What is FedRAMP (Federal Risk and Authorization Management Program)?
The US federal government's standardized program for cloud security authorization. It enables federal agencies to use cloud services that have been pre-vetted against NIST SP 800-53 controls. Authorization levels: Low, Moderate, High. FedRAMP High is the most rigorous and is required for systems handling controlled unclassified information (CUI).
Full explanation
FedRAMP authorization is required for any cloud service used by US federal agencies. The process is multi-year: select a sponsoring agency, complete a NIST SP 800-53 control mapping, undergo a Third Party Assessment Organization (3PAO) audit, address findings, and receive an Authority to Operate (ATO). Costs typically run $500K-$2M for FedRAMP Moderate and $2M-$5M for FedRAMP High. Higher-classification levels (IL4, IL5, IL6) layer additional DoD requirements on top. The 'FedRAMP Marketplace' lists every authorized service.
Example
A SaaS vendor wins a federal civilian agency deal contingent on FedRAMP Moderate authorization. They secure a sponsoring agency partner, complete the SSP (System Security Plan), engage a 3PAO, and target ATO within 18 months. During that time they cannot serve federal agencies; once ATO is granted, they are listed in the FedRAMP Marketplace and visible to every other federal agency.
FAQ
Do I need FedRAMP if I sell to enterprises only?
No. FedRAMP applies only to US federal-government customers. State/local government may follow StateRAMP (a parallel state-level program). Commercial enterprise customers typically rely on SOC 2 + ISO 27001 instead.
How does FedRAMP relate to IL4/IL5/IL6?
DoD Impact Levels (IL2/IL4/IL5/IL6) layer DoD-specific requirements on top of FedRAMP authorization. IL2 is roughly equivalent to FedRAMP Moderate. IL4 covers CUI. IL5 covers sensitive non-classified DoD data. IL6 is for data classified Secret. Each step up adds personnel-clearance, data-residency, and additional control requirements.