association for Laboratory Accreditation, which accredits 3PAOs against ISO/IEC 17020. |
Who Must Comply with FedRAMP
FedRAMP applies to cloud services in the federal ecosystem. Compliance obligations fall on different parties depending on their role. The following table clarifies who is in scope and why.
| Party | Applicability / Obligation |
|---|
| Cloud Service Providers (CSPs) selling to US federal agencies | Mandatory. Any CSP whose SaaS/PaaS/IaaS processes, stores, or transmits federal data must obtain and maintain a FedRAMP authorisation at the appropriate impact level. |
| US Federal Executive Branch agencies | Mandatory. Agencies must use FedRAMP-authorised cloud services and must not operate unauthorised cloud offerings for federal information; agencies act as authorising sponsors. |
| Independent SaaS vendors seeking federal contracts | Mandatory in practice. FedRAMP authorisation (or an in-process listing on the Marketplace) is typically a prerequisite in federal RFPs and contracts. |
| Systems integrators and managed service providers hosting federal workloads | In scope where they deliver a cloud service or leverage/inherit controls; must document inherited controls and shared responsibility. |
| Sub-service providers / underlying IaaS-PaaS (e.g., the CSP's hosting platform) | Indirectly in scope. The authorised CSO must run on a FedRAMP-authorised infrastructure or fully document and assess the underlying stack; leveraged authorisations are documented in the SSP. |
| US State, local, tribal, and education entities | Not directly bound by FedRAMP (they often use StateRAMP or TX-RAMP), but many reference FedRAMP baselines. |
| Department of Defense (DoD) cloud consumers | FedRAMP is the baseline, but DoD adds DoD Cloud Computing SRG impact levels (IL2/IL4/IL5/IL6) and additional controls beyond FedRAMP. |
- Trigger for applicability: the cloud service handles federal information (any data an agency creates, collects, processes, stores, or transmits).
- Impact level drives the baseline: FIPS 199 categorisation of confidentiality, integrity, and availability determines Low, Moderate, or High.
- Most SaaS applications targeting federal buyers pursue the Moderate baseline, as it covers the majority of Controlled Unclassified Information (CUI) use cases.
- High baseline is required for law enforcement, emergency services, financial, and health data where a breach could have severe or catastrophic impact.
Structure of FedRAMP: Impact Levels, Control Families, and Baselines
FedRAMP inherits the structure of NIST SP 800-53. Controls are organised into control families (each identified by a two-letter code such as AC for Access Control). FedRAMP defines security control baselines — pre-selected and parameterised sets of controls — for each FIPS 199 impact level. The number of controls grows with impact level. The FedRAMP baselines are periodically re-baselined as NIST revises SP 800-53 (the current baselines are aligned to NIST SP 800-53 Revision 5).
FedRAMP Impact Levels and Baseline Sizes
| Impact Level | FIPS 199 Basis | Typical Data / Use Case | Approximate Control Count (Rev 5) |
|---|
| Low (Li-SaaS / Tailored) | Loss has limited adverse effect | Low-risk SaaS, collaboration tools, public-facing services | ~125 (Li-SaaS is a tailored subset, ~ fewer) |
| Low | Loss has limited adverse effect | Low-sensitivity federal data | ~156 |
| Moderate | Loss has serious adverse effect | Most CUI; the majority of federal SaaS | ~323 |
| High | Loss has severe or catastrophic effect | Law enforcement, emergency, financial, health, high-value assets | ~410 |
The NIST SP 800-53 Control Families Adopted by FedRAMP
FedRAMP baselines draw from the twenty control families below. Rev 5 introduced Supply Chain Risk Management (SR) and PII Processing and Transparency (PT). Not every family is fully populated at every impact level, but all are represented at Moderate and High.
| Family Code | Family Name | Focus Area |
|---|
| AC | Access Control | Account management, least privilege, remote access, session control |
| AT | Awareness and Training | Security awareness, role-based training, records |
| AU | Audit and Accountability | Event logging, log content, review, retention, time stamps |
| CA | Assessment, Authorisation, and Monitoring | Control assessment, interconnections, POA&M, ConMon, penetration testing |
| CM | Configuration Management | Baseline configuration, change control, least functionality, inventory |
| CP | Contingency Planning | Backups, alternate sites, disaster recovery, testing |
| IA | Identification and Authentication | MFA, credential management, identity proofing, cryptographic auth |
| IR | Incident Response | Handling, reporting, testing, incident tracking |
| MA | Maintenance | Controlled/remote maintenance, tools, personnel |
| MP | Media Protection | Media access, marking, storage, transport, sanitisation |
| PE | Physical and Environmental Protection | Facility access, power, fire, temperature, data-centre controls |
| PL | Planning | System security/privacy plans, rules of behaviour, architecture |
| PS | Personnel Security | Screening, termination, transfer, access agreements |
| PT | PII Processing and Transparency | Consent, purpose specification, privacy notices (Rev 5) |
| RA | Risk Assessment | Categorisation, risk assessment, vulnerability scanning |
| SA | System and Services Acquisition | SDLC, developer security, external services, supply chain |
| SC | System and Communications Protection | Boundary protection, encryption, cryptographic key management |
| SI | System and Information Integrity | Flaw remediation, malware, monitoring, spam, error handling |
| SR | Supply Chain Risk Management | Supply chain plan, provenance, component authenticity (Rev 5) |
| PM | Program Management | Organisation-wide programme controls (largely inherited/agency-level) |
Master Assessment Checklist: Every Control Family
This is the operational core of the guide. For each NIST 800-53 control family adopted by FedRAMP, the tables below enumerate what an assessor (3PAO) verifies and the typical evidence a CSP must produce. Findings feed the Security Assessment Report and any residual weaknesses feed the POA&M. Control identifiers (e.g., AC-2) reference the NIST catalogue as implemented by the FedRAMP baseline; parameter values (frequencies, thresholds) are set by FedRAMP-specific assignments.
AC — Access Control
| What to verify | Typical evidence |
|---|
| AC-2 Account management: provisioning, review, and disabling of accounts with defined lifecycle | Account management procedure, joiner/mover/leaver records, periodic account review reports, automated disable evidence |
| AC-3 Enforcement of approved authorisations for logical access | Role/permission matrix, access control policy configuration, RBAC/ABAC export |
| AC-6 Least privilege including privileged account restriction and review | Privileged account inventory, just-in-time access records, quarterly least-privilege review |
| AC-7 Unsuccessful logon attempt lockout thresholds | Authentication configuration showing lockout after defined attempts |
| AC-11 Session lock after inactivity; AC-12 session termination | Session timeout configuration, screenshots, policy |
| AC-17 Remote access authorised, monitored, and encrypted | VPN/bastion configuration, remote access authorisation list, encryption settings |
| AC-4 Information flow enforcement between security domains | Network segmentation diagrams, firewall/security group rules, data flow matrix |
AT — Awareness and Training
| What to verify | Typical evidence |
|---|
| AT-2 Security and privacy awareness training on hire and annually, including insider-threat awareness | Training completion records, LMS reports, course content, sign-off |
| AT-3 Role-based training for personnel with significant security responsibilities | Role-based curriculum, completion logs for admins/developers |
| AT-4 Retention of training records | Archived training records covering the retention period |
AU — Audit and Accountability
| What to verify | Typical evidence |
|---|
| AU-2 Auditable events defined and coordinated across the system | Audit policy, list of logged event types, log source inventory |
| AU-3 Audit records capture required content (who, what, when, where, outcome) | Sample log records, log schema documentation |
| AU-6 Audit review, analysis, and reporting for indications of inappropriate activity | SIEM correlation rules, log review cadence records, alert tickets |
| AU-8 Time stamps synchronised to an authoritative source | NTP configuration, time-source documentation |
| AU-9 Protection of audit information from unauthorised access/modification | Log access controls, immutable/WORM storage configuration |
| AU-11 Audit record retention per FedRAMP parameters (minimum online and archived periods) | Retention policy, storage configuration proving retention duration |
CA — Assessment, Authorisation, and Monitoring
| What to verify | Typical evidence |
|---|
| CA-2 Independent control assessment by an accredited 3PAO | 3PAO accreditation, Security Assessment Plan, Security Assessment Report |
| CA-3 Authorised system interconnections and external service agreements | Interconnection Security Agreements, MOUs, external service inventory |
| CA-5 POA&M maintained and current with milestones and status | POA&M workbook, remediation tracking, monthly updates |
| CA-6 Authorisation (ATO) granted and maintained by the AO | Signed ATO letter, authorisation decision documentation |
| CA-7 Continuous monitoring strategy with defined metrics and frequencies | ConMon plan, monthly deliverable submissions, metrics dashboards |
| CA-8 Penetration testing performed per FedRAMP penetration test guidance | Penetration test plan and report following the six mandatory attack vectors |
CM — Configuration Management
| What to verify | Typical evidence |
|---|
| CM-2 Baseline configuration documented and maintained | Configuration baselines, IaC templates, hardening baselines |
| CM-3 Configuration change control with impact analysis and approval | Change tickets, CAB minutes, change control procedure |
| CM-6 Configuration settings enforce approved hardening (e.g., USGCB/DISA STIG/CIS) | Benchmark scan results, deviation register, hardening guides |
| CM-7 Least functionality — disabling unnecessary ports, protocols, services | Port/service inventory, deny-by-default configuration |
| CM-8 System component inventory kept accurate and current | Asset inventory export, CMDB, automated discovery reports |
| CM-10/CM-11 Software usage and user-installed software restrictions | Software allow-list policy, endpoint control configuration |
CP — Contingency Planning
| What to verify | Typical evidence |
|---|
| CP-2 Contingency plan defining roles, RTO/RPO, and recovery activities | Approved contingency plan, business impact analysis |
| CP-4 Contingency plan tested at defined frequency | Test/exercise reports, after-action reviews, lessons learned |
| CP-6/CP-7 Alternate storage and processing sites with adequate separation | Region/AZ architecture, failover documentation |
| CP-9 System backups performed, protected, and validated | Backup schedules, backup success logs, restoration test evidence |
| CP-10 System recovery and reconstitution capability | DR runbooks, recovery test results |
IA — Identification and Authentication
| What to verify | Typical evidence |
|---|
| IA-2 Multi-factor authentication for privileged and non-privileged access | MFA configuration, FIDO2/PIV/phishing-resistant MFA evidence |
| IA-2 Federated/PIV-compatible authentication where required | Identity provider configuration, SSO/SAML/OIDC settings |
| IA-4 Identifier management preventing reuse and enforcing uniqueness | Identity lifecycle procedure, identifier assignment records |
| IA-5 Authenticator management: password policy, key/certificate handling | Password policy, cryptographic key inventory, credential rotation logs |
| IA-5(1) Password complexity and strength aligned to NIST SP 800-63 | Authentication policy configuration, 800-63 alignment note |
| IA-8 Identification and authentication of non-organisational users | External/customer authentication configuration |
IR — Incident Response
| What to verify | Typical evidence |
|---|
| IR-1/IR-8 Incident response policy and plan | Approved IR plan, IR policy, contact roster |
| IR-4 Incident handling: detection, analysis, containment, eradication, recovery | IR runbooks, incident tickets, timeline records |
| IR-6 Incident reporting to US-CERT/CISA and the agency within required timeframes | Reporting procedure referencing US-CERT/CISA one-hour timelines, sample reports |
| IR-3 Incident response testing/exercises | Tabletop exercise reports, simulation results |
| IR-5 Incident tracking and metrics | Incident register, trend analysis, MTTR metrics |
MA — Maintenance
| What to verify | Typical evidence |
|---|
| MA-2 Controlled maintenance with approval and records | Maintenance logs, approval records |
| MA-4 Non-local (remote) maintenance authorised, monitored, and encrypted | Remote maintenance session logs, MFA evidence |
| MA-5 Maintenance personnel authorisation and escort where uncleared | Personnel authorisation list, escort procedures |
| MA-3 Maintenance tools controlled and inspected | Tool inventory, inspection records |
MP — Media Protection
| What to verify | Typical evidence |
|---|
| MP-2 Media access restricted to authorised personnel | Access control lists, media handling policy |
| MP-4 Media storage protected physically and cryptographically | Encryption at rest configuration, storage controls |
| MP-6 Media sanitisation and disposal prior to reuse/disposal | Sanitisation records, certificates of destruction, crypto-erase logs |
| MP-5 Media transport protection and accountability | Transport procedures, chain-of-custody records |
PE — Physical and Environmental Protection
| What to verify | Typical evidence |
|---|
| PE-2/PE-3 Physical access authorisations and enforcement at data centres | Data-centre access lists, badge logs, SOC 2/ISO attestations from the IaaS provider |
| PE-6 Monitoring of physical access | CCTV/monitoring records, access review reports |
| PE-13 Fire protection and suppression | Facility attestations, inspection certificates |
| PE-14 Temperature and humidity controls | Environmental monitoring reports |
| PE-11 Emergency power (UPS/generator) | Power redundancy documentation, test records |
PL — Planning
| What to verify | Typical evidence |
|---|
| PL-2 System Security Plan documented, approved, and current | Signed SSP with all attachments and control implementation summaries |
| PL-4 Rules of behaviour established and acknowledged | Signed rules-of-behaviour/acceptable-use acknowledgements |
| PL-8 Security and privacy architecture documented | Architecture diagrams, boundary diagram, data flow diagrams |
| PL-10/PL-11 Baseline and tailoring selection recorded | Control selection/tailoring workbook |
PS — Personnel Security
| What to verify | Typical evidence |
|---|
| PS-2 Position risk designations assigned | Position risk designation records |
| PS-3 Personnel screening/background checks commensurate with risk | Background-check completion records (redacted), screening policy |
| PS-4 Personnel termination — access revocation on exit | Offboarding checklists, access-revocation logs |
| PS-5 Personnel transfer access re-evaluation | Transfer records, access change tickets |
| PS-6 Access agreements signed | Signed NDAs and access agreements |
| PS-7 Third-party personnel security requirements | Contractor security clauses, vendor screening evidence |
PT — PII Processing and Transparency
| What to verify | Typical evidence |
|---|
| PT-2 Authority to process PII established | Privacy authority documentation, Privacy Impact Assessment |
| PT-3 Purpose specification for PII processing | Purpose/use documentation, data inventory |
| PT-4/PT-5 Consent and privacy notices provided | Privacy notice, consent records/mechanisms |
| PT-6 System of records notice where applicable (Privacy Act) | SORN references, PIA |
RA — Risk Assessment
| What to verify | Typical evidence |
|---|
| RA-2 FIPS 199 security categorisation performed | Categorisation worksheet, impact-level determination |
| RA-3 Risk assessment conducted and updated | Risk assessment report, risk register |
| RA-5 Vulnerability scanning of OS, web, and database at required frequency | Monthly authenticated scan reports, scan configuration, remediation SLAs |
| RA-5 Scan findings remediated within FedRAMP timelines (High 30 / Moderate 90 / Low 180 days) | Remediation tracking against timelines, POA&M entries |
| RA-7 Risk response decisions documented | Risk acceptance memos, deviation requests |
SA — System and Services Acquisition
| What to verify | Typical evidence |
|---|
| SA-3/SA-8 Secure system development life cycle and security engineering principles | SDLC policy, secure-design standards |
| SA-4 Security requirements included in acquisitions | Procurement security requirements, contract clauses |
| SA-9 External system services managed with defined roles and monitoring | External services inventory, SLAs, shared responsibility matrix |
| SA-10/SA-11 Developer configuration management and security testing | SAST/DAST reports, code review records, developer CM evidence |
| SA-22 Unsupported components identified and mitigated | End-of-life component register, mitigation plans |
SC — System and Communications Protection
| What to verify | Typical evidence |
|---|
| SC-7 Boundary protection with managed interfaces and deny-by-default | Firewall/security group rules, boundary diagram, WAF configuration |
| SC-8 Transmission confidentiality and integrity (TLS/encryption in transit) | TLS configuration, cipher suites, FIPS-validated modules |
| SC-12/SC-13 Cryptographic key management and FIPS 140-validated cryptography | FIPS 140-2/140-3 certificate references, KMS configuration, key rotation |
| SC-28 Protection of information at rest (encryption at rest) | Encryption-at-rest configuration, key custody records |
| SC-7(3) Access points limited and load-balanced | Ingress architecture, access-point inventory |
| SC-5 Denial-of-service protection | DDoS protection configuration, provider attestations |
SI — System and Information Integrity
| What to verify | Typical evidence |
|---|
| SI-2 Flaw remediation and patch management within timelines | Patch management procedure, patch deployment logs, POA&M |
| SI-3 Malicious code protection | Anti-malware configuration, detection logs, update evidence |
| SI-4 System monitoring / intrusion detection | IDS/IPS configuration, SIEM alerts, monitoring architecture |
| SI-5 Security alerts and advisories acted upon | Advisory intake process, CISA alert handling records |
| SI-7 Software, firmware, and information integrity verification | File integrity monitoring configuration and alerts |
| SI-10/SI-11 Input validation and error handling | Secure coding standards, validation test evidence |
SR — Supply Chain Risk Management
| What to verify | Typical evidence |
|---|
| SR-2 Supply chain risk management plan | SCRM plan, governance records |
| SR-3 Supply chain controls and processes | Supplier assessment records, contractual security terms |
| SR-5 Acquisition strategies and tools to manage supply chain risk | Vendor risk assessments, tiering |
| SR-6 Supplier assessments and reviews | Supplier review reports, SBOM where applicable |
| SR-11 Component authenticity and anti-counterfeit | Provenance checks, tamper controls |
PM — Program Management (Organisation-Level)
| What to verify | Typical evidence |
|---|
| PM-9 Risk management strategy defined at organisation level | Enterprise risk strategy documentation |
| PM-11 Mission/business process definition informing security | Business process and information-type documentation |
| PM-14 Testing, training, and monitoring plan | Enterprise T-T-M plan |
| PM-31 Continuous monitoring strategy (organisation-wide) | Organisational ConMon strategy |
Scoping the Authorisation Boundary
Correct scoping is the single most consequential decision in a FedRAMP engagement. The authorisation boundary defines everything that is assessed and authorised: the applications, infrastructure, data stores, supporting services, external connections, and the human and physical elements that process federal data. An overly broad boundary inflates cost and control burden; an overly narrow boundary risks a rejected package or an under-protected system.
- Define the Cloud Service Offering precisely: which application, tiers, and functionality are being authorised.
- Establish the FIPS 199 impact level first — it dictates the baseline and therefore the entire scope of controls.
- Draw the authorisation boundary diagram showing all components, data flows, and every crossing of the boundary (ingress/egress).
- Identify leveraged authorisations: the underlying IaaS/PaaS must itself be FedRAMP-authorised so the CSP can inherit those controls.
- Document the shared responsibility model — which controls the CSP implements, which are inherited from the platform, which are customer responsibility, and which are hybrid.
- Include all external services and interconnections (email, identity, monitoring, ticketing) and confirm each is authorised, in-scope, or covered by a signed agreement.
- Explicitly list what is out of scope and justify exclusions; corporate/back-office systems must be excluded through segmentation, not by assertion.
- Account for the full data lifecycle within the boundary: collection, processing, storage, transmission, backup, and disposal of federal data.
Boundary Pitfall
The most common cause of package rejection is a boundary that omits supporting services (such as logging, secrets management, CI/CD, or bastion hosts) that actually handle or can access federal data or credentials. If a service can touch federal data or the systems that process it, assume it is in the boundary until proven otherwise.
Implementation Approach: Phased Roadmap to Authorisation
A realistic FedRAMP journey for a Moderate SaaS typically spans nine to eighteen months. The following phased approach sequences the work so that expensive assessment activity is not wasted on an immature control environment.
Phase 1 — Readiness and Gap Assessment
- Activities: secure federal agency sponsorship or plan the agency-authorisation path; perform FIPS 199 categorisation; conduct a gap assessment against the target baseline; optionally complete a FedRAMP Readiness Assessment Report (RAR) with a 3PAO.
- Deliverables: impact-level determination, gap analysis report, remediation roadmap, RAR (for Marketplace 'In Process — Ready' designation).
Phase 2 — Boundary Definition and Architecture
- Activities: finalise the authorisation boundary and data flow diagrams; select a FedRAMP-authorised underlying platform; design segmentation, encryption (FIPS 140-validated), and identity architecture; define the shared responsibility matrix.
- Deliverables: authorisation boundary diagram, network and data flow diagrams, shared responsibility matrix, architecture decision records.
Phase 3 — Control Implementation and Documentation
- Activities: implement or configure every applicable control; harden systems to CIS/DISA STIG benchmarks; stand up logging, vulnerability scanning, and continuous monitoring tooling; author the SSP with per-control implementation statements and all attachments (policies, IR plan, contingency plan, configuration management plan, incident response plan, rules of behaviour, PIA).
- Deliverables: complete System Security Plan and all attachments, policies and procedures for every control family, evidence repository.
Phase 4 — Independent Assessment (3PAO)
- Activities: engage an accredited 3PAO; the 3PAO produces a Security Assessment Plan; conduct control testing, vulnerability scanning validation, and penetration testing across the six required attack vectors; produce the Security Assessment Report.
- Deliverables: Security Assessment Plan, penetration test report, Security Assessment Report, initial POA&M from findings.
Phase 5 — Authorisation Decision
- Activities: assemble the full Security Assessment Package; the sponsoring agency's Authorising Official reviews the SSP, SAR, and POA&M and evaluates residual risk; remediate blocking findings; obtain the ATO and request Marketplace listing.
- Deliverables: complete security authorisation package, signed ATO letter, FedRAMP Marketplace 'Authorised' designation.
Phase 6 — Continuous Monitoring and Sustainment
- Activities: submit monthly ConMon deliverables (updated POA&M, vulnerability scan results, inventory); operate change control and significant-change requests; conduct the annual assessment; remediate vulnerabilities within FedRAMP timelines.
- Deliverables: monthly ConMon packages, annual assessment report, deviation requests, updated SSP reflecting significant changes.
Continuous Monitoring Maturity / Capability Model
FedRAMP does not define a formal five-level maturity model in the way CMMC does; however, the continuous monitoring programme establishes an escalating expectation of capability. The following model expresses practical capability levels a CSP progresses through, useful for internal readiness scoring.
| Level | Capability State | Characteristics |
|---|
| 1 — Initial | Ad hoc | Controls documented on paper only; no automation; evidence gathered reactively; not ready for 3PAO. |
| 2 — Documented | Repeatable | SSP complete; policies exist for all families; manual evidence; scanning performed but inconsistent. |
| 3 — Assessed | Defined | 3PAO assessment passed; POA&M managed; monthly ConMon operating; timelines occasionally missed. |
| 4 — Managed | Quantitatively managed | Automated scanning and inventory; metrics-driven remediation within timelines; drift detection in place. |
| 5 — Optimised | Continuous / near-real-time | Continuous control monitoring, automated evidence, integration with agency dashboards; supports OSCAL-based reporting and rapid significant-change handling. |
Assessment and Audit Approach
The FedRAMP assessment is executed by an independent 3PAO following NIST SP 800-53A assessment procedures and FedRAMP-specific test cases. The steps below describe the end-to-end assessment lifecycle.
- Categorise the system using FIPS 199 to confirm the impact level and applicable baseline.
- Confirm 3PAO independence and accreditation (A2LA against ISO/IEC 17020 and FedRAMP requirements).
- Review the System Security Plan and all attachments for completeness and accuracy against the boundary.
- Develop the Security Assessment Plan defining scope, test cases, sampling, and the assessment schedule.
- Perform control testing using examine, interview, and test methods for each in-scope control.
- Conduct authenticated vulnerability scanning of operating systems, web applications, and databases; validate results.
- Perform penetration testing across the six mandatory attack vectors (external, internal, web application, network, social engineering, and mobile/API as applicable).
- Document findings, risk-rate each weakness, and record false positives, operational requirements, and risk adjustments.
- Produce the Security Assessment Report with the Risk Exposure Table and recommendations.
- Populate the initial POA&M with all open weaknesses, remediation plans, and milestones.
- Submit the complete package to the Authorising Official for the authorisation decision.
- Transition into continuous monitoring: monthly deliverables, annual assessment, and significant-change reviews.
Evidence Request List
The following categorised list represents the evidence a 3PAO and Authorising Official expect. Maintaining this in a living evidence repository dramatically reduces assessment friction.
- Governance and documentation: System Security Plan, all attachments, policies and procedures for every control family, rules of behaviour, Privacy Impact Assessment.
- Boundary and architecture: authorisation boundary diagram, network diagram, data flow diagrams, shared responsibility matrix, leveraged authorisation documentation.
- Access control: account inventory, privileged account list, RBAC/permission matrices, account review records, MFA configuration.
- Logging and monitoring: audit event definitions, sample logs, SIEM rules, log retention configuration, monitoring/IDS architecture.
- Vulnerability and patch: monthly authenticated scan reports (OS/web/DB), remediation tracking, patch deployment logs, penetration test report.
- Configuration management: hardening baselines, benchmark scan results, change tickets, CAB records, component inventory/CMDB.
- Contingency and resilience: contingency plan, backup logs, restoration test results, DR exercise reports, RTO/RPO documentation.
- Incident response: IR plan, incident register, US-CERT/CISA reporting procedure, tabletop exercise results.
- Personnel and training: screening records (redacted), onboarding/offboarding logs, signed access agreements, training completion reports.
- Cryptography and data protection: FIPS 140-validation certificates, TLS/cipher configuration, encryption-at-rest and key management evidence.
- Supply chain and third parties: SCRM plan, vendor risk assessments, interconnection agreements, external service SLAs.
- Continuous monitoring: ConMon plan, monthly deliverable submissions, POA&M history, deviation requests, significant-change request records.
Roles and Responsibilities
| Role | Responsibility |
|---|
| Cloud Service Provider (CSP) | Implements and operates controls, authors the SSP, remediates findings, and maintains continuous monitoring. |
| System / Information System Owner | Accountable within the CSP for the security posture and documentation of the CSO. |
| Third Party Assessment Organisation (3PAO) | Independently assesses controls, performs scanning and penetration testing, and produces the SAR. |
| Authorising Official (AO) | Federal official who reviews residual risk and grants or denies the ATO. |
| Sponsoring Agency / ISSO | Provides sponsorship, reviews the package, and supports the authorisation and ConMon oversight. |
| FedRAMP PMO / FedRAMP Board | Administers the programme, maintains baselines and templates, and governs the Marketplace. |
| CISO / Security Team (CSP) | Owns the control environment, policies, incident response, and vulnerability management. |
| DevOps / Engineering | Implements technical controls, hardening, automation, and remediation. |
| Privacy Officer | Owns PII processing controls, PIA, and privacy notices. |
| Third-party suppliers / IaaS provider | Provide inherited controls and attestations documented via shared responsibility. |
KPIs to Track
- Percentage of applicable controls fully implemented versus planned/partial.
- Number of open POA&M items by severity (High/Moderate/Low) and ageing beyond remediation timelines.
- Mean time to remediate vulnerabilities against FedRAMP SLAs (High 30 / Moderate 90 / Low 180 days).
- On-time submission rate for monthly continuous monitoring deliverables.
- Vulnerability scan coverage — percentage of in-scope assets scanned (authenticated) each cycle.
- Percentage of assets deviating from the approved hardening baseline (configuration drift).
- Incident detection and response metrics: mean time to detect and mean time to respond; reporting within required timeframes.
- Privileged access review completion rate and count of stale/orphaned accounts.
- Change management: percentage of changes following approved change control; significant-change requests submitted on time.
- Annual assessment findings trend versus prior year (net-new versus recurring weaknesses).
Readiness Checklist
- FIPS 199 categorisation completed and impact level (Low/Moderate/High) confirmed.
- Agency sponsorship secured or agency-authorisation path defined.
- Authorisation boundary and data flow diagrams finalised and validated.
- Underlying platform confirmed FedRAMP-authorised and leveraged controls documented.
- Shared responsibility matrix completed for all applicable controls.
- System Security Plan and every attachment drafted with per-control implementation statements.
- Policies and procedures exist for all in-scope control families.
- FIPS 140-validated cryptography in use for data in transit and at rest.
- Multi-factor authentication enforced for all privileged and non-privileged access.
- Authenticated vulnerability scanning operational for OS, web, and database.
- Centralised logging, SIEM monitoring, and required log retention configured.
- Contingency plan and backups tested with documented restoration.
- Incident response plan tested and US-CERT/CISA reporting procedure defined.
- Accredited 3PAO engaged and Security Assessment Plan agreed.
- POA&M process and continuous monitoring tooling stood up ahead of authorisation.
Common Gaps
- Authorisation boundary omits supporting services (logging, secrets, CI/CD, bastion) that can access federal data.
- Use of non-FIPS 140-validated cryptographic modules for encryption in transit or at rest.
- Incomplete or inconsistent SSP control implementation statements that do not match the actual configuration.
- Vulnerability remediation exceeding FedRAMP timelines with weak POA&M justification.
- Authenticated scanning gaps — unauthenticated scans or assets excluded from scan scope.
- Weak least-privilege enforcement and stale privileged accounts.
- Inherited controls asserted without evidence or a signed shared responsibility matrix.
- Continuous monitoring deliverables submitted late or incomplete after authorisation.
- Significant changes deployed without a significant-change request or re-assessment.
- Inadequate penetration testing that does not cover all six required attack vectors.
- Contingency and incident response plans documented but never exercised.
- Supply chain risk management (SR family) treated superficially with no supplier assessments.
FedRAMP Mapped to Other Frameworks
| Framework | Relationship to FedRAMP | Notes |
|---|
| NIST SP 800-53 Rev 5 | Foundation | FedRAMP baselines are tailored subsets of the 800-53 catalogue with FedRAMP-specific parameters. |
| NIST SP 800-171 / CMMC | Adjacent CUI protection | 800-171 protects CUI in non-federal systems; controls overlap heavily but FedRAMP is for cloud services, CMMC for the DIB supply chain. |
| ISO/IEC 27001 | Complementary | Strong management-system and control overlap; a mapping crosswalk reduces effort, but ISO alone does not satisfy FedRAMP. |
| SOC 2 (Trust Services Criteria) | Complementary | Many SOC 2 controls overlap with FedRAMP; SOC 2 reports can supply evidence but are not a substitute for authorisation. |
| StateRAMP / TX-RAMP | Sibling programmes | Modelled on FedRAMP for US state/local government; leverage similar baselines and 3PAO assessments. |
| DoD Cloud Computing SRG (IL2-IL6) | Superset for DoD | Builds on FedRAMP Moderate/High and adds DoD-specific controls and impact levels. |
| FIPS 199 / FIPS 200 | Categorisation and minimum requirements | Define impact levels and minimum security requirements that drive the FedRAMP baseline selection. |
| CIS Benchmarks / DISA STIG | Configuration hardening | Provide the concrete settings that satisfy CM configuration controls. |
| HIPAA / HITRUST | Sector overlap | For health data, HIPAA and HITRUST controls overlap with FedRAMP High; not interchangeable. |
| OSCAL | Machine-readable format | FedRAMP is adopting OSCAL for SSP/SAP/SAR/POA&M to automate package exchange and ConMon. |
How CyberSigma Helps
CyberSigma guides Cloud Service Providers through the entire FedRAMP lifecycle — from FIPS 199 categorisation and authorisation-boundary design to gap assessment, SSP and full documentation authoring, control implementation and hardening, 3PAO readiness, and continuous monitoring operations. As a CERT-In empanelled auditor and PCI QSA practice with deep NIST 800-53 expertise, we help you avoid the boundary, cryptography, and evidence pitfalls that cause package rejection, and we build the automation and POA&M discipline needed to sustain your Authority to Operate. Whether you are targeting Low, Moderate, or High, or aligning FedRAMP with ISO 27001, SOC 2, and CMMC, CyberSigma delivers an audit-ready, defensible path to federal cloud authorisation.