The ultimate guide to FedRAMP: A requirements guide for authorization

Originally published November 18, 2022. Updated September 5, 2025.

‍

If you want to do business with federal entities, FedRAMP authorization is something to consider. Here’s everything you need to get started on your FedRAMP journey. 

‍

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a standardized way for federal agencies to vet and approve cloud service providers before engaging in partnerships or business deals. Every U.S. federal agency can only use cloud services that are FedRAMP authorized.

‍

FedRAMP includes an extensive list of security controls and continuous monitoring requirements. If your cloud service is FedRAMP authorized, it reassures federal agencies that you have security best practices in place to keep their critical information safe.

‍

FedRAMP was established through collaboration between the General Services Administration (GSA), the Department of Homeland Security (DHS), and the Department of Defense (DoD).

‍

Who needs to be FedRAMP compliant?

While FedRAMP is a government standard, it is not a law. No organization is legally required to be FedRAMP authorized. However, the easiest path for cloud service providers to begin working with federal agencies is through FedRAMP authorization.

‍

FedRAMP applies exclusively to cloud service providers—organizations that sell cloud-based services or SaaS services. If you offer a cloud service and would like to take on federal agencies as clients, FedRAMP compliance opens that door.

‍

Benefits of FedRAMP authorization

Is it worth your investment to become FedRAMP authorized? There are two primary benefits that this authorization can provide:

‍

Expanded business opportunities

The most direct benefit of FedRAMP authorization is that it allows you to be eligible for federal contracts. Of course, it doesn’t guarantee those contracts, but you will not be considered without it. Depending on the circumstances and the product or service you provide, a single federal agency contract could be worth millions.

‍

High levels of cloud security

‍

Adhering to FedRAMP’s security requirements can be beneficial even if you don’t receive contracts with federal agencies. It can strengthen your cloud security and also make you a more desirable candidate for other clients.

‍

Understandably, the federal government deals with extremely sensitive data. The standards for data security in cloud systems are very high. If a client sees that you are FedRAMP authorized, even if they’re simply a private business or NGO, they will know that you have highly sophisticated and mature security—an incredibly powerful selling point.

‍

{{cta_withimage22="/cta-blocks"}}

‍

Steps to achieve FedRAMP authorization requirements 

Interested in becoming FedRAMP authorized? Here’s a quick overview of the process.

‍

Step 1: Consider a FedRAMP Readiness Assessment (optional)

Step 2: Secure an agency sponsor and categorize your system

Step 3: Conduct pre-authorization planning

Step 4: Undergo a full initial security assessment by your 3PAO

Step 5: Create a Plan of Action and Milestones (POA&M)

Step 6: Undergo agency authorization and PMO review

Step 7: Implement continuous monitoring and prepare for ongoing annual assessments

‍

Step 1: Consider a FedRAMP readiness assessment report (optional)

Although optional, many cloud service providers begin with a readiness assessment report (RAR). Conducted by a FedRAMP-accredited third-party assessment organization (3PAO), the RAR acts as a “health check” to determine whether your system is prepared for the full authorization process.

‍

During this step, the 3PAO evaluates your security posture against baseline controls and identifies gaps. The report is reviewed by the FedRAMP Program Management Office (PMO). If approved, your service can be listed as “FedRAMP Ready” on the FedRAMP Marketplace—signaling to agencies that you’re a credible candidate actively pursuing authorization.

‍

Step 2: Secure an agency sponsor and categorize your system

The first required milestones in the FedRAMP journey are securing an agency sponsor and determining your system’s impact level—two prerequisites for moving forward in the authorization process.

‍

Agency sponsors

Without a federal agency sponsor, you cannot move forward in the authorization process. Sometimes, a federal agency will approach your organization and request that you pursue FedRAMP authorization so they can use your service. Other times, you may choose to proactively pursue FedRAMP authorization with an agency to secure them as a customer. 

‍

Once a sponsor agrees to back you, you’ll formally submit an in-process request (IPR) package to the FedRAMP PMO. This signals to the PMO that you’re actively working toward authorization. Your IPR will include things like a project plan and a work-breakdown structure (WBS). A WBS is a timeline with milestones for the authorization process.

‍

System categorization

Next comes system categorization, following the Federal Information Processing Standard (FIPS) 199. Here, you’ll evaluate the potential impact of a data breach on confidentiality, integrity, and availability, and determine whether your system should be classified as Tailored Low-Impact Software as a Service (LI-SaaS), Low, Moderate, or High impact according to FedRAMP’s security baselines. 

‍

A LI-SaaS, Low, Moderate, or High classification sets the stage for the process moving forward, with higher classifications usually requiring more controls, testing, collaboration, and time to authorization. While your organization makes the initial LI-SaaS, Low, Moderate, or High designation, it’s up to your agency sponsor to validate your recommendation. 

‍

To prepare, most providers assemble key artifacts such as a high-level system architecture diagram, data flow diagrams, and a roles-and-responsibilities matrix. 

‍

If the PMO accepts your IPR package, your service will be listed—with its LI-SaaS, Low, Moderate, or High designation—as “In Process” on the FedRAMP Marketplace.

‍

Step 3: Conduct pre-authorization planning

The goal of pre-authorization planning is to make sure your system, documentation, and team are fully prepared before formal security testing begins. Done well, pre-authorization planning can reduce rework, shorten the formal assessment, and improve your odds of passing on the first try.

‍

Think of planning in three stages:

• Build your core documentation: Your system security plan (SSP) is the centerpiece of FedRAMP authorization—this is when you should draft it in detail. Your SSP explains how your system meets each FedRAMP control. During this stage, you’ll also prepare supporting materials such as a security assessment plan (SAP), boundary diagrams, and required attachments, like FedRAMP’s Attachment 12.
• Align with your sponsor and 3PAO: Before testing begins, you’ll meet with your agency sponsor and 3PAO to discuss things like scope confirmation, remediation schedules, and test logistics. 
• Close any gaps before testing: It’s common to go through multiple iterations of gap analysis and fixes before moving into a formal assessment. This prework helps minimize costly delays later.

‍

Step 4: Undergo a full initial security assessment by your 3PAO

Next, it’s time to prove your security posture. Your 3PAO will formally test your system against FedRAMP security requirements and generate an official evidence package that your agency sponsor will use to decide whether to grant your Authority to Operate (ATO).

‍

In practice, your 3PAO will execute your SAP (from your pre-authorization planning) and perform a rigorous review of your system, including technical testing like pen testing, vulnerability scanning, and configuration reviews. 

‍

The outcome is a security assessment report (SAR), which documents strengths, weaknesses, and any residual risks. Any identified defects must be retested within a specified window, and remediation plans need to be documented. 

‍

Step 5: Create a plan of action and milestones (POA&M)

Every weakness identified in the SAR is tracked in a plan of action and milestones (POAM or POA&M). This document includes a description of the issue, severity, remediation plan, responsible party, and due date. 

‍

You should address any “high” findings first, as FedRAMP has prescriptive timelines: High vulnerabilities must be remediated within 30 days, moderate within 90 days, and low within 180 days.

‍

Best practice is to use the POA&M as a living document—integrated into your ops tools, updated continuously, and backed with evidence—that your sponsoring agency and the FedRAMP PMO can review during and after authorization to ensure continuous progress.

‍

Without a credible, actively managed POA&M, you can’t move on to authorization. 

‍

Step 6: Undergo agency authorization and PMO review

This is the decision point where your sponsoring agency and the FedRAMP PMO decide if your system is secure enough to be granted authorization. You’ll package all security evidence and risk data into a final authorization package that includes: 

• Your updated SSP
• The SAR from the 3PAO
• Your POA&M
• Penetration testing results
• Letters of attestation for agency review 

The sponsoring agency conducts a risk analysis, may request additional fixes, and—if satisfied—issues an ATO letter.

‍

After the agency grants authorization, the FedRAMP PMO performs a final review and, once approved, adds your service to the FedRAMP Marketplace. At this point, you are officially FedRAMP authorized.

‍

Step 7: Implement continuous monitoring and prepare for ongoing annual assessments 

Authorization is not a one-time event. To maintain status, you must implement continuous monitoring practices. These include:

• Monthly: vulnerability scans and POA&M updates
• Quarterly: reviews for significant changes to your system
• Annual: reassessments and penetration testing
• Ongoing: incident reporting to agencies within required timeframes

‍

Agencies and the PMO track compliance using metrics such as scan results, overdue POA&M items, and vulnerability trends. Many providers leverage automation tools to streamline reporting and reduce manual overhead.

‍

FedRAMP impact levels and control categories

FedRAMP authorization requirements differ depending on your impact level. These levels are based on the sensitivity of data handled and the potential consequences if that data is compromised.

‍

LI-SaaS controls

Tailored LI-SaaS is designed for cloud services that pose very limited risk and only handle publicly available or minimally sensitive data. The baseline reduces the full set of Low controls to a smaller, more practical subset focused on access, incident response, and system availability. This streamlined path lowers the compliance burden and accelerates authorization, making it ideal for lightweight SaaS tools entering the federal market.

‍

Low impact controls

Low-impact organizations handle only public or minimally sensitive data, meaning a breach would pose little risk. Examples include public-facing marketing websites, knowledge bases, or dashboards that don’t expose sensitive information. These systems must still meet FedRAMP Low baseline requirements but face fewer controls and a shorter authorization timeline.

‍

Moderate impact controls

The Moderate baseline is the most common in FedRAMP, and most SaaS providers seeking federal clients pursue FedRAMP Moderate controls. Organizations at this level process controlled unclassified information (CUI), employee personally identifiable information (PII), or mission-critical data where loss could cause operational disruption. With more than 320 controls under FedRAMP Rev 5, the Moderate path is rigorous but achievable. 

‍

High impact controls

High-impact systems support the nation’s most sensitive workloads—law enforcement databases, electronic health records, or emergency response infrastructure. FedRAMP High requires the full set of 410 controls, with stricter requirements around encryption, auditing, and monitoring. Pursuing FedRAMP High authorization (sometimes called FedRAMP High certification) often takes a year or more, given the depth of testing and remediation needed.

‍

* Control counts are taken from FedRAMP’s official Rev 5 baseline summary.
** FedRAMP publishes no fixed timeline for Moderate and High; times shown reflect the PMO’s own phase descriptions plus published review statistics for Low.

‍

Maintaining FedRAMP compliance

Authorization is only the beginning. To stay compliant, providers must demonstrate ongoing adherence to FedRAMP’s strict standards. This means meeting FedRAMP compliance requirements through vulnerability scanning, incident response, and annual audits.

‍

Vulnerability scanning and reporting

FedRAMP mandates monthly vulnerability scans. Any findings must be addressed within specific timeframes: high vulnerabilities in 30 days, medium in 90 days, and low in 180 days. Missed deadlines show up in your POA&M, which agencies actively monitor. Automating scans and remediation tracking can help you make sure nothing slips through the cracks.

‍

Incident response and communication

If a security incident occurs, you must notify all affected agencies promptly—typically within one hour of discovery. Your incident response plan should include clear communication channels, containment strategies, and documented lessons learned. Mishandling an incident can jeopardize your authorization status.

‍

Audits

Annual FedRAMP audits—carried out by your 3PAO—validate that your processes, controls, and monitoring remain effective. Consistency in these audits is what keeps your FedRAMP compliance intact. Annual audits in this continuous monitoring phase consist of a subset of controls and do not require a full assessment.

‍

Streamline your FedRAMP authorization process with Vanta

Vanta can guide you through FedRAMP with streamlined documentation, custom control creation, continuous monitoring, and instant alerts all in one place. Schedule a Vanta demo today to learn more.

‍

{{cta_simple39="/cta-blocks"}}

FAQs

What is the difference between FedRAMP and NIST?‍

NIST security standards serve as the basis for FedRAMP, specifically NIST 800-53. FedRAMP adapts the security requirements of NIST 800-53 for cloud-based services and applies them to third-party cloud service providers. NIST compliance and FedRAMP authorization are two different processes, and each one must be pursued separately.

‍

Is JAB still a path for FedRAMP authorization?

Yes, but it’s limited. The Joint Authorization Board (JAB) path is reserved for cloud services with broad government demand.

‍

Is FedRAMP for cloud only?

Yes. FedRAMP only applies to cloud-based systems and services, including software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). On-premise software and non-cloud products are outside the program’s scope.

‍

How can I see if a company is FedRAMP authorized?

You can search the official FedRAMP Marketplace. It lists all providers with Ready, In Process, or Authorized designations, along with details about their impact level and sponsoring agency.

‍

What is the FedRAMP 20x pilot?

The FedRAMP 20x pilot is an initiative to dramatically shorten the authorization review queue for Low-impact systems. It allows some providers to complete Marketplace review in under five weeks, compared to the typical four to six months. Vanta became FedRAMP Low authorized under the pilot program—read about the lessons we learned during the process.

‍

‍