We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / FedRAMP
US FedRAMP PMO / GSA · United States

FedRAMP

The US government authorisation programme for cloud services.

Introduction: FedRAMP in the Cloud Security Assurance Landscape

The Federal Risk and Authorization Management Program (FedRAMP) is the United States government-wide programme that provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services used by federal agencies. Established formally in 2011 through an Office of Management and Budget (OMB) memorandum and codified in law by the FedRAMP Authorization Act (part of the National Defense Authorization Act for Fiscal Year 2023), FedRAMP embodies a 'do once, use many times' philosophy. Its intent is to reduce duplicative effort, drive consistent security, and accelerate the adoption of secure commercial cloud by federal departments and agencies.

For any Cloud Service Provider (CSP) that wishes to sell Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS) to the US federal market, a FedRAMP authorisation is effectively a market-entry requirement. For federal agencies, FedRAMP is mandatory whenever they procure or operate a cloud service that processes, stores, or transmits federal information. This guide provides an auditor-grade, end-to-end treatment of FedRAMP: what it is, who must comply, its control structure derived from NIST Special Publication 800-53, a master assessment checklist covering every control family, the phased path to authorisation, the continuous monitoring model, and how FedRAMP maps to adjacent frameworks such as ISO/IEC 27001, SOC 2, StateRAMP, and NIST 800-171.

Copyright and Source Note
FedRAMP programme documents (templates, baselines, guidance) are US Government works and are generally in the public domain. However, the underlying control catalogue is defined in NIST SP 800-53 (also a US Government work) and the assessment procedures in NIST SP 800-53A. This guide paraphrases and summarises those sources in original language for educational purposes; it does not reproduce copyrighted text and is not a substitute for the authoritative FedRAMP baselines, templates, and the current NIST catalogue. Always verify against fedramp.gov and the FedRAMP Marketplace before relying on any control identifier or requirement.

What is FedRAMP

FedRAMP is a compliance and authorisation programme, not a standalone control catalogue. It layers a federal governance and process wrapper on top of the NIST Risk Management Framework (RMF) and the NIST SP 800-53 control catalogue. In practice, FedRAMP takes the FIPS 199 impact levels (Low, Moderate, High), selects a tailored baseline of NIST 800-53 controls for each level, adds FedRAMP-specific parameters and additional controls, and defines the process by which a CSP is assessed by an independent Third Party Assessment Organisation (3PAO) and then authorised.

There are two principal authorisation paths. The first is the Agency Authorisation path (formerly called Agency ATO), where a specific federal agency reviews the CSP's security package and its Authorising Official (AO) issues an Authority to Operate (ATO), which other agencies may then reuse. The second is the JAB path historically operated by the Joint Authorization Board; under the FedRAMP Authorization Act the JAB has been superseded by a FedRAMP Board, and the programme has moved toward a single authorisation model with agency sponsorship. FedRAMP also defines a lighter-weight FedRAMP Tailored baseline (often called Li-SaaS, Low-impact SaaS) for low-risk, low-impact SaaS applications.

The deliverable at the heart of every FedRAMP engagement is the Security Assessment Package: principally the System Security Plan (SSP) with its attachments, the Security Assessment Plan (SAP), the Security Assessment Report (SAR) produced by the 3PAO, and the Plan of Action and Milestones (POA&M). After authorisation, the CSP must maintain the authorisation through Continuous Monitoring (ConMon), submitting monthly deliverables and undergoing an annual assessment.

Key FedRAMP Terminology

TermMeaning
CSPCloud Service Provider — the organisation offering the cloud service (SaaS/PaaS/IaaS) seeking authorisation.
CSOCloud Service Offering — the specific product/boundary being authorised.
3PAOThird Party Assessment Organisation — an accredited, independent assessor that performs the security assessment.
AOAuthorising Official — the federal official who accepts residual risk and grants the ATO.
ATOAuthority to Operate — the formal authorisation decision permitting federal use.
P-ATOProvisional ATO — historically issued by the JAB; being phased out under the new model.
SSPSystem Security Plan — the core document describing the system, boundary, and control implementation.
SARSecurity Assessment Report — the 3PAO's findings from testing the controls.
POA&MPlan of Action and Milestones — the tracked register of open weaknesses and remediation plans.
ConMonContinuous Monitoring — ongoing monthly/annual maintenance of the authorisation.
FIPS 199Standard used to categorise the system impact level (Low/Moderate/High).
A2LA / accreditationAmerican Association for Laboratory Accreditation, which accredits 3PAOs against ISO/IEC 17020.

Who Must Comply with FedRAMP

FedRAMP applies to cloud services in the federal ecosystem. Compliance obligations fall on different parties depending on their role. The following table clarifies who is in scope and why.

PartyApplicability / Obligation
Cloud Service Providers (CSPs) selling to US federal agenciesMandatory. Any CSP whose SaaS/PaaS/IaaS processes, stores, or transmits federal data must obtain and maintain a FedRAMP authorisation at the appropriate impact level.
US Federal Executive Branch agenciesMandatory. Agencies must use FedRAMP-authorised cloud services and must not operate unauthorised cloud offerings for federal information; agencies act as authorising sponsors.
Independent SaaS vendors seeking federal contractsMandatory in practice. FedRAMP authorisation (or an in-process listing on the Marketplace) is typically a prerequisite in federal RFPs and contracts.
Systems integrators and managed service providers hosting federal workloadsIn scope where they deliver a cloud service or leverage/inherit controls; must document inherited controls and shared responsibility.
Sub-service providers / underlying IaaS-PaaS (e.g., the CSP's hosting platform)Indirectly in scope. The authorised CSO must run on a FedRAMP-authorised infrastructure or fully document and assess the underlying stack; leveraged authorisations are documented in the SSP.
US State, local, tribal, and education entitiesNot directly bound by FedRAMP (they often use StateRAMP or TX-RAMP), but many reference FedRAMP baselines.
Department of Defense (DoD) cloud consumersFedRAMP is the baseline, but DoD adds DoD Cloud Computing SRG impact levels (IL2/IL4/IL5/IL6) and additional controls beyond FedRAMP.
  • Trigger for applicability: the cloud service handles federal information (any data an agency creates, collects, processes, stores, or transmits).
  • Impact level drives the baseline: FIPS 199 categorisation of confidentiality, integrity, and availability determines Low, Moderate, or High.
  • Most SaaS applications targeting federal buyers pursue the Moderate baseline, as it covers the majority of Controlled Unclassified Information (CUI) use cases.
  • High baseline is required for law enforcement, emergency services, financial, and health data where a breach could have severe or catastrophic impact.

Structure of FedRAMP: Impact Levels, Control Families, and Baselines

FedRAMP inherits the structure of NIST SP 800-53. Controls are organised into control families (each identified by a two-letter code such as AC for Access Control). FedRAMP defines security control baselines — pre-selected and parameterised sets of controls — for each FIPS 199 impact level. The number of controls grows with impact level. The FedRAMP baselines are periodically re-baselined as NIST revises SP 800-53 (the current baselines are aligned to NIST SP 800-53 Revision 5).

FedRAMP Impact Levels and Baseline Sizes

Impact LevelFIPS 199 BasisTypical Data / Use CaseApproximate Control Count (Rev 5)
Low (Li-SaaS / Tailored)Loss has limited adverse effectLow-risk SaaS, collaboration tools, public-facing services~125 (Li-SaaS is a tailored subset, ~ fewer)
LowLoss has limited adverse effectLow-sensitivity federal data~156
ModerateLoss has serious adverse effectMost CUI; the majority of federal SaaS~323
HighLoss has severe or catastrophic effectLaw enforcement, emergency, financial, health, high-value assets~410

The NIST SP 800-53 Control Families Adopted by FedRAMP

FedRAMP baselines draw from the twenty control families below. Rev 5 introduced Supply Chain Risk Management (SR) and PII Processing and Transparency (PT). Not every family is fully populated at every impact level, but all are represented at Moderate and High.

Family CodeFamily NameFocus Area
ACAccess ControlAccount management, least privilege, remote access, session control
ATAwareness and TrainingSecurity awareness, role-based training, records
AUAudit and AccountabilityEvent logging, log content, review, retention, time stamps
CAAssessment, Authorisation, and MonitoringControl assessment, interconnections, POA&M, ConMon, penetration testing
CMConfiguration ManagementBaseline configuration, change control, least functionality, inventory
CPContingency PlanningBackups, alternate sites, disaster recovery, testing
IAIdentification and AuthenticationMFA, credential management, identity proofing, cryptographic auth
IRIncident ResponseHandling, reporting, testing, incident tracking
MAMaintenanceControlled/remote maintenance, tools, personnel
MPMedia ProtectionMedia access, marking, storage, transport, sanitisation
PEPhysical and Environmental ProtectionFacility access, power, fire, temperature, data-centre controls
PLPlanningSystem security/privacy plans, rules of behaviour, architecture
PSPersonnel SecurityScreening, termination, transfer, access agreements
PTPII Processing and TransparencyConsent, purpose specification, privacy notices (Rev 5)
RARisk AssessmentCategorisation, risk assessment, vulnerability scanning
SASystem and Services AcquisitionSDLC, developer security, external services, supply chain
SCSystem and Communications ProtectionBoundary protection, encryption, cryptographic key management
SISystem and Information IntegrityFlaw remediation, malware, monitoring, spam, error handling
SRSupply Chain Risk ManagementSupply chain plan, provenance, component authenticity (Rev 5)
PMProgram ManagementOrganisation-wide programme controls (largely inherited/agency-level)

Master Assessment Checklist: Every Control Family

This is the operational core of the guide. For each NIST 800-53 control family adopted by FedRAMP, the tables below enumerate what an assessor (3PAO) verifies and the typical evidence a CSP must produce. Findings feed the Security Assessment Report and any residual weaknesses feed the POA&M. Control identifiers (e.g., AC-2) reference the NIST catalogue as implemented by the FedRAMP baseline; parameter values (frequencies, thresholds) are set by FedRAMP-specific assignments.

AC — Access Control

What to verifyTypical evidence
AC-2 Account management: provisioning, review, and disabling of accounts with defined lifecycleAccount management procedure, joiner/mover/leaver records, periodic account review reports, automated disable evidence
AC-3 Enforcement of approved authorisations for logical accessRole/permission matrix, access control policy configuration, RBAC/ABAC export
AC-6 Least privilege including privileged account restriction and reviewPrivileged account inventory, just-in-time access records, quarterly least-privilege review
AC-7 Unsuccessful logon attempt lockout thresholdsAuthentication configuration showing lockout after defined attempts
AC-11 Session lock after inactivity; AC-12 session terminationSession timeout configuration, screenshots, policy
AC-17 Remote access authorised, monitored, and encryptedVPN/bastion configuration, remote access authorisation list, encryption settings
AC-4 Information flow enforcement between security domainsNetwork segmentation diagrams, firewall/security group rules, data flow matrix

AT — Awareness and Training

What to verifyTypical evidence
AT-2 Security and privacy awareness training on hire and annually, including insider-threat awarenessTraining completion records, LMS reports, course content, sign-off
AT-3 Role-based training for personnel with significant security responsibilitiesRole-based curriculum, completion logs for admins/developers
AT-4 Retention of training recordsArchived training records covering the retention period

AU — Audit and Accountability

What to verifyTypical evidence
AU-2 Auditable events defined and coordinated across the systemAudit policy, list of logged event types, log source inventory
AU-3 Audit records capture required content (who, what, when, where, outcome)Sample log records, log schema documentation
AU-6 Audit review, analysis, and reporting for indications of inappropriate activitySIEM correlation rules, log review cadence records, alert tickets
AU-8 Time stamps synchronised to an authoritative sourceNTP configuration, time-source documentation
AU-9 Protection of audit information from unauthorised access/modificationLog access controls, immutable/WORM storage configuration
AU-11 Audit record retention per FedRAMP parameters (minimum online and archived periods)Retention policy, storage configuration proving retention duration

CA — Assessment, Authorisation, and Monitoring

What to verifyTypical evidence
CA-2 Independent control assessment by an accredited 3PAO3PAO accreditation, Security Assessment Plan, Security Assessment Report
CA-3 Authorised system interconnections and external service agreementsInterconnection Security Agreements, MOUs, external service inventory
CA-5 POA&M maintained and current with milestones and statusPOA&M workbook, remediation tracking, monthly updates
CA-6 Authorisation (ATO) granted and maintained by the AOSigned ATO letter, authorisation decision documentation
CA-7 Continuous monitoring strategy with defined metrics and frequenciesConMon plan, monthly deliverable submissions, metrics dashboards
CA-8 Penetration testing performed per FedRAMP penetration test guidancePenetration test plan and report following the six mandatory attack vectors

CM — Configuration Management

What to verifyTypical evidence
CM-2 Baseline configuration documented and maintainedConfiguration baselines, IaC templates, hardening baselines
CM-3 Configuration change control with impact analysis and approvalChange tickets, CAB minutes, change control procedure
CM-6 Configuration settings enforce approved hardening (e.g., USGCB/DISA STIG/CIS)Benchmark scan results, deviation register, hardening guides
CM-7 Least functionality — disabling unnecessary ports, protocols, servicesPort/service inventory, deny-by-default configuration
CM-8 System component inventory kept accurate and currentAsset inventory export, CMDB, automated discovery reports
CM-10/CM-11 Software usage and user-installed software restrictionsSoftware allow-list policy, endpoint control configuration

CP — Contingency Planning

What to verifyTypical evidence
CP-2 Contingency plan defining roles, RTO/RPO, and recovery activitiesApproved contingency plan, business impact analysis
CP-4 Contingency plan tested at defined frequencyTest/exercise reports, after-action reviews, lessons learned
CP-6/CP-7 Alternate storage and processing sites with adequate separationRegion/AZ architecture, failover documentation
CP-9 System backups performed, protected, and validatedBackup schedules, backup success logs, restoration test evidence
CP-10 System recovery and reconstitution capabilityDR runbooks, recovery test results

IA — Identification and Authentication

What to verifyTypical evidence
IA-2 Multi-factor authentication for privileged and non-privileged accessMFA configuration, FIDO2/PIV/phishing-resistant MFA evidence
IA-2 Federated/PIV-compatible authentication where requiredIdentity provider configuration, SSO/SAML/OIDC settings
IA-4 Identifier management preventing reuse and enforcing uniquenessIdentity lifecycle procedure, identifier assignment records
IA-5 Authenticator management: password policy, key/certificate handlingPassword policy, cryptographic key inventory, credential rotation logs
IA-5(1) Password complexity and strength aligned to NIST SP 800-63Authentication policy configuration, 800-63 alignment note
IA-8 Identification and authentication of non-organisational usersExternal/customer authentication configuration

IR — Incident Response

What to verifyTypical evidence
IR-1/IR-8 Incident response policy and planApproved IR plan, IR policy, contact roster
IR-4 Incident handling: detection, analysis, containment, eradication, recoveryIR runbooks, incident tickets, timeline records
IR-6 Incident reporting to US-CERT/CISA and the agency within required timeframesReporting procedure referencing US-CERT/CISA one-hour timelines, sample reports
IR-3 Incident response testing/exercisesTabletop exercise reports, simulation results
IR-5 Incident tracking and metricsIncident register, trend analysis, MTTR metrics

MA — Maintenance

What to verifyTypical evidence
MA-2 Controlled maintenance with approval and recordsMaintenance logs, approval records
MA-4 Non-local (remote) maintenance authorised, monitored, and encryptedRemote maintenance session logs, MFA evidence
MA-5 Maintenance personnel authorisation and escort where unclearedPersonnel authorisation list, escort procedures
MA-3 Maintenance tools controlled and inspectedTool inventory, inspection records

MP — Media Protection

What to verifyTypical evidence
MP-2 Media access restricted to authorised personnelAccess control lists, media handling policy
MP-4 Media storage protected physically and cryptographicallyEncryption at rest configuration, storage controls
MP-6 Media sanitisation and disposal prior to reuse/disposalSanitisation records, certificates of destruction, crypto-erase logs
MP-5 Media transport protection and accountabilityTransport procedures, chain-of-custody records

PE — Physical and Environmental Protection

What to verifyTypical evidence
PE-2/PE-3 Physical access authorisations and enforcement at data centresData-centre access lists, badge logs, SOC 2/ISO attestations from the IaaS provider
PE-6 Monitoring of physical accessCCTV/monitoring records, access review reports
PE-13 Fire protection and suppressionFacility attestations, inspection certificates
PE-14 Temperature and humidity controlsEnvironmental monitoring reports
PE-11 Emergency power (UPS/generator)Power redundancy documentation, test records

PL — Planning

What to verifyTypical evidence
PL-2 System Security Plan documented, approved, and currentSigned SSP with all attachments and control implementation summaries
PL-4 Rules of behaviour established and acknowledgedSigned rules-of-behaviour/acceptable-use acknowledgements
PL-8 Security and privacy architecture documentedArchitecture diagrams, boundary diagram, data flow diagrams
PL-10/PL-11 Baseline and tailoring selection recordedControl selection/tailoring workbook

PS — Personnel Security

What to verifyTypical evidence
PS-2 Position risk designations assignedPosition risk designation records
PS-3 Personnel screening/background checks commensurate with riskBackground-check completion records (redacted), screening policy
PS-4 Personnel termination — access revocation on exitOffboarding checklists, access-revocation logs
PS-5 Personnel transfer access re-evaluationTransfer records, access change tickets
PS-6 Access agreements signedSigned NDAs and access agreements
PS-7 Third-party personnel security requirementsContractor security clauses, vendor screening evidence

PT — PII Processing and Transparency

What to verifyTypical evidence
PT-2 Authority to process PII establishedPrivacy authority documentation, Privacy Impact Assessment
PT-3 Purpose specification for PII processingPurpose/use documentation, data inventory
PT-4/PT-5 Consent and privacy notices providedPrivacy notice, consent records/mechanisms
PT-6 System of records notice where applicable (Privacy Act)SORN references, PIA

RA — Risk Assessment

What to verifyTypical evidence
RA-2 FIPS 199 security categorisation performedCategorisation worksheet, impact-level determination
RA-3 Risk assessment conducted and updatedRisk assessment report, risk register
RA-5 Vulnerability scanning of OS, web, and database at required frequencyMonthly authenticated scan reports, scan configuration, remediation SLAs
RA-5 Scan findings remediated within FedRAMP timelines (High 30 / Moderate 90 / Low 180 days)Remediation tracking against timelines, POA&M entries
RA-7 Risk response decisions documentedRisk acceptance memos, deviation requests

SA — System and Services Acquisition

What to verifyTypical evidence
SA-3/SA-8 Secure system development life cycle and security engineering principlesSDLC policy, secure-design standards
SA-4 Security requirements included in acquisitionsProcurement security requirements, contract clauses
SA-9 External system services managed with defined roles and monitoringExternal services inventory, SLAs, shared responsibility matrix
SA-10/SA-11 Developer configuration management and security testingSAST/DAST reports, code review records, developer CM evidence
SA-22 Unsupported components identified and mitigatedEnd-of-life component register, mitigation plans

SC — System and Communications Protection

What to verifyTypical evidence
SC-7 Boundary protection with managed interfaces and deny-by-defaultFirewall/security group rules, boundary diagram, WAF configuration
SC-8 Transmission confidentiality and integrity (TLS/encryption in transit)TLS configuration, cipher suites, FIPS-validated modules
SC-12/SC-13 Cryptographic key management and FIPS 140-validated cryptographyFIPS 140-2/140-3 certificate references, KMS configuration, key rotation
SC-28 Protection of information at rest (encryption at rest)Encryption-at-rest configuration, key custody records
SC-7(3) Access points limited and load-balancedIngress architecture, access-point inventory
SC-5 Denial-of-service protectionDDoS protection configuration, provider attestations

SI — System and Information Integrity

What to verifyTypical evidence
SI-2 Flaw remediation and patch management within timelinesPatch management procedure, patch deployment logs, POA&M
SI-3 Malicious code protectionAnti-malware configuration, detection logs, update evidence
SI-4 System monitoring / intrusion detectionIDS/IPS configuration, SIEM alerts, monitoring architecture
SI-5 Security alerts and advisories acted uponAdvisory intake process, CISA alert handling records
SI-7 Software, firmware, and information integrity verificationFile integrity monitoring configuration and alerts
SI-10/SI-11 Input validation and error handlingSecure coding standards, validation test evidence

SR — Supply Chain Risk Management

What to verifyTypical evidence
SR-2 Supply chain risk management planSCRM plan, governance records
SR-3 Supply chain controls and processesSupplier assessment records, contractual security terms
SR-5 Acquisition strategies and tools to manage supply chain riskVendor risk assessments, tiering
SR-6 Supplier assessments and reviewsSupplier review reports, SBOM where applicable
SR-11 Component authenticity and anti-counterfeitProvenance checks, tamper controls

PM — Program Management (Organisation-Level)

What to verifyTypical evidence
PM-9 Risk management strategy defined at organisation levelEnterprise risk strategy documentation
PM-11 Mission/business process definition informing securityBusiness process and information-type documentation
PM-14 Testing, training, and monitoring planEnterprise T-T-M plan
PM-31 Continuous monitoring strategy (organisation-wide)Organisational ConMon strategy

Scoping the Authorisation Boundary

Correct scoping is the single most consequential decision in a FedRAMP engagement. The authorisation boundary defines everything that is assessed and authorised: the applications, infrastructure, data stores, supporting services, external connections, and the human and physical elements that process federal data. An overly broad boundary inflates cost and control burden; an overly narrow boundary risks a rejected package or an under-protected system.

  • Define the Cloud Service Offering precisely: which application, tiers, and functionality are being authorised.
  • Establish the FIPS 199 impact level first — it dictates the baseline and therefore the entire scope of controls.
  • Draw the authorisation boundary diagram showing all components, data flows, and every crossing of the boundary (ingress/egress).
  • Identify leveraged authorisations: the underlying IaaS/PaaS must itself be FedRAMP-authorised so the CSP can inherit those controls.
  • Document the shared responsibility model — which controls the CSP implements, which are inherited from the platform, which are customer responsibility, and which are hybrid.
  • Include all external services and interconnections (email, identity, monitoring, ticketing) and confirm each is authorised, in-scope, or covered by a signed agreement.
  • Explicitly list what is out of scope and justify exclusions; corporate/back-office systems must be excluded through segmentation, not by assertion.
  • Account for the full data lifecycle within the boundary: collection, processing, storage, transmission, backup, and disposal of federal data.
Boundary Pitfall
The most common cause of package rejection is a boundary that omits supporting services (such as logging, secrets management, CI/CD, or bastion hosts) that actually handle or can access federal data or credentials. If a service can touch federal data or the systems that process it, assume it is in the boundary until proven otherwise.

Implementation Approach: Phased Roadmap to Authorisation

A realistic FedRAMP journey for a Moderate SaaS typically spans nine to eighteen months. The following phased approach sequences the work so that expensive assessment activity is not wasted on an immature control environment.

Phase 1 — Readiness and Gap Assessment

  • Activities: secure federal agency sponsorship or plan the agency-authorisation path; perform FIPS 199 categorisation; conduct a gap assessment against the target baseline; optionally complete a FedRAMP Readiness Assessment Report (RAR) with a 3PAO.
  • Deliverables: impact-level determination, gap analysis report, remediation roadmap, RAR (for Marketplace 'In Process — Ready' designation).

Phase 2 — Boundary Definition and Architecture

  • Activities: finalise the authorisation boundary and data flow diagrams; select a FedRAMP-authorised underlying platform; design segmentation, encryption (FIPS 140-validated), and identity architecture; define the shared responsibility matrix.
  • Deliverables: authorisation boundary diagram, network and data flow diagrams, shared responsibility matrix, architecture decision records.

Phase 3 — Control Implementation and Documentation

  • Activities: implement or configure every applicable control; harden systems to CIS/DISA STIG benchmarks; stand up logging, vulnerability scanning, and continuous monitoring tooling; author the SSP with per-control implementation statements and all attachments (policies, IR plan, contingency plan, configuration management plan, incident response plan, rules of behaviour, PIA).
  • Deliverables: complete System Security Plan and all attachments, policies and procedures for every control family, evidence repository.

Phase 4 — Independent Assessment (3PAO)

  • Activities: engage an accredited 3PAO; the 3PAO produces a Security Assessment Plan; conduct control testing, vulnerability scanning validation, and penetration testing across the six required attack vectors; produce the Security Assessment Report.
  • Deliverables: Security Assessment Plan, penetration test report, Security Assessment Report, initial POA&M from findings.

Phase 5 — Authorisation Decision

  • Activities: assemble the full Security Assessment Package; the sponsoring agency's Authorising Official reviews the SSP, SAR, and POA&M and evaluates residual risk; remediate blocking findings; obtain the ATO and request Marketplace listing.
  • Deliverables: complete security authorisation package, signed ATO letter, FedRAMP Marketplace 'Authorised' designation.

Phase 6 — Continuous Monitoring and Sustainment

  • Activities: submit monthly ConMon deliverables (updated POA&M, vulnerability scan results, inventory); operate change control and significant-change requests; conduct the annual assessment; remediate vulnerabilities within FedRAMP timelines.
  • Deliverables: monthly ConMon packages, annual assessment report, deviation requests, updated SSP reflecting significant changes.

Continuous Monitoring Maturity / Capability Model

FedRAMP does not define a formal five-level maturity model in the way CMMC does; however, the continuous monitoring programme establishes an escalating expectation of capability. The following model expresses practical capability levels a CSP progresses through, useful for internal readiness scoring.

LevelCapability StateCharacteristics
1 — InitialAd hocControls documented on paper only; no automation; evidence gathered reactively; not ready for 3PAO.
2 — DocumentedRepeatableSSP complete; policies exist for all families; manual evidence; scanning performed but inconsistent.
3 — AssessedDefined3PAO assessment passed; POA&M managed; monthly ConMon operating; timelines occasionally missed.
4 — ManagedQuantitatively managedAutomated scanning and inventory; metrics-driven remediation within timelines; drift detection in place.
5 — OptimisedContinuous / near-real-timeContinuous control monitoring, automated evidence, integration with agency dashboards; supports OSCAL-based reporting and rapid significant-change handling.

Assessment and Audit Approach

The FedRAMP assessment is executed by an independent 3PAO following NIST SP 800-53A assessment procedures and FedRAMP-specific test cases. The steps below describe the end-to-end assessment lifecycle.

  1. Categorise the system using FIPS 199 to confirm the impact level and applicable baseline.
  2. Confirm 3PAO independence and accreditation (A2LA against ISO/IEC 17020 and FedRAMP requirements).
  3. Review the System Security Plan and all attachments for completeness and accuracy against the boundary.
  4. Develop the Security Assessment Plan defining scope, test cases, sampling, and the assessment schedule.
  5. Perform control testing using examine, interview, and test methods for each in-scope control.
  6. Conduct authenticated vulnerability scanning of operating systems, web applications, and databases; validate results.
  7. Perform penetration testing across the six mandatory attack vectors (external, internal, web application, network, social engineering, and mobile/API as applicable).
  8. Document findings, risk-rate each weakness, and record false positives, operational requirements, and risk adjustments.
  9. Produce the Security Assessment Report with the Risk Exposure Table and recommendations.
  10. Populate the initial POA&M with all open weaknesses, remediation plans, and milestones.
  11. Submit the complete package to the Authorising Official for the authorisation decision.
  12. Transition into continuous monitoring: monthly deliverables, annual assessment, and significant-change reviews.

Evidence Request List

The following categorised list represents the evidence a 3PAO and Authorising Official expect. Maintaining this in a living evidence repository dramatically reduces assessment friction.

  • Governance and documentation: System Security Plan, all attachments, policies and procedures for every control family, rules of behaviour, Privacy Impact Assessment.
  • Boundary and architecture: authorisation boundary diagram, network diagram, data flow diagrams, shared responsibility matrix, leveraged authorisation documentation.
  • Access control: account inventory, privileged account list, RBAC/permission matrices, account review records, MFA configuration.
  • Logging and monitoring: audit event definitions, sample logs, SIEM rules, log retention configuration, monitoring/IDS architecture.
  • Vulnerability and patch: monthly authenticated scan reports (OS/web/DB), remediation tracking, patch deployment logs, penetration test report.
  • Configuration management: hardening baselines, benchmark scan results, change tickets, CAB records, component inventory/CMDB.
  • Contingency and resilience: contingency plan, backup logs, restoration test results, DR exercise reports, RTO/RPO documentation.
  • Incident response: IR plan, incident register, US-CERT/CISA reporting procedure, tabletop exercise results.
  • Personnel and training: screening records (redacted), onboarding/offboarding logs, signed access agreements, training completion reports.
  • Cryptography and data protection: FIPS 140-validation certificates, TLS/cipher configuration, encryption-at-rest and key management evidence.
  • Supply chain and third parties: SCRM plan, vendor risk assessments, interconnection agreements, external service SLAs.
  • Continuous monitoring: ConMon plan, monthly deliverable submissions, POA&M history, deviation requests, significant-change request records.

Roles and Responsibilities

RoleResponsibility
Cloud Service Provider (CSP)Implements and operates controls, authors the SSP, remediates findings, and maintains continuous monitoring.
System / Information System OwnerAccountable within the CSP for the security posture and documentation of the CSO.
Third Party Assessment Organisation (3PAO)Independently assesses controls, performs scanning and penetration testing, and produces the SAR.
Authorising Official (AO)Federal official who reviews residual risk and grants or denies the ATO.
Sponsoring Agency / ISSOProvides sponsorship, reviews the package, and supports the authorisation and ConMon oversight.
FedRAMP PMO / FedRAMP BoardAdministers the programme, maintains baselines and templates, and governs the Marketplace.
CISO / Security Team (CSP)Owns the control environment, policies, incident response, and vulnerability management.
DevOps / EngineeringImplements technical controls, hardening, automation, and remediation.
Privacy OfficerOwns PII processing controls, PIA, and privacy notices.
Third-party suppliers / IaaS providerProvide inherited controls and attestations documented via shared responsibility.

KPIs to Track

  • Percentage of applicable controls fully implemented versus planned/partial.
  • Number of open POA&M items by severity (High/Moderate/Low) and ageing beyond remediation timelines.
  • Mean time to remediate vulnerabilities against FedRAMP SLAs (High 30 / Moderate 90 / Low 180 days).
  • On-time submission rate for monthly continuous monitoring deliverables.
  • Vulnerability scan coverage — percentage of in-scope assets scanned (authenticated) each cycle.
  • Percentage of assets deviating from the approved hardening baseline (configuration drift).
  • Incident detection and response metrics: mean time to detect and mean time to respond; reporting within required timeframes.
  • Privileged access review completion rate and count of stale/orphaned accounts.
  • Change management: percentage of changes following approved change control; significant-change requests submitted on time.
  • Annual assessment findings trend versus prior year (net-new versus recurring weaknesses).

Readiness Checklist

  • FIPS 199 categorisation completed and impact level (Low/Moderate/High) confirmed.
  • Agency sponsorship secured or agency-authorisation path defined.
  • Authorisation boundary and data flow diagrams finalised and validated.
  • Underlying platform confirmed FedRAMP-authorised and leveraged controls documented.
  • Shared responsibility matrix completed for all applicable controls.
  • System Security Plan and every attachment drafted with per-control implementation statements.
  • Policies and procedures exist for all in-scope control families.
  • FIPS 140-validated cryptography in use for data in transit and at rest.
  • Multi-factor authentication enforced for all privileged and non-privileged access.
  • Authenticated vulnerability scanning operational for OS, web, and database.
  • Centralised logging, SIEM monitoring, and required log retention configured.
  • Contingency plan and backups tested with documented restoration.
  • Incident response plan tested and US-CERT/CISA reporting procedure defined.
  • Accredited 3PAO engaged and Security Assessment Plan agreed.
  • POA&M process and continuous monitoring tooling stood up ahead of authorisation.

Common Gaps

  • Authorisation boundary omits supporting services (logging, secrets, CI/CD, bastion) that can access federal data.
  • Use of non-FIPS 140-validated cryptographic modules for encryption in transit or at rest.
  • Incomplete or inconsistent SSP control implementation statements that do not match the actual configuration.
  • Vulnerability remediation exceeding FedRAMP timelines with weak POA&M justification.
  • Authenticated scanning gaps — unauthenticated scans or assets excluded from scan scope.
  • Weak least-privilege enforcement and stale privileged accounts.
  • Inherited controls asserted without evidence or a signed shared responsibility matrix.
  • Continuous monitoring deliverables submitted late or incomplete after authorisation.
  • Significant changes deployed without a significant-change request or re-assessment.
  • Inadequate penetration testing that does not cover all six required attack vectors.
  • Contingency and incident response plans documented but never exercised.
  • Supply chain risk management (SR family) treated superficially with no supplier assessments.

FedRAMP Mapped to Other Frameworks

FrameworkRelationship to FedRAMPNotes
NIST SP 800-53 Rev 5FoundationFedRAMP baselines are tailored subsets of the 800-53 catalogue with FedRAMP-specific parameters.
NIST SP 800-171 / CMMCAdjacent CUI protection800-171 protects CUI in non-federal systems; controls overlap heavily but FedRAMP is for cloud services, CMMC for the DIB supply chain.
ISO/IEC 27001ComplementaryStrong management-system and control overlap; a mapping crosswalk reduces effort, but ISO alone does not satisfy FedRAMP.
SOC 2 (Trust Services Criteria)ComplementaryMany SOC 2 controls overlap with FedRAMP; SOC 2 reports can supply evidence but are not a substitute for authorisation.
StateRAMP / TX-RAMPSibling programmesModelled on FedRAMP for US state/local government; leverage similar baselines and 3PAO assessments.
DoD Cloud Computing SRG (IL2-IL6)Superset for DoDBuilds on FedRAMP Moderate/High and adds DoD-specific controls and impact levels.
FIPS 199 / FIPS 200Categorisation and minimum requirementsDefine impact levels and minimum security requirements that drive the FedRAMP baseline selection.
CIS Benchmarks / DISA STIGConfiguration hardeningProvide the concrete settings that satisfy CM configuration controls.
HIPAA / HITRUSTSector overlapFor health data, HIPAA and HITRUST controls overlap with FedRAMP High; not interchangeable.
OSCALMachine-readable formatFedRAMP is adopting OSCAL for SSP/SAP/SAR/POA&M to automate package exchange and ConMon.
How CyberSigma Helps
CyberSigma guides Cloud Service Providers through the entire FedRAMP lifecycle — from FIPS 199 categorisation and authorisation-boundary design to gap assessment, SSP and full documentation authoring, control implementation and hardening, 3PAO readiness, and continuous monitoring operations. As a CERT-In empanelled auditor and PCI QSA practice with deep NIST 800-53 expertise, we help you avoid the boundary, cryptography, and evidence pitfalls that cause package rejection, and we build the automation and POA&M discipline needed to sustain your Authority to Operate. Whether you are targeting Low, Moderate, or High, or aligning FedRAMP with ISO 27001, SOC 2, and CMMC, CyberSigma delivers an audit-ready, defensible path to federal cloud authorisation.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Is FedRAMP the same as NIST 800-53?
FedRAMP uses NIST 800-53 baselines but adds a specific assessment, authorisation and continuous-monitoring programme for cloud services used by the US government.
Official documents

Need help with FedRAMP?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.