Overview
The Federal Risk and Authorization Management Program (FedRAMP®) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. Established in 2011 and administered by the General Services Administration (GSA), it ensures that any cloud service handling federal data meets a consistent baseline of security—reviewed once, reused across government.
This guide explains what FedRAMP® is, who needs it, the three impact levels, how authorization works, how it relates to FISMA and NIST 800-53, and what's changing under FedRAMP® 20x.
What FedRAMP® is, in plain terms
The purpose of FedRAMP®
Before FedRAMP®, every federal agency evaluated cloud services on its own. A single product serving 10 agencies might go through 10 separate security reviews—each producing its own findings, its own paperwork, and its own backlog. The result was duplicative work, inconsistent security judgments across government, and a strong disincentive for commercial cloud providers to invest in the federal market.
FedRAMP® was created to solve that. Its guiding principle is "do once, use many times": a cloud service is assessed once against a standardized set of security requirements, and any federal agency can then adopt the service without repeating the underlying review. Agencies get faster, more defensible access to secure cloud services. Providers get a single nationally recognized credential that opens the door to the entire federal market.
The security framework behind it
FedRAMP® doesn't invent its own security controls. It takes the existing NIST SP 800-53 control catalog—the catalog the federal government already uses to meet its security obligations under the Federal Information Security Modernization Act (FISMA)—and tailors those controls to the cloud context. The result is a set of three control baselines (Low, Moderate, and High) that apply to cloud services based on the sensitivity of the data they handle.
The program is administered by the GSA, with oversight from the FedRAMP® Program Management Office, and assessments are performed by independent Third Party Assessment Organizations (3PAOs) accredited specifically for that role.
What it covers—and what it doesn't
FedRAMP® covers cloud service offerings—SaaS, PaaS, and IaaS—that store, process, or transmit federal data. That includes analytics platforms, collaboration tools, infrastructure services, identity providers, and AI capabilities delivered as a cloud service.
What FedRAMP® does not cover: on-premises software, hardware products, professional services, and cloud services that never touch federal data. It also doesn't replace other federal or industry-specific requirements—a healthcare analytics service still needs HIPAA alignment, a defense workload still needs to address DoD-specific requirements, and a service handling Controlled Unclassified Information (CUI) still needs NIST SP 800-171 controls where applicable. FedRAMP® sits alongside these frameworks, not above them.
Who needs FedRAMP® (and why)
Federal agencies
Federal agencies are required to procure cloud services from FedRAMP®-authorized providers for production workloads. This requirement flows from FISMA, is reinforced through Office of Management and Budget (OMB) policy, and is enforced in federal procurement. For an agency CIO or CISO, using a non-authorized cloud service for production federal data is not a gray area—it's a compliance failure.
The practical benefit for agencies is speed. An agency evaluating an authorized service inherits the existing security assessment package and can move to an Authority to Operate (ATO) decision in weeks rather than the months or years an original assessment would take.
Cloud service providers (CSPs) selling to the federal market
For any commercial cloud provider targeting federal customers, FedRAMP® is the price of admission. Without an authorization, the addressable federal market is effectively zero for production workloads. Providers pursuing the federal market therefore treat FedRAMP® as a strategic investment—not a checkbox—because authorization takes 12 to 18 months under the traditional path, requires a 3PAO engagement, and carries ongoing continuous monitoring obligations.
The payoff is material. A single authorization qualifies a service for use across every federal agency, and the credential itself signals a level of security rigor that often accelerates adjacent enterprise sales in regulated industries.
Contractors, state/local entities, and the expanded reach of FedRAMP®
The requirement reaches further than the federal perimeter. Federal contractors and subcontractors whose cloud environments handle government information inherit FedRAMP® obligations through their contracts. State and local government projects that process federal grant data or integrate with federal systems frequently require FedRAMP®-authorized services as well. And in regulated adjacencies—healthcare, financial services, defense supply chain—FedRAMP® authorization has become a commercial-market expectation, not just a federal one.
Certification vs. compliance vs. authorization
One of the most common sources of confusion in federal cloud procurement is that buyers, analysts, and vendors use three different words to describe the same thing. Searches for "FedRAMP certification," "FedRAMP compliance," and "FedRAMP authorization" together generate more than 4,000 queries a month—and strictly speaking, only one of those terms is correct.
- FedRAMP® authorization is the accurate term. It's the formal status a cloud service receives after an agency issues an Authority to Operate (ATO) based on a completed security assessment. This is the word used on FedRAMP.gov and in federal policy.
- FedRAMP® compliance is widely used as a shorthand for "meets FedRAMP® requirements." It's informal but generally understood.
- FedRAMP® certification is technically incorrect—FedRAMP® does not issue certifications—but persists because "certification" is the more familiar compliance vocabulary. When someone asks whether a service is "FedRAMP® certified," they almost always mean "FedRAMP® Authorized."
The practical guidance: use "authorization" in formal contexts, and recognize that the three terms are effectively interchangeable in everyday conversation.
The 3 FedRAMP® impact levels
Not all federal data carries the same sensitivity, and FedRAMP® reflects that with three control baselines—Low, Moderate, and High—determined by FIPS 199 categorization across confidentiality, integrity, and availability. The baseline a cloud service pursues is determined by the highest-sensitivity data it will handle.
[Figure: the three FedRAMP® impact levels (Low, Moderate, High). Source: https://www.vanta.com/collection/fedramp/fedramp-levels-baselines]
FedRAMP® Low
FedRAMP® Low applies to cloud services handling publicly releasable information or data where a breach would cause limited adverse effect to agency operations. Agency public websites, open data portals, and basic communications tools typically fall here. The control baseline is the lightest of the three, but still considerably more rigorous than typical commercial security posture.
FedRAMP® Moderate
Moderate is the most common baseline and applies to the majority of federal systems. It's the right level for day-to-day federal business data, personally identifiable information (PII), and non-classified mission workloads where a breach would cause serious adverse effect. Most analytics, collaboration, and productivity services pursuing the federal market target Moderate as their initial authorization.
FedRAMP® High
High is reserved for the most sensitive unclassified data—law enforcement records, emergency services systems, financial data, and health information where a breach could cause severe or catastrophic effect to operations or individuals. The control set is significantly larger than Moderate, and operational requirements are correspondingly tighter.
A note on DoD impact levels
Defense workloads layer an additional classification on top of FedRAMP®. The Department of Defense Cloud Computing Security Requirements Guide (SRG) defines DoD Impact Levels—IL2, IL4, IL5, and IL6—that apply to cloud services handling DoD information, Controlled Unclassified Information (CUI), and classified data. A cloud service serving DoD customers typically holds a FedRAMP® authorization as a prerequisite and then addresses DoD IL requirements on top.
How FedRAMP® authorization works
Under the traditional (Rev. 5) authorization path, earning FedRAMP® Authorized status takes a well-prepared cloud provider between 12 and 18 months. The process moves through four stages, with one important milestone—FedRAMP® Ready—earned partway through rather than at the end.
[Figure: the FedRAMP® authorization process. Source: https://secureframe.com/blog/fedramp]
Step 1: Readiness assessment and FedRAMP® Ready
A cloud provider begins by engaging a FedRAMP®-accredited Third Party Assessment Organization (3PAO)—an independent auditor qualified to evaluate cloud services against FedRAMP® requirements. The 3PAO produces a Readiness Assessment Report (RAR) that documents the provider's security architecture and evaluates how its controls map to the target baseline.
If the RAR meets FedRAMP® expectations, the service earns FedRAMP® Ready status and is listed on the FedRAMP® Marketplace. This is an important milestone—it's independent confirmation that a provider's security posture is strong enough to pursue full authorization, and it's often the signal federal agencies use to begin procurement conversations while the rest of the process continues.
Teradata VantageCloud Lake on AWS achieved FedRAMP® Ready status for Moderate Impact Level in U.S. West and U.S. East regions, confirming that the platform has passed independent 3PAO assessment against the requirements for full FedRAMP® authorization.
Step 2: Full security assessment (SAR and POA&M)
With FedRAMP® Ready status in hand, the provider moves into a full security assessment—a comprehensive 3PAO audit against every control in the target baseline. The assessment produces two key artifacts: a Security Assessment Report (SAR), which documents how each control is implemented, tested, and operating, and a Plan of Action and Milestones (POA&M), which catalogs any gaps or deviations and the remediation plan for each. Together, the SAR and POA&M form the evidence base for the authorization decision that follows.
Step 3: Authorization and agency ATO
Under the current FedRAMP® model, authorization is granted when a federal agency reviews the full security package and issues an Authority to Operate (ATO). The agency acts as the authorizing official, takes on risk acceptance for its use of the service, and signals to the rest of government that the service has cleared the bar.
Once an ATO is issued, the service moves to FedRAMP® Authorized status on the Marketplace and is available for use by any federal agency. The historical Joint Authorization Board (JAB) path has been deprioritized under FedRAMP® 20x and is no longer the primary route to authorization.
Step 4: Continuous monitoring
Authorization is not a one-time event. Authorized providers are required to maintain their security posture through ongoing continuous monitoring (ConMon)—monthly vulnerability scans, regular reporting, incident notification, configuration management, and annual assessments. Findings are tracked in an updated POA&M and shared with the authorizing agency.
This is the requirement that separates FedRAMP® from most point-in-time compliance frameworks. A cloud service does not just have to be secure on the day it's assessed—it has to prove it stays secure every month afterward.
FedRAMP®, FISMA, and NIST 800-53
These three terms appear together constantly in federal cloud conversations and are frequently conflated. They are related but distinct, and understanding how they fit together is the difference between sounding informed in a procurement conversation and sounding approximate.
FISMA: The law
The Federal Information Security Modernization Act (FISMA) is a U.S. federal law, most recently updated in 2014, that requires federal agencies to develop, document, and implement programs to protect their information and information systems. FISMA applies to everything the government runs—cloud or otherwise—and assigns agency heads responsibility for the security of their systems.
NIST SP 800-53: The control catalog
NIST Special Publication 800-53 is the catalog of security and privacy controls federal agencies use to satisfy FISMA's requirements. Published by the National Institute of Standards and Technology and currently in Revision 5, it covers everything from access control and incident response to supply chain risk management and privacy engineering. NIST 800-53 is the common control language of federal cybersecurity.
FedRAMP®: The cloud implementation
FedRAMP® takes the relevant NIST 800-53 controls, tailors them to the cloud context, organizes them into the Low, Moderate, and High baselines, and defines the standardized assessment, authorization, and continuous monitoring process that cloud service providers follow.
In three sentences: FISMA is the law. NIST 800-53 is the control catalog. FedRAMP® is the cloud-specific implementation of both.
What FedRAMP® 20x changes
On March 24, 2025, the GSA announced FedRAMP® 20x—the most significant overhaul of the program since it was established in 2011. FedRAMP® 20x is not an incremental revision. It's a ground-up rebuild of how cloud services are assessed, authorized, and continuously monitored, designed around automation and continuous validation rather than static documentation and manual review.
Why FedRAMP® 20x exists
The traditional FedRAMP® process was built for a federal cloud market that did not yet exist. Over time, authorization timelines stretched to years, documentation packages grew to thousands of pages, and manual review by the FedRAMP® Program Management Office became the central bottleneck for every CSP. FedRAMP® 20x exists to reset those dynamics—to compress timelines from years to weeks, shift evidence from narrative to machine-readable data, and scale federal cloud adoption at the pace the market now requires.
The 4 core changes
- Automation-first validation: The goal is for more than 80% of security requirements to be validated automatically, using machine-readable evidence generated directly from cloud environments—no narrative write-ups required
- Key Security Indicators (KSIs): Rather than documenting each control in prose, CSPs demonstrate security through measurable, outcome-based indicators that can be continuously reported and verified
- Continuous validation over annual assessment: Point-in-time annual audits are replaced by always-on automated checks that provide ground truth about a service's security posture at any moment
- Industry-led solutions: FedRAMP® sets the standards, and private industry builds the tools, frameworks, and automation that meet them, with ongoing collaboration through public working groups
Where FedRAMP® 20x stands today
FedRAMP® 20x is rolling out in phases. Phase 1 ran from April to September 2025 and focused on Low-impact pilot authorizations; 26 cloud service providers submitted pilot packages, and the first authorizations were granted in July 2025. Phase 2 is currently active and is expanding pilot authorizations to Moderate impact, with approximately 10 Moderate pilot authorizations targeted. Formal government-wide launch is targeted for Q3 2026, with a multi-year transition window for providers already authorized under the traditional Rev. 5 path.
What it means for CSPs already in the traditional process
The traditional Rev. 5 authorization path remains open. Providers already in process under Rev. 5 can continue, and existing Rev. 5 authorizations will be honored through a transition window expected to extend into 2027 and beyond. The practical guidance for agencies and CSPs alike is to treat FedRAMP® 20x as the forward direction—not something to watch from the sidelines—and to plan for automation-based evidence as the future of federal cloud compliance.
FedRAMP® FAQs
Still have questions about FedRAMP®? Here are answers to some of the most common questions.
Who requires FedRAMP®?
U.S. federal agencies acquiring cloud services for production use are required to procure from FedRAMP®-authorized providers. The requirement is driven by FISMA, reinforced by OMB policy, and enforced through federal procurement. In practice, it also extends to federal contractors, state and local entities handling federal data, and commercial vendors selling cloud services into the federal market.
Why do companies need FedRAMP®?
Without a FedRAMP® authorization, a cloud service provider cannot sell its product to U.S. federal agencies for production workloads. For companies targeting the federal market, FedRAMP® is a prerequisite. For companies targeting regulated commercial industries — healthcare, financial services, defense supply chain — FedRAMP® authorization also signals a level of security rigor that often accelerates enterprise sales.
What is FedRAMP® in simple terms?
FedRAMP® is the U.S. government's standardized way of verifying that a cloud service is secure enough for federal agencies to use. Instead of every agency doing its own security review, a cloud provider goes through one rigorous assessment — and once it passes, any agency can adopt the service without repeating the work.
What's the difference between FedRAMP® Ready and FedRAMP® Authorized?
FedRAMP® Ready means an independent 3PAO has assessed a cloud service and confirmed it meets the requirements necessary to pursue full authorization — a verified readiness milestone. FedRAMP® Authorized means a federal agency has issued an Authority to Operate (ATO), the service is listed on the FedRAMP® Marketplace as Authorized, and federal agencies can use it in production.
How does FedRAMP® relate to FISMA and NIST 800-53?
FISMA is the U.S. law requiring federal agencies to secure their information systems. NIST SP 800-53 is the control catalog agencies use to meet that requirement. FedRAMP® takes the relevant NIST 800-53 controls, tailors them to the cloud context, and defines the assessment and continuous monitoring process cloud service providers follow. In short: FISMA is the law, NIST 800-53 is the controls, and FedRAMP® is how both are applied to the cloud.
What is a FedRAMP® 3PAO?
A 3PAO — Third Party Assessment Organization — is an independent auditor accredited by FedRAMP® to evaluate a cloud service provider's security controls. 3PAOs perform Readiness Assessments, full Security Assessments, and annual assessments, and they are the source of the independent verification that underpins every FedRAMP® authorization.
Learn more about how Teradata delivers secure, compliant analytics for federal agencies at the Trust and Security Center, or read the announcement on VantageCloud Lake's FedRAMP® Ready milestone.