The Ultimate Guide to

Federal Risk and Authorization Management Program (FedRAMP)

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for all cloud products and services.

Protect mission-critical data

The US federal government is one of the largest buyers of cloud technology and knows that innovative Cloud Service Providers can save agencies time and resources while meeting their critical mission needs. In fact, a 2020 FedRAMP survey found that 45% of federal agencies and 52% of state and local governments are currently storing mission-critical data in the cloud, and nearly every respondent said that they use the cloud to store at least some of their systems or solutions.

In order to protect data stored in the cloud, the General Services Administration (GSA) created the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized security framework for all cloud products and services that is recognized by all executive federal agencies. Cloud Service Providers (CSPs) only need to go through the FedRAMP Authorization process once for each Cloud Service Offering (CSO) and perform continuous monitoring. Meanwhile, all agencies can review the same continuous monitoring deliverables, creating efficiencies across the government.

What is the purpose of FedRAMP?

The purpose of FedRAMP is to:

Ensure that cloud applications and services used by government agencies have sufficient security safeguards to protect federal information.

Enable the procurement of information systems/services in an efficient and cost-effective manner.

Eliminate duplicative efforts and risk management costs across government entities.

Does my business need to be FedRAMP authorized?

If your company provides cloud computing services or SaaS applications and plans on having the U.S. government as a customer, then you will need to become FedRAMP authorized. Don’t let the size of your company deter you, either. Over 30% of FedRAMP Cloud Service Providers are small businesses.

Did you know that Hyperproof can save you hours of time by automatically generating the SSP reports required for FedRAMP?

Demo Now

The 4 phases to the authorization process: How to get FedRAMP certified

1. Prepare and plan

There are six steps in the preparation/planning phase, and the process can take weeks or multiple months depending on the maturity of your current security compliance program.

Step 1: Establish a partnership with a federal agency

The first step is to find a federal agency that is interested in using your product and willing to go through the authorization process with you. You’ll need to formalize this partnership by submitting an In Process Request (IPR) letter and work breakdown structure (WBS) to obtain confirmation and an In Process listing on the FedRAMP Marketplace.

Step 2: Determine your authorization path

Under the current FedRAMP policy established by OMB Memo M-24-15, you work directly with a federal agency to obtain an Authority to Operate (ATO) letter. For services that will be used by multiple agencies, you can pursue a joint multi-agency authorization where multiple agencies with similar needs can pool resources and share the authorization workload.

Step 3: Determine the security impact level and security objective for your application

As a Cloud Service Provider, you can be one of four levels: low, moderate, high, or Low-Impact Software as a Service (LI-SaaS). Each level determines your security control requirements. You must determine the security categorization using the FedRAMP FIPS 199 Categorization Template and NIST Special Publication 800-60 Volume 2 Revision 1. Each level determines your security control requirements, with LI-SaaS having the most streamlined requirements for low-impact SaaS applications that don’t store PII beyond basic login information.

Step 4: Implement security controls

Once you know your correct security impact level, you will need to fulfill the requirements from the FedRAMP security controls baseline. Security controls for each baseline can be found within the FedRAMP Security Controls Template.

Step 5: Document your control set

After you’ve implemented the appropriate set of controls, you’ll need to document the details in a System Security Plan (SSP). Ensure your system is fully built and functional before proceeding, as this is a prerequisite for the authorization process.

Step 6: Prepare supporting documents and conduct a kickoff meeting

Lastly, FedRAMP requires you to submit a set of supporting documents along with your SSP. The templates for these documents can be downloaded at www.fedramp.gov. The final activity in this phase is conducting a Kickoff Meeting with your agency partner to discuss system functionality, technical security architecture, customer responsible controls, compliance gaps, and project milestones.

2. Assess

Once you finish phase one, you’ll need to hire an independent assessor to test and verify your controls’ implementation and effectiveness. When the testing is completed, the independent assessor will prepare a Security Assessment Report (SAR) that documents all results of the testing conducted, including assessment results, identified risks, and recommendations for mitigation.. After you’ve reviewed the report, your assessor will share it with the security team at the agency you’re working with or with the JAB. In the meantime, you can start developing your Plan of Action & Milestones (POA&M), which addresses how you will resolve the vulnerabilities in your report and submit this to the same agency.

3. Authorize

After the assessment and documents have been delivered, you’ll need to submit the entire security package to your authorizing official (AO) at the agency. The AO will review the materials and either approve them or request further testing. A final review is then conducted that decides whether you will have an Authority to Operate (ATO). For agency authorization, a signed ATO letter will be given to you by your Authorizing Official.

4. Monitor

Even after you receive the ATO, your work isn’t finished. To maintain the authorization, you’ll need to have continuous monitoring implemented and maintain an appropriate risk level associated with your security impact level. The agency can revoke the authorization if you fail these steps. You can learn more about the authorization using the Agency Authorization page or the FedRAMP Agency Authorization playbook.

Should I get a FedRAMP agency authorization or pursue a multi-agency authorization?

If your product will be used by multiple federal agencies, you should consider pursuing a joint multi-agency authorization. Under the current FedRAMP policy established by OMB Memo M-24-15, multiple agencies with similar needs can pool resources and achieve consensus on an acceptable risk posture. When agencies collaborate on a joint authorization, they can share the workload and costs associated with the security assessment while ensuring the cloud service meets their collective requirements.

The multi-agency authorization process requires an accredited third-party assessment organization (3PAO) to complete the readiness assessment — something you’ll need before beginning a FedRAMP assessment. Once you partner with the collaborating agencies and are deemed FedRAMP ready, you’ll complete a System Security Plan and use your 3PAO for the full assessment. The agencies will then conduct their joint review of the authorization package, and upon successful completion, the participating agencies’ authorizing officials will issue their Authority to Operate. This process can take months to complete, but provides broader government-wide reuse potential.

On the other hand, if you want to gain authorization to work with a single federal agency or if your product has niche demand, you can work directly with an agency to obtain a single agency FedRAMP Authority to Operate (ATO). Going this direction may be quicker since you only need to satisfy one agency’s specific requirements and risk tolerance. However, other agencies wanting to use your service would need to conduct their own authorization process or leverage the existing authorization through the FedRAMP Marketplace.

After any agency authorization is issued, FedRAMP performs a quality, security, and risk review to determine the service’s suitability for government-wide reuse. This “do once, use many” approach allows other agencies to leverage your authorization, potentially expanding your market reach even if you initially pursued a single-agency path.

How does FedRAMP fit into your overall compliance program?

While FedRAMP is used specifically for work with the U.S. government, the controls needed to safeguard a cloud service offering are similar to those used by other infosecurity standards and certifications. In fact, the JAB used the NIST SP 800-53 catalog of controls as a baseline, although many other framework requirements will overlap. This means that if you already adhere to another information security framework (e.g., ISO 27001, NIST CSF, SOC 2® Type 2), you may already have done a lot of the work needed for FedRAMP.

GuIDE

The Compliance Operations Methodology

Manage IT risks in a disciplined, proactive manner and efficiently prove to customers that you can keep sensitive data safe.

If you’ve already implemented an information security framework in the Hyperproof platform and want to meet FedRAMP security controls baseline, the Hyperproof platform will recommend which existing controls you can leverage to fulfill them, making it significantly easier and faster to complete the standard. Conversely, the controls you implement for FedRAMP can be reused to meet the requirements of other information security standards and frameworks.

Note that FedRAMP does not supersede local or regional laws, government regulations, or other legal requirements.

What security controls does FedRAMP require?

When creating the baseline for FedRAMP, the Joint Authorization Board (JAB), in cooperation with the Office of Management and Budget (OMB), used the NIST SP 800-53 catalog of controls with certain modifications for the unique risks for cloud computing environments. The FedRAMP Program Management Office (PMO) maintains and updates the baseline security controls, documentation, and templates. It’s likely that many controls already in your organization will satisfy controls in the FedRAMP templates. Some controls might require you to implement new tools, while others will need changes to be made in existing systems. For a full list of requirements and controls, you can download the Security Controls Baseline. It’s important to remember that the baseline is the minimum you’ll need to do, and the agency you work with might require additional requirements above the baseline.

What security impact level and security level do I need?

FedRAMP categorizes Cloud Service Providers into four security impact levels, and each has different security control requirements.

Low Impact

In most cases, companies will be at this level if their applications do not store personal identifiable identification beyond what’s generally required for login capability, such as username, password, and email. The loss of this information such as confidentiality, integrity and availability would have limited adverse effects on an agency’s operations, assets or individuals.

Moderate Impact

This level accounts for nearly 80% of CSP applications that receive FedRAMP authorization and are most appropriate for CSOs where the loss of information would have serious adverse effects on the agency’s operations, assets, or individuals.

High Impact

High-impact data is in systems where the loss of confidentiality, integrity, or availability would be severe or catastrophic. You can find this data in law enforcement and emergency services systems, financial systems, or health systems.

Low-Impact Software as a Service (LI-SaaS)

This is a specialized category for Software as a Service applications that contain no PII except what’s needed for login capability (username, password, and email address), are Low security impact as defined by FIPS PUB 199, and are hosted within a FedRAMP Authorized PaaS or IaaS. LI-SaaS has streamlined security control requirements compared to the standard Low impact level.

FedRAMP: Frequently Asked Questions

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to standardize the security assessment, authorization, and continuous monitoring processes for cloud products and services used by federal agencies.

The goal of FedRAMP is to ensure that cloud services meet strict security requirements, ultimately protecting federal data and promoting the adoption of secure cloud technologies across government agencies.

Hyperproof is currently pursuing FedRAMP compliance. Want to learn about our journey? Check out our podcast, Drafting Compliance.

FedRAMP certification comes with many benefits, including:

Market access

Authorization enables Cloud Service Providers (CSPs) to offer their services to federal agencies, ultimately expanding their market reach.

Enhanced security

Achieving FedRAMP authorization demonstrates an organization’s commitment to stringent security controls, enhancing not only overall security posture but also trust and credibility within the market. It ensures the organization adheres to a standardized set of security requirements vetted by federal agencies.

Standardization

FedRAMP simplifies the security assessment process by providing a unified approach, reducing the need for multiple assessments by different agencies. This standardization also ensures consistency in the security of cloud services used by federal agencies.

Cost savings

Authorization reduces the time and resources required for individual agency assessments, leading to cost savings for both CSPs and federal agencies. The standardized approach eliminates redundancy and streamlines the authorization process.

Competitive advantage

FedRAMP certification distinguishes certified CSPs from competitors, showcasing their dedication to high-security standards and compliance with federal requirements.

FedRAMP compliance is required for any CSP that offers services to federal agencies. This includes any third-party vendors that store, process, or transmit federal data as part of their cloud-based solutions for government entities. Compliance is mandatory to ensure that cloud services meet the stringent security standards necessary to protect sensitive federal information.

NIST (National Institute of Standards and Technology) provides the foundational security controls and guidelines through NIST SP 800-53, which outlines security and privacy controls for federal information systems and organizations. FedRAMP, on the other hand, builds upon NIST guidelines by adding specific requirements and processes tailored for cloud service providers. While NIST provides the baseline controls, FedRAMP standardizes the security assessment, authorization, and continuous monitoring processes for cloud services used by federal agencies.

Starting the FedRAMP certification process involves several key steps:

Understand requirements: Familiarize yourself with FedRAMP requirements and guidelines, including the FedRAMP security controls baseline and determine the security categorization of your data using the FedRAMP FIPS 199 Categorization Template and NIST Special Publication 800-60 Volume 2 Revision.
Choose your authorization path: Select the appropriate authorization path – Agency Authorization (working directly with a federal agency) or pursue a joint multi-agency authorization where multiple agencies with similar needs can pool resources.
Establish an agency partnership: Find a federal agency that is interested in using your product and willing to go through the authorization process with you. Formalize this partnership by submitting an In Process Request (IPR) letter and work breakdown structure (WBS) to [email protected].
Esnure system readiness: Your system must be fully built and functional before proceeding, and you need a leadership team that is committed and fully on board with the FedRAMP process. Submit a CSP Information Form to receive your FedRAMP ID.
Conduct gap analysis and implement security controls Conduct a gap analysis to identify areas needing improvement to meet FedRAMP requirements, then implement the appropriate security controls based on your security impact level.
Develop a System Security Plan (SSP): Document your security controls and procedures in an SSP, which includes detailed information about the system’s security posture and how it meets the FedRAMP requirements.
Optional: Pursue FedRAMP Ready designation: You may elect to pursue the FedRAMP Ready designation by working with a FedRAMP-recognized third-party assessment organization (3PAO) to complete a Readiness Assessment. This designation is available for Moderate and High impact levels and is valid for one calendar year.
Conduct a kickoff meeting: Prepare for and conduct a Kickoff Meeting with your agency partner to discuss system functionality, technical security architecture, customer responsible controls, compliance gaps, and project milestones.
Engage a third-party assessment organization: Work with an accredited third-party assessment organization (3PAO) to conduct an independent security assessment, including testing the implementation of security controls.
Remediate findings and submit for review: Address any findings from the 3PAO assessment to ensure compliance with FedRAMP requirements, then submit your authorization package for agency review.
Achieve authorization: Upon successful review, receive your FedRAMP Authority to Operate (ATO) from the authorizing federal agency. Once issued, FedRAMP performs a quality, security, and risk review to determine the service’s suitability for government-wide reuse.
Implement continuous monitoring: Implement a continuous monitoring program to regularly assess the system’s security posture and provide monthly deliverables to maintain your authorization.

FedRAMP compliance requires meeting a set of stringent security requirements.

Implement NIST SP 800-53 controls

NIST 800-53 controls must be implemented and the appropriate security controls should be applied based on the cloud service’s impact level (Low, Moderate, High, or LI-SaaS).

Document security measures

Detailed documentation must be created and maintained. This documentation includes:

System Security Plan (SSP)
Security Assessment Plan (SAP)
Security Assessment Report (SAR)
Plan of Action and Milestones (POA&M)
Continuous Monitoring Strategy

Continuous monitoring

Implement ongoing monitoring processes to ensure continuous compliance and address emerging threats. This includes regular security assessments and updates to security documentation.

Independent assessment

An organization must undergo regular assessments by an accredited Third-Party Assessment Organization (3PAO) to validate compliance. This includes initial assessments and annual reviews.

Authorization

Obtain an Authority to Operate (ATO) from a federal agency.

Low: For systems with low impact on an organization’s operations, assets, or individuals if compromised. Suitable for less sensitive information.

Moderate: For systems with moderate impact, requiring more stringent controls. Most federal cloud services fall under this category.

High: For systems with high impact involving highly sensitive data. Requires the highest level of security controls and continuous monitoring.

LI-SaaS (Low-Impact Software as a Service): For low-impact SaaS applications that contain no PII except what’s needed for login capability (username, password, and email address). This category has streamlined security control requirements compared to the standard Low impact level.

The time required to achieve FedRAMP authorization varies based on the organization’s complexity, readiness, and chosen authorization path. Typically, the process can take anywhere from six to eighteen months. However, the time frame can vary significantly. Conducting a thorough gap analysis and preparing comprehensive documentation can help expedite the process.

FedRAMP assessments must be conducted annually. Cloud service providers are required to undergo annual security assessments by an accredited Third-Party Assessment Organization (3PAO) to ensure ongoing compliance with FedRAMP requirements. Continuous monitoring is mandatory, including monthly vulnerability scans and regular updates to the System Security Plan (SSP) to address new threats and vulnerabilities. These continuous monitoring activities are essential to maintain the authorization to operate (ATO) status.

Maintaining FedRAMP compliance involves:

Continuous monitoring: Implementing ongoing monitoring processes to detect and respond to security incidents, including monthly vulnerability scans, automated security assessments, and continuous logging and alerting.
Annual assessments: Undergoing annual assessments by an accredited 3PAO to validate ongoing compliance and ensure the security controls are effective.
Updating documentation: Regularly updating the System Security Plan (SSP) and other documentation to reflect changes in the system or environment, ensuring all controls and procedures are current and accurate.
Incident reporting: Promptly reporting any security incidents to the appropriate federal agencies and taking corrective actions, following the incident response procedures defined in the Incident Response Plan (IRP).
Plan of Action and Milestones (POA&M) management: Maintaining and addressing POA&Ms to track the remediation of any identified weaknesses or deficiencies.

FedRAMP Ready: Indicates that a CSP has a high likelihood of achieving FedRAMP Authorization. It is an initial designation based on a readiness assessment by an accredited 3PAO. This status shows that the CSP’s documentation and security controls are prepared for the full security assessment.

In Process: Signifies that a CSP is actively working towards achieving FedRAMP Authorization, through an agency sponsor.

Authorized: Means that a CSP has successfully met all FedRAMP requirements and has been granted an Authority to Operate (ATO) by an authorizing federal agency. This status indicates that the CSP’s service offering has been thoroughly vetted and approved for use by federal agencies.

Common challenges in achieving FedRAMP compliance include:

Complex documentation: Preparing detailed and comprehensive documentation can be time-consuming and challenging.
Stringent security controls: Implementing the required security controls and demonstrating their effectiveness can be difficult, especially for smaller organizations.
Resource intensive: The process requires significant time, effort, and financial resources.
Continuous monitoring: Maintaining ongoing compliance through continuous monitoring and regular assessments can be demanding.

Several resources are available to assist with FedRAMP certification:

The FedRAMP website, which provides detailed guidance, templates, and documentation.
Accredited 3PAOs which offer independent assessment services and guidance on meeting FedRAMP requirements.
Consulting firms which specialize in helping organizations navigate the FedRAMP certification process.
Training programs which provide education on FedRAMP requirements and best practices.
A GRC tool which streamlines the FedRAMP certification process by automating compliance workflows, centralizing documentation, and providing real-time monitoring and reporting capabilities.

Learn how Hyperproof can make the FedRAMP certification process easier

Yes, a company can lose its FedRAMP certification if it fails to maintain compliance with FedRAMP requirements. This can occur due to deficiencies identified during continuous monitoring or annual assessments, failure to address security incidents promptly, or significant changes in the system that are not adequately documented or managed.

FedRAMP maps to the following frameworks:

Hyperproof for FedRAMP Compliance

Hyperproof’s compliance operations software solution helps organizations understand FedRAMP requirements, document controls for their business, streamline and automate the evidence management process, generate SSP reports, and monitor their security controls to ensure ongoing effectiveness. Plus, it comes with templates for FedRAMP High, Moderate and Low Impact levels requirements to help you hit the ground running. Learn more about simplifying your journey to FedRAMP compliance with Hyperproof.

Smiling man with glasses standing behind a shield that says FR, meaning FedRAMP

A pre-built template to help you implement controls quickly and correctly

The ability to jumpstart the FedRAMP process by reusing controls from another security compliance framework

Automated and efficient evidence collection tools to document your efforts and gauge readiness towards FedRAMP compliance

Automatically generate SSP reports for FedRAMP compliance

Frictionless collaboration between compliance teams, internal stakeholders, and a 3rd-party their auditor

Assign Control assignments to program participants so you can keep team members on track

Dashboards to gauge progress, monitor controls, and view assessment preparedness posture

Hyperproof also partners with professional service firms with proven track records and deep expertise in helping organizations get FedRAMP assessment-ready. Our partners help customers design their information security compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.

Drafting Compliance: Follow us on our FedRAMP journey

Hyperproof will be FedRAMP Moderate in 2025. Subscribe to our YouTube series, Drafting Compliance, where we rate beers and talk about how we’re becoming FedRAMP compliant.