The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized framework for security assessment, authorization, and continuous monitoring of cloud products and services used by US federal agencies. FedRAMP Rev 5, aligned with NIST SP 800-53 Revision 5, is the current control baseline governing all new and existing cloud authorizations.
The FedRAMP Authorization Act, signed into law in December 2022 as part of the FY2023 NDAA, codified FedRAMP into federal law and directed the modernization of the authorization process.
Impact Levels
FedRAMP defines three impact levels based on the FIPS 199 security categorization of the system, which rates the impact of a loss of confidentiality, integrity, or availability of the data it processes:
| Impact Level | Description | Use Cases | Rev 5 Baseline Controls (approx.) |
|---|---|---|---|
| Low | Limited adverse effect from a loss of confidentiality, integrity, or availability | Publicly available data, non-sensitive workloads | ~156 controls |
| Moderate | Serious adverse effect | Most federal workloads, PII and other controlled unclassified data | ~323 controls |
| High | Severe or catastrophic effect | Law enforcement, emergency services, financial, and healthcare systems | ~410 controls |
Approximately 80% of FedRAMP authorizations are at the Moderate impact level.
Authorization Paths
Agency Authorization
A specific federal agency sponsors and authorizes the cloud service. The Cloud Service Provider (CSP) partners with a sponsoring agency, then engages a FedRAMP-recognized Third-Party Assessment Organization (3PAO) for an independent assessment. The agency reviews the assessment package and grants an Authority to Operate (ATO). The authorization package is then submitted to the FedRAMP PMO for review and listing so that other agencies can reuse it rather than repeating the assessment.
Joint Authorization Board (JAB) Authorization (Legacy)
The JAB, composed of the CIOs of DoD, DHS, and GSA, previously issued Provisional ATOs (P-ATOs) that agencies could reuse. The FedRAMP Authorization Act replaced the JAB with a FedRAMP Board, and FedRAMP is moving to a streamlined model in which the FedRAMP Program Management Office (PMO), housed at GSA, manages the authorization process directly; new JAB P-ATOs are no longer issued.
Rev 5 Key Changes
FedRAMP Rev 5 adopts the NIST SP 800-53 Rev 5 control catalog, including its new control families and updated control enhancements, and re-selects the Low, Moderate, and High baselines against it.
New Control Families
Supply Chain Risk Management (SR) is a new family covering supply chain risk management plans, supplier assessments, component authenticity and anti-counterfeit measures, and tamper resistance of hardware and software components. Personally Identifiable Information Processing and Transparency (PT) consolidates the privacy controls for PII handling, such as authority to process, purpose specification, and consent.
Updated Controls
The Rev 5 baselines were selected using a threat-based methodology informed by MITRE ATT&CK rather than by inheriting the Rev 4 selections. The updated controls align with Zero Trust principles (stronger identity verification, network segmentation, and continuous monitoring), reflect cloud-native deployment patterns such as containers, serverless, and infrastructure-as-code, and place more weight on automated assessment and continuous monitoring over point-in-time documentation.
Continuous Monitoring
All FedRAMP-authorized services must maintain continuous monitoring: monthly vulnerability scanning of operating systems, web applications, and databases, with findings remediated within FedRAMP's timelines (High within 30 days of discovery, Moderate within 90 days, Low within 180 days); an annual security assessment by a 3PAO; ongoing Plan of Action and Milestones (POA&M) management, including deviation requests for false positives and risk adjustments; reporting and, where required, assessment of significant changes before they are deployed; and incident reporting to US-CERT (now CISA) and the authorizing agency within one hour of identification.
FedRAMP Marketplace
The FedRAMP Marketplace lists all authorized cloud services, making it easy for agencies to identify pre-authorized solutions. As of early 2026, over 350 cloud services hold FedRAMP authorizations, with the majority at the Moderate impact level.
Major authorized CSPs include AWS GovCloud, Microsoft Azure Government, Google Cloud Platform, Oracle Cloud Infrastructure, and Salesforce Government Cloud.
Common Challenges
Timeline
The FedRAMP authorization process historically takes 12 to 18 months from initial engagement to ATO. The FedRAMP Authorization Act directed modernization to reduce this timeline, and the PMO has introduced automation initiatives to accelerate reviews.
Cost
Achieving FedRAMP authorization typically costs $1 to $3 million for Moderate and $2 to $5 million for High, including 3PAO assessment fees, remediation costs, and documentation. Annual continuous monitoring adds approximately $500K to $1 million.
Documentation
FedRAMP requires extensive documentation including a System Security Plan, Security Assessment Report, and Plan of Action and Milestones. The SSP alone can exceed 500 pages for a Moderate system.
Practical Steps
1. Work with your target federal agency to determine the impact level and categorize the data the cloud service will process (FIPS 199).
2. Perform a gap analysis of current security controls against the applicable FedRAMP Rev 5 baseline.
3. Secure an agency sponsor; agency authorization is typically faster for CSPs with an existing agency relationship.
4. Select a FedRAMP-recognized 3PAO early in the process so its scoping feedback shapes the remediation plan.
5. Develop the SSP, policies, and procedures using the FedRAMP templates.
6. Implement and verify the missing controls before the 3PAO assessment begins.
7. Stand up vulnerability management, POA&M tracking, and annual assessment processes before authorization, since continuous monitoring obligations start the day the ATO is granted.