
Understanding FedRAMP Compliance and Authorization

Everything You Need to Know to Prepare for and Achieve FedRAMP Authorization

What is FedRAMP?

FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud services, and a framework your organization can use to build cloud security into your overall security program. FedRAMP is a requirement for all cloud service providers (CSPs) and cloud solutions used by federal agencies that handle federal data.

The FedRAMP program has been in place for nearly a decade, following a 2011 memo from the U.S. Federal Office of Management and Budget (OMB) establishing guidelines for federal cloud security. Since then, an increasing number of federal agencies have adopted cloud technologies and cloud services providers, opening up new avenues for bad actors wanting to maliciously access, exfiltrate, or corrupt sensitive and important federal information.

In this FedRAMP compliance knowledgebase, we’ll help you better understand what FedRAMP is, who should be FedRAMP authorized, and establish a foundation to set you on course for a FedRAMP authorization. Here’s what you’ll find:

What is FedRAMP?

FedRAMP is a framework you can use to build cloud security into your overall security program. It is mandatory for cloud services that handle federal data on behalf of federal agencies.

Should My Organization Be FedRAMP Authorized?

If you’re a CSP or cloud solution provider and you want to work with federal agencies, you need to earn and maintain a FedRAMP authorization.

FedRAMP Benefits

Adopting the FedRAMP framework for cloud security brings a range of benefits to your organization’s cloud security program.

FedRAMP Impact Levels

FedRAMP baselines align with FIPS 199 impact levels (Low, Moderate, High); your offering’s impact level determines which controls apply to it.

FedRAMP JAB P-ATO

The JAB works with about 12 multi-tenant, multi-capability CSPs each year for FedRAMP Provisional Authority to Operate (P-ATO) authorizations.

FedRAMP Agency ATO

CSPs with a narrower offering or a smaller set of prospective agency customers are good candidates for an individual agency Authority to Operate (ATO).

FedRAMP Controls

To become FedRAMP authorized, you will need to implement a range of FedRAMP cloud security controls based on your product’s impact level.

Preparing for a FedRAMP Audit

Before you undergo a formal assessment from a 3PAO, you should conduct internal reviews of control effectiveness and mitigate security issues.

FedRAMP Webinar Snapshots

There are many cybersecurity frameworks to consider. Is FedRAMP or another framework right for you? Maybe more than one, or a hybrid? Learn more in our webinars.

FedRAMP Marketplace

Searching for tools, guidance, and assistance with FedRAMP compliance? Try the FedRAMP Marketplace.

FedRAMP Frequently Asked Questions

Have questions about FedRAMP? Check out this FAQ.

The Apptega Solution for FedRAMP

Apptega is the industry’s best solution to help simplify and streamline all of your FedRAMP compliance needs for increased security visibility and oversight.

Understanding the FedRAMP Authorization Requirements

From cost-savings to ease of scaling, cloud solutions provide organizations with a number of benefits, but moving protected and sensitive federal data from on-premises to the cloud also creates new challenges.

Among these challenges are increasingly complex methods needed to secure data, especially for small and mid-sized businesses (SMBs) that may lack the resources or available talent to add cloud security into existing cybersecurity practices.

Threat actors know many CSPs and other cloud solutions have access to a gamut of sensitive and valuable data and that puts them increasingly in these attackers’ crosshairs for nefarious actions. Oracle’s 2020 Cloud Threat Report, for example, reveals that 92% of respondents know they have a cloud-readiness gap and more than half—60%—say they’ve been victims of cloud credentials phishing.

The federal government established FedRAMP to standardize cloud security best practices for all federal agencies and the partners they work with. Before the General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in 2012, each agency had its own security requirements for CSPs: a CSP approved by one agency had to repeat the whole process to be approved by another. The result was little consistency and a lot of duplicated work, both for the government and for its prospective service partners.

Today, these cloud security best practices are aligned with the Federal Information Security Modernization Act (FISMA), which requires all agencies to protect federal data, and OMB Circular A-130, which dictates that agencies use National Institute of Standards and Technology (NIST) standards when implementing FISMA.

FedRAMP streamlines cloud security approaches into standardized security measures your organization can implement and measure with a common baseline.

There are two ways your organization can become FedRAMP authorized: by earning a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO), or by earning an individual FedRAMP Agency Authority to Operate (ATO). If your organization completes a FedRAMP authorization with one federal agency, other agencies can review and reuse that authorization package rather than starting from scratch.

Organizations that successfully obtain authorization must undergo continuous monitoring and are subject to annual re-assessments to retain authorized status.

Manage Your FedRAMP Controls With Ease in Apptega

There are 17 FedRAMP control families (domains) whose controls your organization must implement and demonstrate to obtain and retain FedRAMP authorization. These controls come from NIST SP 800-53, with FedRAMP-specific parameters and additional requirements for cloud environments. If you’re like most organizations, you may already have some or all of these controls in place, but without a cybersecurity framework management platform like Apptega, it can be difficult to see all of your controls, which ones are working as designed, and where you have security gaps. Apptega can help you streamline this process and approach your FedRAMP authorization journey with confidence.

Here are some of the ways Apptega can help you on your FedRAMP compliance journey:

  • Create automated and customizable reports
  • Receive automated alerts and notifications
  • Crosswalk all of your frameworks and controls to eliminate redundancy
  • Access pre-built task packs, templates, and policies
  • Utilize a reliable document repository for all your assessment needs
  • Personalize the platform for your organization
  • Get insight into roles and permissions
  • Scale your frameworks and security program as your company evolves
  • Access pre-built templates and policies to streamline best practices

Should My Organization be FedRAMP Authorized?

If you’re a cloud service provider or host a cloud software solution and you create, process, store, or transmit federal data, you are required to be FedRAMP compliant and to earn, and maintain, a FedRAMP authorization.

In addition to being able to do business with federal agencies, as a FedRAMP authorized organization, you can expand your service offerings to other federal agencies and demonstrate to these agencies and others that you take information security seriously and that you’ve implemented, tested, and demonstrated that your data security controls are effective and meet industry best practices.

As of this writing, there are 218 cloud service offerings in the FedRAMP Marketplace that have earned FedRAMP authorization. Another 54 are In Process, and an additional 35 are designated FedRAMP Ready.

Reaping the Benefits of FedRAMP Authorization for Your Organization

There are a number of benefits of adopting cloud security best practices from industry-approved frameworks.

Frameworks such as FedRAMP remove the guesswork from your processes and help you build a cloud security program from controls and procedures that other organizations have implemented and shown to be effective against breaches and other cyber threats.

Another benefit of FedRAMP framework adoption is it can help your organization decrease duplicate efforts and achieve cost and process efficiencies. For example, if you successfully earn a FedRAMP authorization from one federal agency, you can use that authorization package as a foundation for working with other agencies.

FedRAMP Framework Alignments

FedRAMP aligns with other recognized requirements and standards such as FISMA and the NIST publications. FISMA mandates that all agencies protect federal data, while NIST standards (FIPS 199, FIPS 200, and SP 800-53) define how to categorize systems, select controls, and assess them; FedRAMP applies these to cloud services. If your organization has already implemented NIST SP 800-53 controls, you may be well on your way to a FedRAMP authorization, because FedRAMP controls are NIST SP 800-53 controls with cloud-specific parameters and additional requirements.

Did you know that you can use Apptega to crosswalk multiple security frameworks used by your organization?

Apptega’s Harmony intelligent framework mapping engine helps you manage all of your controls, giving you insight into where individual controls are applicable across multiple frameworks, including sub-controls, resources, and security related activities. Harmony helps you eliminate redundancy, gives you insight into the effectiveness of your controls, and helps you quickly identify gaps that need more attention.

What Our Customers Are Saying

Ed Myers
Associate Compliance Director, Cape Henry Associates

“With Apptega, we now have the visibility needed to know the true status of our program at any time.”

Desiree Davis
Operations Manager, Leap Credit

"I would absolutely recommend Apptega for anyone looking to elevate their compliance program from a static source to something that can be used to actively track and manage your compliance."

Understanding FedRAMP Impact Levels

FedRAMP outlines three impact levels for cloud security offerings:

  • Low
  • Moderate
  • High

FedRAMP impact levels are measured against the three FIPS 199 security objectives:

  • Confidentiality: Preserving authorized restrictions on access to and disclosure of information, including protecting personal privacy and proprietary information
  • Integrity: Guarding against improper modification or destruction of information, including ensuring its authenticity and non-repudiation
  • Availability: Ensuring timely and reliable access to and use of information

Before beginning your FedRAMP authorization process, you should understand which impact level applies to your offering. Let’s take a closer look at each level and what it means under Federal Information Processing Standard 199 (FIPS 199), which defines how federal information and information systems are categorized by security impact. FIPS 199 rates each objective separately; for each objective a system takes the highest rating of any information it handles, and its overall level, which selects the FedRAMP baseline, is the highest of the three (the high-water mark).

Low Impact: The loss of confidentiality, integrity, or availability would have a limited adverse effect on the agency’s operations, assets, or individuals. The FedRAMP Low baseline contains 125 controls; the tailored Low-Impact Software as a Service (LI-SaaS) baseline, for low-risk SaaS offerings that hold no personal information beyond what is needed to log in, is based on 36 controls.

Moderate Impact: The loss of confidentiality, integrity, or availability would have a serious adverse effect on the agency’s operations, assets, or individuals.

High Impact: The loss of confidentiality, integrity, or availability would have a severe or catastrophic adverse effect on the agency’s operations, assets, or individuals.

Understanding FedRAMP Authorization Paths

If you’re a cloud service provider or a cloud software provider and you want to work with federal agencies, you’ll need to obtain formal authorization first. There are two types of authorization that demonstrate your organization meets FedRAMP requirements:

  1. Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO): For large, multi-tenant CSPs that offer a wide range of capabilities or use cases and would likely be used by multiple federal agencies.
  2. FedRAMP Agency Authority to Operate (ATO): Most organizations are best suited to an agency ATO, which fits CSPs whose offering is likely to be used by one or a few federal agencies.

How to Earn a FedRAMP JAB P-ATO Authorization

Each year the Joint Authorization Board (JAB) reviews CSPs on the government’s behalf to determine each CSP’s risk posture. The JAB generally selects about 12 large, multi-tenant CSPs per year for P-ATO consideration, usually three per quarter.

During this process, the JAB determines whether the CSP meets all FedRAMP requirements and whether its capabilities are applicable to multiple federal agencies. If so, the CSP can proceed through the P-ATO process; once authorized, it remains under JAB continuous monitoring and is subject to annual assessments to ensure sustained compliance.

Here’s a quick walkthrough of the P-ATO authorization process:

  • If you believe your organization meets P-ATO criteria, you must submit a business use case through FedRAMP Connect before you can be considered for the next phase of the P-ATO process. This use case should outline your organization’s capabilities, strengths, and solution benefits.
  • The JAB will evaluate your organization against a range of prioritization criteria.
  • If you are prioritized through FedRAMP Connect, you have 60 days to earn an official FedRAMP Ready designation.
    • During the FedRAMP Ready process, you must work with an accredited third-party assessment organization (3PAO), which produces a Readiness Assessment Report (RAR) on your current security posture and capabilities. A RAR accepted by the FedRAMP PMO indicates your organization is ready to move on to the next phase.
  • After FedRAMP Ready, you undergo a full security assessment, including:
    • Finalizing your System Security Plan (SSP)
    • Working with a FedRAMP 3PAO to complete an assessment against FedRAMP requirements and security controls, documented in a Security Assessment Report (SAR)
    • Establishing a Plan of Action and Milestones (POA&M) that outlines how you will address any weaknesses listed in your SAR
    • Assembling your SSP, SAR, and POA&M into a security package for JAB review
  • During the authorization review phase, the JAB reviews your security package, a process that can take several weeks.
  • If the JAB determines you meet FedRAMP requirements, your organization receives a P-ATO.
  • Once you hold a P-ATO, your organization is subject to continuous JAB monitoring and annual assessments to ensure ongoing compliance.

How to Earn a FedRAMP Agency ATO

Most organizations will pursue an individual agency ATO. This path suits offerings whose reach is narrower, or less likely to be widely adopted, than a large multi-tenant cloud solution, typically those targeting one or two federal agencies. Unlike a P-ATO, which is granted by a board, an ATO is issued directly by the federal agency you want to work with. That ATO is tied to the issuing agency, but other agencies can use your authorization package as their starting point; each new agency may ask you to meet additional requirements before issuing its own ATO.

Here’s a quick walkthrough of the Agency ATO authorization process:

  • While not required, a great starting point on your ATO journey is a readiness assessment to determine whether you meet FedRAMP requirements, documented in a Readiness Assessment Report (RAR) covering your capabilities and security posture.
  • Once you’ve completed your RAR, connect with the federal agency you want to work with. This agency will serve as your sponsor throughout the authorization process.
  • Before engaging with your sponsoring agency, make sure you:
    • Have a fully built solution
    • Have a leadership team committed to FedRAMP processes
    • Complete a CSP Information Form
    • Determine the FIPS 199 security categorization of the data your system will handle
  • Hold a kick-off meeting with your agency sponsor.
  • Complete a full security assessment with a 3PAO, documented in your SSP, Security Assessment Plan (SAP), SAR, and POA&M.
  • The FedRAMP PMO reviews your security package documentation.
    • You may be asked to participate in a SAR debrief with the PMO.
  • The agency performs its risk review of the package.
  • If the agency accepts the residual risk, it issues you an ATO letter documenting its authorization decision.
  • Once you earn an agency ATO, your organization is listed as Authorized in the FedRAMP Marketplace.
  • Like the P-ATO, ATO-authorized organizations are subject to continuous monitoring and annual assessments.

A Look at FedRAMP Control Families

FedRAMP controls are divided among 17 control families, also called domains. Each family is assigned to one of three classes: technical, operational, or management.

The FedRAMP control families are taken from NIST SP 800-53, with FedRAMP selecting which controls and enhancements each baseline includes and adding cloud-specific parameter values and additional requirements. How many controls in each family apply to you depends on your offering’s impact level. Under the Rev 4 baselines there are 125 controls for Low, 325 for Moderate, and 421 for High (these counts include control enhancements). Use FIPS 199 to determine your offering’s impact level, and therefore which baseline applies.

For example, under the Access Control family a Low-impact solution must meet 11 controls, while a Moderate-impact solution must meet 17 (counting base controls rather than their enhancements).

Here are the 17 core families:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Certification, Accreditation and Security Assessment (named Security Assessment and Authorization in NIST SP 800-53 Rev 4)
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical and Environmental Protection
  12. Planning
  13. Personnel Security
  14. Risk Assessment
  15. System and Services Acquisition
  16. System and Communications Protection
  17. System and Information Integrity

For a complete list of all the domains, classes, and control requirements, check out the FedRAMP Control Quick Guide from GSA at https://www.gsa.gov/cdnstatic/FedRAMP_Control_Quick_Guide_V12_%281%29.pdf.

Preparing for Your FedRAMP Assessments

Whether you’re preparing for a readiness assessment or you’re prepping your security package for FedRAMP authorization review, some best practices can help you streamline your processes, improve documentation, and approach your assessments with confidence.

Here are a few general recommendations to help you prepare for your FedRAMP assessments:

  • As we mentioned earlier, to get started with FedRAMP you need to decide whether you’re best suited to a JAB P-ATO or an individual agency ATO. Review your solution and evaluate whether it is multi-tenant with broad applicability (P-ATO) or more likely to serve one or a couple of agencies (ATO).
  • Next, determine your security impact level (Low, Moderate, High) using FIPS 199.
  • Once you know your impact level, review the FedRAMP control baseline for that level (the FedRAMP Control Quick Guide summarizes them) to determine which, and how many, controls you’ll be expected to meet.
  • Next, evaluate your existing controls against those requirements to determine which function as intended and which are missing or not functioning properly. Plan to implement missing controls and fix those that fall short.
  • Before engaging a 3PAO, conduct an internal review of your security controls and identify where you meet FedRAMP requirements and where you have weaknesses.
  • Document your known deficiencies together with your plans to mitigate or remediate them.
  • Remediate as many weaknesses as you can, then conduct a further internal review of control effectiveness before your 3PAO assessment.
  • Complete a Readiness Assessment Report, then finalize your System Security Plan, have the 3PAO execute the Security Assessment Plan and deliver the Security Assessment Report, and document your Plan of Action and Milestones for the findings.
  • Continuously monitor your controls and remediate any issues leading up to your formal 3PAO assessment.
  • If you earn your P-ATO or ATO, remember that you will be subject to continuous monitoring and annual reassessment. Routine internal reviews, conducted before an issue arises, keep you a step ahead of threat actors and of potential compliance problems.
  • By continuously evaluating your program and taking the right steps to avoid a breach or other security issues, you demonstrate that your organization takes FedRAMP security seriously and is working in good faith to close gaps and mature its security posture.
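The impact-level and gap-analysis steps above are mechanical enough to script. The following Python is an added example, not code from Apptega or from the FedRAMP program. It applies the FIPS 199 high-water-mark rule (each objective takes the highest impact of any information type the system handles, a system is never categorized below Low, and the overall level that selects the FedRAMP baseline is the highest of the three objectives) and then compares a required control set with recorded implementation status to produce the list that feeds a POA&M. The information types, impact values, control identifiers and statuses are constructed for illustration; the real required controls for your level must come from the FedRAMP baseline for your revision.

```python
"""FIPS 199 high-water-mark categorization and a baseline control gap check.

Added example, not code from Apptega, FedRAMP or NIST. The information types,
impact values, control identifiers and statuses below are constructed for
illustration; the real required controls must come from the FedRAMP baseline
workbook for your impact level and revision.
"""
from dataclasses import dataclass

# FIPS 199 potential impact values, ranked so max() yields the high-water mark.
# "na" (not applicable) is permitted only for the confidentiality of public
# information; an information system itself is never categorized below "low".
IMPACT_RANK = {"na": 0, "low": 1, "moderate": 2, "high": 3}
RANK_NAME = {rank: name for name, rank in IMPACT_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information the cloud offering handles, with its FIPS 199
    potential impact for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def validate(info_type: InfoType) -> None:
    """Reject impact values that FIPS 199 does not allow."""
    for objective in OBJECTIVES:
        value = info_type.impact(objective)
        if value not in IMPACT_RANK:
            raise ValueError(f"{info_type.name}: unknown impact {value!r}")
        if value == "na" and objective != "confidentiality":
            raise ValueError(f"{info_type.name}: {objective} cannot be 'na'")


def categorize_system(info_types: list[InfoType]) -> dict[str, str]:
    """Return the system's impact per objective and overall.

    For each objective the system takes the highest impact of any information
    type it processes (the high-water mark), with a floor of "low". The overall
    level, which selects the FedRAMP Low/Moderate/High baseline, is the highest
    of the three objectives, so a single high-availability information type
    puts the whole system in the High baseline even if confidentiality is low.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for info_type in info_types:
        validate(info_type)
    result: dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max(IMPACT_RANK[t.impact(objective)] for t in info_types)
        result[objective] = RANK_NAME[max(highest, IMPACT_RANK["low"])]
    result["overall"] = RANK_NAME[max(IMPACT_RANK[result[o]] for o in OBJECTIVES)]
    return result


def control_gaps(required: set[str], status: dict[str, str]) -> dict[str, list]:
    """Compare the baseline's required controls with recorded implementation
    status ("implemented", "partial", "planned"; absent means never assessed).

    Every required control not fully implemented becomes a POA&M candidate,
    carrying its status so the POA&M can record a realistic milestone. Controls
    implemented but outside the baseline are listed separately: they are not
    wrong, but they should not be presented to the 3PAO as baseline evidence.
    """
    poam = sorted((c, status.get(c, "missing")) for c in required
                  if status.get(c) != "implemented")
    satisfied = sorted(c for c in required if status.get(c) == "implemented")
    out_of_scope = sorted(c for c in status if c not in required)
    return {"poam": poam, "satisfied": satisfied, "out_of_scope": out_of_scope}


# Constructed sample inputs; not a real categorization or a real baseline.
SAMPLE_INFO_TYPES = [
    InfoType("public press releases", "na", "low", "low"),
    InfoType("contractor contact records", "moderate", "moderate", "low"),
    InfoType("grant payment schedules", "moderate", "moderate", "moderate"),
]
# A handful of NIST SP 800-53 control identifiers standing in for a baseline.
SAMPLE_REQUIRED = {"AC-2", "AC-17", "AU-2", "AU-6", "CM-6", "IA-2", "IR-4", "SC-7", "SI-4"}
SAMPLE_STATUS = {
    "AC-2": "implemented", "AC-17": "partial", "AU-2": "implemented",
    "AU-6": "planned", "CM-6": "implemented", "IA-2": "implemented",
    "IR-4": "implemented", "SC-7": "implemented", "PE-3": "implemented",
}

if __name__ == "__main__":
    print("FIPS 199 categorization:", categorize_system(SAMPLE_INFO_TYPES))
    gaps = control_gaps(SAMPLE_REQUIRED, SAMPLE_STATUS)
    for control, state in gaps["poam"]:
        print(f"POA&M entry needed: {control} ({state})")
    print("Implemented but outside the baseline:", gaps["out_of_scope"])
```

The sample system lands at Moderate on all three objectives even though its public information has no confidentiality impact, and a system with one High-availability information type lands in the High baseline regardless of how low its confidentiality rating is; that second case is the one teams most often get wrong when they categorize by the sensitivity of the data alone. The gap output separates required controls that need a POA&M entry from controls that are implemented but not in the baseline, so assessment evidence is collected only for what the baseline actually asks.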

FedRAMP Webinars

Choosing a Cybersecurity Framework Webinar Image

How to Choose Which Cybersecurity Framework to Follow

With more than 20 major cybersecurity frameworks on the market, how do you know which one is right for you? Do you need more than one framework to meet all of your compliance and regulatory obligations? Do you have controls from one framework that meet the requirements of another? Not sure what to do or where to begin? In this webinar, you’ll learn more about:

• Common cybersecurity frameworks
• How organizations use these frameworks
• Where there are commonalities between frameworks
• What differentiates each framework from others
• How to manage the frameworks you implement

Secrets To Passing A Cybersecurity Audit: An Auditor's Perspective

Whether you’re preparing for an internal review or you’re getting ready for a formal 3PAO assessment, you’ll want to approach your FedRAMP authorization reviews with confidence, while ensuring you have all the documentation you need to demonstrate compliance and make your assessments as painless as possible. In this webinar, listen in on guidance from a panel of experts who have successfully participated—and passed—audits across a range of industries and compliance requirements, including:

• Best practices for audit preparation
• Tips from industry pros
• Common failures in the audit process
• How to mitigate risk for audit success
• How to gather the evidence you need to support auditor requests

FedRAMP Marketplace

Searching for Tools, Guidance, and Help with FedRAMP Compliance?

The FedRAMP Marketplace in CyberXchange is Apptega’s resource catalog for FedRAMP compliance (not the official FedRAMP Marketplace at https://marketplace.fedramp.gov, which lists cloud service offerings by authorization status). It’s mapped to FedRAMP controls, so for each gap or compliance issue you can find solutions that meet your specific needs. Join thousands of CISOs, CIOs and other cyber professionals in finding perfect-fit solutions for all your FedRAMP needs.

Frequently Asked Questions about FedRAMP (FAQs)

What is FedRAMP?

FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that establishes a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP authorization is required for all cloud service providers and cloud software solutions that create, process, store, or transmit federal data.

Who oversees FedRAMP?

The FedRAMP Program Management Office (PMO) resides within the General Services Administration (GSA). The PMO guides federal agencies and cloud service providers through FedRAMP authorization and maintains the repository of authorization packages so that other agencies can review and reuse them.

Is there FedRAMP certification?

There is no FedRAMP certification as such; the formal outcome is a FedRAMP authorization. There are two authorization paths: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB), designed for multi-tenant, multi-capability CSPs that may serve many federal organizations, and an agency Authority to Operate (ATO), issued by an individual federal agency to a CSP that works directly with it.

Is FedRAMP Authorization required?

FedRAMP authorization is required for all cloud service providers that work with federal agencies and create, process, store, or transmit federal data.

Should my organization be FedRAMP compliant?

If your organization is a cloud service provider or other cloud solution and you want to do business with a federal agency, you need a FedRAMP authorization, either a JAB P-ATO or an agency ATO.

What happens if I am not FedRAMP compliant?

If you are not FedRAMP compliant, you will not be able to offer cloud services to a federal agency.

What are FedRAMP impact levels?

There are three impact levels related to FedRAMP: low, moderate, and high.

  • Low Impact: The loss of confidentiality, integrity, and availability would result in a low level of negative impacts on a federal agency’s assets, individuals, or operations.
  • Moderate Impact: The loss of confidentiality, integrity, and availability would result in a serious level of negative impacts on an agency’s assets, individuals, or operations.
  • High Impact: The loss of confidentiality, integrity, and availability would result in a severe or catastrophic level of negative impacts on an agency’s assets, individuals, or operations.

How many FedRAMP controls are there?

There are 17 control families for FedRAMP. Each family consists of a grouping of controls, and how many of them apply depends on your offering’s impact level: under the Rev 4 baselines there are 125 controls for Low, 325 for Moderate, and 421 for High (counts include control enhancements). Use FIPS 199 to determine your offering’s impact level, and the FedRAMP baseline for that level to determine the required controls.

Can I map FedRAMP to other cybersecurity frameworks and controls?

Yes. You can map the FedRAMP cloud security framework to other frameworks and controls; FedRAMP is closely aligned to NIST SP 800-53. You can use Apptega’s Harmony intelligent framework mapping engine to map all controls across all of your existing frameworks to eliminate redundancy and gain instant insight into control effectiveness and where you have gaps to remediate.

What does “FedRAMP In Process” mean?

In Process is a FedRAMP Marketplace designation indicating that a CSP is actively working toward authorization with either the JAB or an agency sponsor. If your organization is In Process and wants to work with an additional federal agency, that agency can evaluate your existing authorization package to determine whether it can issue its own ATO.

How much does FedRAMP certification cost?

The cost of a FedRAMP authorization depends on a variety of factors, including the complexity of your cloud offering, your impact level, how many controls you must implement, and how much remediation is needed. Estimates of FedRAMP authorization expenses range from tens of thousands of dollars to several million.

Who are some notable FedRAMP certified companies?

Here are some well-known companies with FedRAMP authorization: Adobe, Amazon Web Services (AWS), BlackBerry, Canon, Cisco, Deloitte, DocuSign, GitHub, Google Cloud Service, Hootsuite, IBM, McAfee, Microsoft Azure, Okta, Oracle, Salesforce, Trello, and Zoom. For a complete list of approved CSPs, visit https://marketplace.fedramp.gov.

Where can I find FedRAMP compliance resources?

Apptega’s FedRAMP Marketplace offers products and services to help with your FedRAMP authorization process, including access to consultants with expertise in your specific compliance areas. (This is distinct from the official FedRAMP Marketplace at https://marketplace.fedramp.gov, which lists cloud service offerings that are Authorized, In Process, or FedRAMP Ready.) Official supporting documents and templates are at https://www.fedramp.gov/documents-templates.

The Platform for your FedRAMP Authorization Journey

Managing cloud security controls can be tricky even for skilled cybersecurity teams. That’s because many common IT security practices for on-premises solutions don’t work well for the cloud. But adding another layer of security to your already busy cybersecurity teams doesn’t have to overwhelm them. A cybersecurity framework management solution like Apptega can help you implement, streamline, and manage all of your controls across all your frameworks, regardless of environment.

Here are some of the ways Apptega can help you simplify your FedRAMP authorization journey:
  • Manage all of your cybersecurity frameworks and controls in a single solution
  • Get clear visibility into your compliance journey status, including the effectiveness of controls functioning as intended
  • Review recommendations to close security gaps
  • Access a growing library of industry-recognized cybersecurity and privacy frameworks
  • Use pre-built templates for policies and other security needs
  • Quickly generate customized reports to share program status with key stakeholders
  • Get instant access to cybersecurity software and other services for your organization’s specific needs
  • End-to-end cybersecurity and compliance management

Companies on the Journey to Compliance

CounterTrade, Cortland, HCTec, Focus on the Family, Greenhouse Software