
The Ultimate Guide to
Federal Risk and Authorization Management Program (FedRAMP)
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for all cloud products and services.
Protect mission-critical data
The US federal government is one of the largest buyers of cloud technology and knows that innovative Cloud Service Providers can save agencies time and resources while meeting their critical mission needs. In fact, a 2020 FedRAMP survey found that 45% of federal agencies and 52% of state and local governments are currently storing mission-critical data in the cloud, and nearly every respondent said that they use the cloud to store at least some of their systems or solutions.
In order to protect data stored in the cloud, the General Services Administration (GSA) created the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized security framework for all cloud products and services that is recognized by all executive federal agencies. Cloud Service Providers (CSPs) only need to go through the FedRAMP Authorization process once for each Cloud Service Offering (CSO) and perform continuous monitoring. Meanwhile, all agencies can review the same continuous monitoring deliverables, creating efficiencies across the government.
What is the purpose of FedRAMP?
The purpose of FedRAMP is to:
Ensure that cloud applications and services used by government agencies have sufficient security safeguards to protect federal information.
Enable the procurement of information systems/services in an efficient and cost-effective manner.
Eliminate duplicative efforts and risk management costs across government entities.
Does my business need to be FedRAMP authorized?
If your company provides cloud computing services or SaaS applications and plans on having the U.S. government as a customer, then you will need to become FedRAMP authorized. Don’t let the size of your company deter you, either. Over 30% of FedRAMP Cloud Service Providers are small businesses.
The 4 phases to the authorization process: How to get FedRAMP certified
1. Prepare and plan
There are six steps in the preparation/planning phase, and the process can take weeks or multiple months depending on the maturity of your current security compliance program.
The first step is to find a federal agency that is interested in using your product and willing to go through the authorization process with you. You’ll need to formalize this partnership by submitting an In Process Request (IPR) letter and work breakdown structure (WBS) to obtain confirmation and an In Process listing on the FedRAMP Marketplace.
Under the current FedRAMP policy established by OMB Memo M-24-15, you work directly with a federal agency to obtain an Authority to Operate (ATO) letter. For services that will be used by multiple agencies, you can pursue a joint multi-agency authorization where multiple agencies with similar needs can pool resources and share the authorization workload.
Your Cloud Service Offering will fall into one of four impact levels: Low, Moderate, High, or Low-Impact Software as a Service (LI-SaaS). You must determine the security categorization using the FedRAMP FIPS 199 Categorization Template and NIST Special Publication 800-60 Volume 2 Revision 1. Each level determines your security control requirements, with LI-SaaS having the most streamlined requirements for low-impact SaaS applications that don’t store PII beyond basic login information.
Once you know your correct security impact level, you will need to fulfill the requirements from the FedRAMP security controls baseline. Security controls for each baseline can be found within the FedRAMP Security Controls Template.
After you’ve implemented the appropriate set of controls, you’ll need to document the details in a System Security Plan (SSP). Ensure your system is fully built and functional before proceeding, as this is a prerequisite for the authorization process.
Lastly, FedRAMP requires you to submit a set of supporting documents along with your SSP. The templates for these documents can be downloaded at www.fedramp.gov. The final activity in this phase is conducting a Kickoff Meeting with your agency partner to discuss system functionality, technical security architecture, customer responsible controls, compliance gaps, and project milestones.
2. Assess
Once you finish phase one, you’ll need to hire an independent assessor to test and verify your controls’ implementation and effectiveness. When the testing is completed, the independent assessor will prepare a Security Assessment Report (SAR) that documents all results of the testing conducted, including assessment results, identified risks, and recommendations for mitigation. After you’ve reviewed the report, your assessor will share it with the security team at the agency you’re working with or with the JAB. In the meantime, you can start developing your Plan of Action & Milestones (POA&M), which describes how you will resolve the vulnerabilities identified in the report, and submit it to the same agency.
3. Authorize
After the assessment and documents have been delivered, you’ll need to submit the entire security package to your authorizing official (AO) at the agency. The AO will review the materials and either approve them or request further testing. A final review is then conducted that decides whether you will have an Authority to Operate (ATO). For agency authorization, a signed ATO letter will be given to you by your Authorizing Official.
4. Monitor
Even after you receive the ATO, your work isn’t finished. To maintain the authorization, you’ll need to have continuous monitoring implemented and maintain an appropriate risk level associated with your security impact level. The agency can revoke the authorization if you fail these steps. You can learn more about the authorization using the Agency Authorization page or the FedRAMP Agency Authorization playbook.
Should I get a FedRAMP agency authorization or pursue a multi-agency authorization?
If your product will be used by multiple federal agencies, you should consider pursuing a joint multi-agency authorization. Under the current FedRAMP policy established by OMB Memo M-24-15, multiple agencies with similar needs can pool resources and achieve consensus on an acceptable risk posture. When agencies collaborate on a joint authorization, they can share the workload and costs associated with the security assessment while ensuring the cloud service meets their collective requirements.
The multi-agency authorization process requires an accredited third-party assessment organization (3PAO) to complete the readiness assessment — something you’ll need before beginning a FedRAMP assessment. Once you partner with the collaborating agencies and are deemed FedRAMP ready, you’ll complete a System Security Plan and use your 3PAO for the full assessment. The agencies will then conduct their joint review of the authorization package, and upon successful completion, the participating agencies’ authorizing officials will issue their Authority to Operate. This process can take months to complete, but provides broader government-wide reuse potential.
On the other hand, if you want to gain authorization to work with a single federal agency or if your product has niche demand, you can work directly with an agency to obtain a single agency FedRAMP Authority to Operate (ATO). Going this direction may be quicker since you only need to satisfy one agency’s specific requirements and risk tolerance. However, other agencies wanting to use your service would need to conduct their own authorization process or leverage the existing authorization through the FedRAMP Marketplace.
After any agency authorization is issued, FedRAMP performs a quality, security, and risk review to determine the service’s suitability for government-wide reuse. This “do once, use many” approach allows other agencies to leverage your authorization, potentially expanding your market reach even if you initially pursued a single-agency path.
How does FedRAMP fit into your overall compliance program?
While FedRAMP applies specifically to work with the U.S. government, the controls needed to safeguard a cloud service offering are similar to those required by other information security standards and certifications. In fact, the JAB used the NIST SP 800-53 catalog of controls as the baseline, and many other frameworks’ requirements overlap with it. This means that if you already adhere to another information security framework (e.g., ISO 27001, NIST CSF, SOC 2® Type 2), you may already have done a lot of the work needed for FedRAMP.
If you’ve already implemented an information security framework in the Hyperproof platform and want to meet FedRAMP security controls baseline, the Hyperproof platform will recommend which existing controls you can leverage to fulfill them, making it significantly easier and faster to complete the standard. Conversely, the controls you implement for FedRAMP can be reused to meet the requirements of other information security standards and frameworks.
Note that FedRAMP does not supersede local or regional laws, government regulations, or other legal requirements.
What security controls does FedRAMP require?
When creating the baseline for FedRAMP, the Joint Authorization Board (JAB), in cooperation with the Office of Management and Budget (OMB), used the NIST SP 800-53 catalog of controls with certain modifications for the unique risks of cloud computing environments. The FedRAMP Program Management Office (PMO) maintains and updates the baseline security controls, documentation, and templates. It’s likely that many controls already in your organization will satisfy controls in the FedRAMP templates. Some controls might require you to implement new tools, while others will need changes to be made in existing systems. For a full list of requirements and controls, you can download the Security Controls Baseline. It’s important to remember that the baseline is the minimum you’ll need to do, and the agency you work with might impose additional requirements above the baseline.
What security impact level and security level do I need?
FedRAMP categorizes Cloud Service Providers into four security impact levels, and each has different security control requirements.
Low Impact
In most cases, companies will be at this level if their applications do not store personally identifiable information (PII) beyond what’s generally required for login capability, such as username, password, and email. A loss of confidentiality, integrity, or availability of this information would have limited adverse effects on an agency’s operations, assets, or individuals.
Moderate Impact
This level accounts for nearly 80% of CSP applications that receive FedRAMP authorization and is most appropriate for CSOs where the loss of information would have serious adverse effects on the agency’s operations, assets, or individuals.
High Impact
High-impact data is in systems where the loss of confidentiality, integrity, or availability would be severe or catastrophic. You can find this data in law enforcement and emergency services systems, financial systems, or health systems.
Low-Impact Software as a Service (LI-SaaS)
This is a specialized category for Software as a Service applications that contain no PII except what’s needed for login capability (username, password, and email address), are Low security impact as defined by FIPS PUB 199, and are hosted within a FedRAMP Authorized PaaS or IaaS. LI-SaaS has streamlined security control requirements compared to the standard Low impact level.
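As an added example (not part of this guide or of Hyperproof’s product), the script below implements the FIPS 199 high-water-mark rule behind the categorization step and then applies the four-level mapping described above, including the LI-SaaS eligibility conditions; the information types and their impact ratings are constructed sample data, not entries from NIST SP 800-60 Volume 2.

```python
# Added example, not from the page: FIPS 199 high-water-mark categorization and
# FedRAMP baseline selection. The information types below are constructed
# sample data, not entries from NIST SP 800-60 Volume 2.
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    login_only_pii: bool = True  # only username, password and email are held


def categorize(info_types):
    """FIPS 199 high-water mark: each objective takes the highest impact
    rated for any information type, and the system-level category is the
    highest of the three objectives. Returns (overall, per_objective)."""
    if not info_types:
        raise ValueError("at least one information type is required")
    per_objective = {}
    for obj in OBJECTIVES:
        ratings = [getattr(t, obj).lower() for t in info_types]
        unknown = [r for r in ratings if r not in LEVELS]
        if unknown:
            raise ValueError(f"unknown impact rating for {obj}: {unknown}")
        per_objective[obj] = max(ratings, key=LEVELS.__getitem__)
    overall = max(per_objective.values(), key=LEVELS.__getitem__)
    return overall, per_objective


def fedramp_baseline(info_types, hosted_on_authorized_iaas_paas):
    """Map the FIPS 199 category to a FedRAMP baseline name. LI-SaaS applies
    only when the system is Low, holds no PII beyond login data, and runs on
    a FedRAMP Authorized IaaS/PaaS; otherwise the plain impact level is used."""
    overall, _ = categorize(info_types)
    login_only = all(t.login_only_pii for t in info_types)
    if overall == "low" and login_only and hosted_on_authorized_iaas_paas:
        return "LI-SaaS"
    return overall.capitalize()


# Constructed sample: a ticketing SaaS that also stores case notes.
SAMPLE_TYPES = [
    InfoType("user accounts", "low", "low", "low"),
    InfoType("case notes", "moderate", "moderate", "low", login_only_pii=False),
]
```

A single Moderate rating on one information type pulls the whole system to the Moderate baseline, which is why the categorization should be done per information type before the SSP is drafted.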
Hyperproof for FedRAMP Compliance
Hyperproof’s compliance operations software solution helps organizations understand FedRAMP requirements, document controls for their business, streamline and automate the evidence management process, generate SSP reports, and monitor their security controls to ensure ongoing effectiveness. Plus, it comes with templates for the FedRAMP High, Moderate, and Low Impact level requirements to help you hit the ground running. Learn more about simplifying your journey to FedRAMP compliance with Hyperproof.

Hyperproof also partners with professional service firms with proven track records and deep expertise in helping organizations get FedRAMP assessment-ready. Our partners help customers design their information security compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
Drafting Compliance: Follow us on our FedRAMP journey
Hyperproof will be FedRAMP Moderate in 2025. Subscribe to our YouTube series, Drafting Compliance, where we rate beers and talk about how we’re becoming FedRAMP compliant.