The Ultimate FedRAMP Guide 2021

The ultimate FedRAMP guide 2021

This guide goes over everything you need to know about FedRAMP. Learning the background of the program, why it exists and how to navigate it is key for both agencies and vendors. There are a lot of rules and a broad legal framework that is important to know. You will understand what the main FedRAMP requirements are. We go in-depth on how vendors get FedRAMP certification and sell to federal agencies. Finally, this guide covers how best to navigate the marketplace and avoid common pitfalls.

Table of Contents

What is FedRAMP?

  • Why is FedRAMP Important?
  • History of FedRAMP
  • FedRAMP Legal Framework
  • FedRAMP NIST Risk Management Framework (RMF)
  • FedRAMP Governance
  • FedRAMP Partnership Ecosystem

How to get FedRAMP Authorized

  • Difference Between P-ATO and ATO FedRAMP Authorization
  • What P-ATO FedRAMP Authorization Means
  • What ATO FedRAMP Authorization Means
  • Choosing Between P-ATO and ATO

Preparing for Authorization

  • JAB Provisional Authorization to Operate (P-ATO) Authorization Process
  • FedRAMP Agency Authorization to Operate (ATO) Authorization Process
  • How Long Does The FedRAMP Authorization Take Under ATO?
  • How to Get FedRAMP Agency Authorization (ATO)

What is the FedRAMP Marketplace?

  • What’s the difference between FedRAMP Ready, In Process and Authorized?
  • What is the difference between FedRAMP High, Moderate, Low and LI-SaaS Impact Levels?

What are the FIPS 199 Security Objectives?


FedRAMP Facts and Statistics (Fiscal Year 2020)

  • Over 1,500 FedRAMP Authorizations have been issued, with over 80% under reuse 
  • 200 Cloud Service Offerings have received FedRAMP Authorizations 
  • 160 Cloud Service Offerings have Agency ATO Authorizations 
  • 40 Cloud Service Offerings have JAB P-ATO Authorizations
  • The top Agencies with the largest number of Authorizations are Department of Health and Human Services, Department of Commerce, Department of Energy, Department of Defense and Department of the Treasury
  • Cybersecurity Federal budget was $18.8 billion 

Sources: Internal research based on publicly available information

What is FedRAMP? 

FedRAMP (Federal Risk and Authorization Management Program) is a federal program that standardizes the security authorizations of cloud products and services.  This allows federal agencies to adopt approved cloud services knowing that they have already passed acceptable security standards. Primary goals include increasing adoption of the latest cloud technology, lower IT costs and standardize security requirements. The program also lays out the requirements that agencies must follow to use cloud services.  It also defines the responsibilities of executive department and agencies that maintain FedRAMP.  

FedRAMP goals:

  • Ensure use of cloud services protects and secures federal information
  • Enable reuse of cloud services across the federal government to save money and time

Here are five areas on how FedRAMP achieves these goals:

  1. Have a single rigorous security authorization process that can be used reused to minimize redundant efforts across agencies
  2. Leverage FISMA and NIST for assessing security in the cloud
  3. Increase collaboration across agencies and vendors 
  4. Standardize best practices and drive uniformity across security packages
  5. Increase cloud adoption by creating a central repository that facilitates re-use among agencies. 

Why is FedRAMP Important?

The US government spends billions of dollars each year on cybersecurity and IT security. FedRAMP is critical to improving those costs. The program lowers cloud adoption costs while maintaining stringent security standards.  It standardizes the security authorization process for both agencies and vendors.  

Before FedRAMP, each agency would have to define its own security requirements and allocate dedicated resources.  This would increase complexity and create a security nightmare across agencies. Many agencies don’t have the resources to develop their own standards. They also can’t test every vendor. 

Depending on other Agencies is also problematic. Sharing data and security authorizations across agencies is slow and painful.  An agency may not trust the work done by another agency. The use case for one agency may not be applicable to another. Thus, an agency may launch a redundant authorization process itself.  

Cloud vendors also face extreme difficulty without standardization. Vendors have their own security standards. They would have to tailor their system to meet each agency’s custom requirements. The investment into each process became high. Thus many vendors became discouraged while working with agencies. 

History of FedRAMP

The roots of this program go back almost two decades ago.  Congress enacted the E-Government Act of 2002 to improve electronic government services. The act establish a Federal Chief Information Officer within the Office of Management and Budget (OMB).  One key component was introduction of the Federal Information Security Management Act of 2002 (FISMA). This promoted using a cybersecurity framework to protect against threats.  

Since then, advancements such as cloud technology have continued to accelerate.  Cloud products and services allow the government to leverage the latest technology. This results in more effective services for citizens.  Cloud technology also drives procurement and operating costs down, translating into billions of savings.  Despite the huge cost savings, agencies still need to prioritize security.

On December 2, 2011, the Federal CIO of the OMB (Steve VanRockel) sent out a Memorandum for Chief Information Officers to establish FedRAMP.  It was the first government-wide security authorization program under FISMA.  The memo required each agency to develop, document, and implement information security for systems.

FedRAMP Legal Framework

Who Is Responsible For Implementing FedRAMP 

Three parties are responsible for implementing FedRAMP: Agencies, Cloud Service Providers (CSPs) and Third Party Assessment Organization (3PAOs).  

The FedRAMP Law and Legal Framework

FedRAMP is required for Federal Agencies by law. There’s no way getting around it, so all parties must go through the same standardized process. The law states that each Agency must grant security authorizations to use cloud services.

Diagram of FedRAMP Legal Framework For Federal Agencies: Law, Mandate, Policy, Authorize

Here are the four pillars of the FedRAMP legal framework:

  • Law: FISMA requires all agencies to perform cybersecurity
  • Mandate: OMB states that when agencies implement FISMA, they must use the NIST framework (OMB Circular A-130)
  • Policy: Agencies must use NIST under FedRAMP requirements 
  • Authorize: Each agency must individually authorize a system for use – it cannot have a different agency authorize on its behalf

FedRAMP NIST Risk Management Framework (RMF)

Per FISMA, Agencies must use the NIST framework as required by law. This risk management framework provides several key objectives. First, it standardizes the risk management process of systems. These federal systems must be consistent with the organization’s goals. These standardized security requirements are integrated into the risk process and technology infrastructure. There must also be continuous monitoring system and process to update system security. The framework also supports consistent, well informed, and ongoing security authorization decisions.

The latest NIST guide released was on December 2018, under publication NIST SP 800-37 Revision 2.  This new document replaces the old framework, which originally had six phases.

The NIST Risk Management Framework has seven main phases (updated from six phases):

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

Here are the definitions of the NIST RMF

  1. Prepare: Carry out essential activities at the organization, mission and business process, and information system levels of the organization to help prepare the organization to manage its security and privacy risk.
  2. Categorize: Inform organizational risk management processes and tasks. Determine the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.
  3. Select: Select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk.
  4. Implement: Implement the controls in the security and privacy plans for the system and organization. Document in a baseline configuration, the specific details of the control implementation.
  5. Assess: Determine if the controls selected for implementation are correctly implemented, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements.
  6. Authorize: Provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) is acceptable
  7. Monitor: Maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.

Who is Responsible for Implementing the NIST Risk Management Framework?

Agencies, Cloud Service Providers (CSPs) and Third Party Assessment Organizations (3PAOs) are responsible for implementing this framework.  Here are the responsibilities for the seven phases.

  1. Agencies Prepare and align the risk framework to the organization’s mission. The Head of Agency, CIO and supporting officials are responsible for establishing the organization’s risk management strategy, org structure, process, security policies and requirements, and other key systems and policies.
  2. CSPs Categorize and document the characteristics of their system.  This involves conducting a security categorization. Vendors can use FIPS 199 to establish a single impact level for a system (Low, Moderate, High) or CNSSI 1253.  
  3. CSPs Select and document the Control baselines necessary to protect the system commensurate with risk. These fall under NIST 800-53 governance. CSPs implement hundreds of security controls as required by security authorizations.
  4. CSPs Implement and document the controls required for authorization (such as the System Security Plan or SSP). CSPs must fully document and have an independent auditor validate the security of their system.
  5. 3PAOs Assess and ensure that system meets the organization’s security and privacy requirements. This assessment requires extensive examination and thousands of pieces of evidence to validate vendors. The process takes months given the complexity. All parties should be aware of the costs and time involved.
  6. Agencies Authorize when the system is ready for use by issuing an Authorization to Operate (ATO) Letter.  Each Agency must issue its own authorization as required by FISMA.  The benefit of FedRAMP is that it enables re-use.
  7. CSPs and 3PAOs Monitor the security and privacy of the system on a recurring basis, such as monthly or yearly.

FedRAMP Governance

FedRAMP Governance is comprised of different executive branch entities that work collaboratively on the program. 

  1. Joint Authorization Board (JAB)
  2. FedRAMP Program Management Office (PMO)
  3. Department of Homeland Security (DHS)
  4. National Institute for Standards and Technology (NIST)
  5. CIO Council
  6. Office of Management and Budget (OMB)

  1. Joint Authorization Board (JAB): Acts as the primary governance and decision-making body. The JAB is a board committee that includes the Chief Information Officers from the General Services Administration (GSA), the Department of Defense (DoD), and the Department of Homeland Security (DHS). This board provides government-wide requirements baselines. Baselines address the minimum security needs associated with the cloud. These requirements also establish 3PAO standards. The JAB also provides joint provisional security authorizations for a limited number of cloud solutions. Agencies can then leverage these services by granting Authority to Operate at their respective organizations.
  2. FedRAMP Program Management Office (PMO): Established within GSA, the PMO handles the development of the FedRAMP program and manages day to day operations. The office provides a unified process for all agencies to follow. It also works closely with the JAB. The PMO helps to prioritize vendors to achieve authorizations. It organizes, schedules, and prepares JAB meeting agendas and minutes. Finally, a key role is to support CSPs and agencies through the FedRAMP process.
  3. Department of Homeland Security (DHS): Manages the FedRAMP continuous monitoring strategy. DHS monitors and reports on security incidents. DHS also assists with data feed criteria, reporting structure, threat notification coordination, and incident response. It also updates Federal standards for FISMA reporting and ongoing cybersecurity standards.
  4. National Institute for Standards and Technology (NIST): Establishes basic FISMA technical standards. NIST advises FedRAMP on FISMA compliance requirements and assists in developing the standards for the accreditation of independent 3PAOs. As required by FISMA, NIST’s security standards (SP 800-53, FIPS-199, FIPS-200, and risk management framework (SP 800-37)) serve as the foundation for FedRAMP.
  5. Office of Management and Budget (OMB): Governing body that issued the FedRAMP policy memo, which defines the key requirements and capabilities of the program.
  6. CIO Council: Disseminates FedRAMP information to Federal CIOs and other representatives through cross-agency communications and events

FedRAMP Partnership Ecosystem

FedRAMP has five key partners responsible for executing the program

  1. Joint Authorization Board (JAB)
  2. FedRAMP PMO
  3. Agencies
  4. Cloud Service Providers (CSPs)
  5. Third Party Assessment Organization (3PAOs)

Joint Authorization Board (JAB): Establishes requirement baselines, 3PAO standards and provides provisional security authorizations for a limited number of cloud solutions.

FedRAMP PMO: Runs the day-to-day operations. The PMO standardizes the process for all agencies to follow. Both the JAB and PMO work together to prioritize vendors and issue authorizations. This office also supports all CSPs and agencies throughout the authorization process. It also maintains a secure repository of FedRAMP ATOs to enable authorization reuse.

Agencies: Responsible for adhering to the FedRAMP requirements and integrating them into agency specific policies and procedures. They are also responsible for the contracting and negotiation with CSPs. Per FISMA, each agency must authorize cloud services individually under FedRAMP requirements.

Cloud Service Providers (CSPs): Entity that has a saleable cloud offering that transmits or stores data via a hosted service. A CSP can be a commercial vendor or government entity. CSPs are responsible for ensuring that their product or service meets and maintains the security requirements under NIST/FedRAMP standards. Detailed security and process documentation is critical. Providers must submit comprehensive documentation for their FedRAMP application. This ensures that CSPs meet the high standards of the federal government. 

Providers must contract with a 3PAO that will perform consulting and assessment activities to validate the system’s security. This includes performing initial and annual assessments. FedRAMP is not a one-time hurdle. CSPs must implement continuous monitoring requirements to maintain its FedRAMP authorization. Lack of compliance will invalidate the CSP’s security authorization.

Third Party Assessment Organization (3PAOs): Independent entities that perform initial and periodic security assessments of cloud systems. They do not provide government cloud services themselves. Their independence is critical security assessment process. Without it, it would break the security assessment chain. This is in accordance to ISO standards. 

CSPs contract in good faith with 3PAOs to receive consulting and assessment activities. 3PAOs assess the CSP’s security control implementations. They apply rigorous analysis, both from a process and technical architecture standpoint. This includes gathering thousands of pieces of evidence in support of the security analysis. Then they combine their findings to create Security Assessment Reports, including test results and evidence. These reports verify the CSPs’ security implementations and detail the overall risk posture of its cloud environment.

How to get FedRAMP Authorized

There are two paths for vendors to get FedRAMP Authorized

  1. JAB Provisional Authorization to Operate (P-ATO)
  2. Agency Authorization to Operate (ATO)

Difference Between P-ATO and ATO FedRAMP Authorization

The main difference is that the vendor can get authorization either from the FedRAMP PMO to get a P-ATO authorization or directly from an Agency that runs its own ATO process. Both P-ATO and ATO result in the same FedRAMP Authorization status. The end goal is the same: drive the government adoption of secure and diverse cloud products.

But the implications for each path are very different. The differences are one of the most common questions that agencies and vendors ask. 

What P-ATO FedRAMP Authorization Means

The P-ATO authorization process runs through the FedRAMP PMO’s office. Both agencies and vendors see it as the gold standard for getting authorization because of the rigor of review by the JAB. It’s like getting a stamp of approval by the head governing body. Agencies can have a high degree of confidence that the security meets FedRAMP standards. The cloud offering does not present any unidentified or unanticipated risks. Thus, agencies can re-use it. 

Keep in mind that P-ATO is provisional. Under FISMA, Agencies have to individually authorize the cloud offering. Agencies must ensure that it fits with their organization and mission requirements. But both the agency and vendor won’t have to go through the entire authorization process. That’s because the vendor’s offering is FedRAMP Authorized. Agencies can leverage the P-ATO and re-use the offering. It only has to grant a security authorization and accompanying ATO for use within their own agency. CSPs still need to get authorization from each agency it contracts with. The benefit is that they don’t have to redo the complete security assessment. It’s an extra step, but may be well worth it to get the JAB’s stamp of approval first.

Keep in mind that the P-ATO process can take twice as long as the ATO process.

What ATO FedRAMP Authorization Means

The ATO authorization process refers to an individual Agency’s process. Agencies can apply the same rigor under FedRAMP guidelines and drive the authorization process themselves. This approval process is better suited for cloud products that are more niche and benefit a small set of agencies. The ATO process takes about half the time of a P-ATO process. 

Note that the FedRAMP PMO still does a final review after the Agency issues an ATO letter. Thus, all Authorizations must go through the PMO. A key difference for the ATO path is that the Agency conducts the security assessment. The PMO conducts the security assessment under the P-ATO path.

Other agencies can re-use these security packages. But they would have to rely on the approving agency’s ATO process and have a good understanding of the use cases. An agency must ensure that the security package fits within its own requirements. Remember that each agency must individually authorize the use of security packages. So they must analyze the Agency’s work on ATO. It’s often easier to rely on the JAB P-ATO given they ensure that the authorization given is for broader use cases.

Choosing Between P-ATO and ATO

Cloud provider must determine how broad or narrow its platform is on addressing use cases. If the offering can benefit many agencies, then the P-ATO route is best. If the offering is more specific and benefits a few agencies, then the ATO route will be the best path. Keep in mind that many vendors think that it’s best to pursue the P-ATO because it has a broader designation. But the JAB has limited resources and only evaluates a few CSPs each year. Competition for spots are high. It can be very difficult to get priority into the approval process.

FedRAMP classifies authorizations based on “necessary” and “unique”. A “necessary” cloud platform is one that is multi-tenant in nature and has a broad use case of capabilities. The JAB reviews cloud services that have government-wide purposes. CSPs should pursue the P-ATO if they fall under this category.

If there is only interest from one or two agencies in the cloud product, then a “unique” agency ATO authorization is the appropriate path. Agency authorizations are best suited for unique and niche cloud services. 

Another consideration is timing. The P-ATO process can take 6-9 months, while the ATO process can take 2-4 months.

In practice, the P-ATO and ATO designation both lead to FedRAMP Authorization. So most agencies accept either designation. Many do not weigh one over the other one. It is more use case specific on whether the application is a good fit for the Agency.

Preparing for Authorization

Regardless of the path a CSP chooses, they need to be fully prepared and committed to go through the process when then apply.

The CSP must have these requirements before applying for FedRAMP Authorization

  • Fully built and functional system
  • Mature organizational and security processes
  • Previous experience with federal security authorizations
  • Committed CSP leadership team
  • Dependencies on other CSOs (including leveraging another hosting provider or external providers that provide functionality)
  • Proven maturity (CMMI Level 3+, ISO Organizational Certifications)
  • Other certifications (SOC2, ISO27001, PCI)

JAB Provisional Authorization to Operate (P-ATO) Authorization Process

Be sure to check out our main guide to getting JAB P-ATO.

Remember that the JAB consists of a group of CIOs from the DoD, the DHS, and the GSA. It’s the primary governance and decision making body. The actual authorization process goes through the FedRAMP PMO. This process can be very difficult if there is insufficient agency demand for the product. The PMO prioritizes applications based on demand by a wide variety of Agencies.

Flowchart diagram of the three stages to obtain FedRAMP JAB P-ATO Authorization: Readiness Assessment Report, Full Security Assessment, Authorization Process

There are three phases to obtain JAB P-ATO Authorization

  1. Readiness Assessment 
  2. Full Security Assessment
  3. Authorization Process

1. JAB P-ATO Readiness Assessment

Here are the key steps for the Readiness phase

  • Ensure system is fully operational
  • Notify FedRAMP PMO of intention to submit Readiness Assessment Report (RAR) (via [email protected])
  • Engage 3PAO to conduct readiness assessment
  • Support and facilitate 3PAO readiness assessment
  • Support FedRAMP PMO during RAR review
  • Secure FedRAMP Ready Status

Note that in most cases, it is strongly recommended that the CSP obtains the RAR well before this process starts. Technically, the CSP can secure FedRAMP Ready status after applying. Due to the limited number of spots, it’s a prerequisite to be FedRAMP Ready before applying. That gives the highest chance of success because it shows the PMO that you’re committed to the process. 

2. JAB P-ATO Full Security Assessment

Here are the key steps for the Full Security Assessment phase

  • Finalize SSP
  • Engage 3PAO to conduct full assessment
  • Oversee and facilitate 3PAO assessment activities
  • Submit finalized security assessment package to FedRAMP PMO one weekprior to kick-off
  • Support FedRAMP PMO completeness check and kick-off coordination activities

3. JAB P-ATO Authorization Process Phase

Kick-Off Meeting (1 week)

  • Support PMO Reviewers in gaining an in-depth understanding of the system, its architecture, and associated risks, typically through a combination of briefings and informal Q&A
  • Ensure representatives are present who can answer in-depth questions about the system architecture, risk management activities, actual risks to the system, and remediation planning/status

Review (3-4 weeks)

  • Support PMO Reviewers by addressing questions and comments in a timely manner
  • Participate in regular meetings among CSP, 3PAO, and PMO
  • Submit monthly ConMon deliverables

Remediation (3 weeks)

  • Remediate system and documentation issues as needed to satisfy PMO Reviewer comments
  • Ensure all comments from PMO Reviewers are appropriately addressed
  • Deliver CSP portion of revised package
  • Provide finalized authorization package with all PMO Reviewer comments addressed

Final Review (4 weeks)

  • Receive ATO decision and formal authorization from FedRAMP PMO

FedRAMP Agency Authorization to Operate (ATO) Authorization Process

Be sure to check out our main guide to getting Agency ATO.

The ATO process involves the Agency and the cloud provider. The JAB does not get involved, but the PMO office does do a final review at the very end. This process is faster than a JAB P-ATO and is also suitable for LI-SaaS and Low Impact levels.

Flowchart diagram of the four stages to obtain FedRAMP Agency ATO Authorization: Partnership Establishment, Full Security Assessment, Authorization Process, Continuous Monitoring

There are four phases to obtain Agency ATO Authorization

  1. Partnership Establishment
  2. Full Security Assessment
  3. Authorization Process
  4. Continuous Monitoring

1. Partnership Establishment

The Agency and CSP must formalize a partnership under FedRAMP’s In Process Requirements. Both must have full commitment to go through the Authorization process. This is done by the Agency issues a formal written Attestation to [email protected]

It’s highly recommended that the cloud provider secure a FedRAMP Ready status in advance. This indicates that a 3PAO has evaluated the system and has a higher chance of success. Acquiring this status requires completion of a Readiness Assessment Report (RAR).

At a minimum, the CSP must create a System Security Plan (SSP). An SSP is a security blueprint of the system. The evaluating Agency must review and approve the SSP before moving forward. 

Then the CSP must create Security Assessment Plan (SAP) with their 3PAO. The SAP is a testing plan to assess the system’s security controls.

2. Full Security Assessment

This phase tests the system’s full security, including penetration testing. No changes to code are possible. The 3PAO then creates a Security Assessment Report (SAR) and details the findings. Then the CSP develops a Plan of Actions and Milestones (POA&M) to track and manage system security risks identified in the SAR.

3. Authorization Process

The Agency reviews the entire package: SSP, SAP, SAR and POA&M. There’s typically a remediation phase to cure security issues. A remediation plan and key measures of success comes from the sponsoring Agency. The CSP must work with the 3PAO to ensure documentation remains in sync and re-testing occurs as needed. Once the Agency approves the remediation, it can move on to the final step. 

The Agency must submit the cloud service offering’s authorization package to the Agency AO for final approval. Then it can proceed with issuance of the ATO. FedRAMP provides a required ATO Letter template. 

All the documents go directly to FedRAMP. The PMO will then review the authorization package within 1-2 weeks of submission. If successful, the PMO will issue a FedRAMP Authorized status to the product.

4. Continuous Monitoring

FedRAMP is not a one-time test. The CSP must continually uphold the security of the system to maintain its Authorized status. That CSP must provide monthly continuous monitoring deliverables to the Agencies using their service. These deliverables may include an updated POA&M, scan results/reports or system change information/request.

The CSP must also complete an annual security assessment and upload the results to FedRAMP.

How Long Does The FedRAMP Authorization Take Under ATO?

The Agency Authorization (ATO) process takes 4-5 months. The pre-authorization work such as partnership establishment takes two weeks. Then the security assessment takes one month. Once all the planning is complete, the CSP can move forward to the authorization stage. This final stage takes 3 months.

How to Get FedRAMP Agency Authorization (ATO)

Phase 1: Partnership Establishment

The CSP must formalize a partnership with a specific Agency via FedRAMP’s In Process Requirements. There are two key components to get a FedRAMP In Process designation with an agency. First, the CSP must commit to completing an Authorization process. Second, the Agency must issue written confirmation of the Agency’s intent to authorize and fulfill at least one of four additional requirements.

The Agency Attestation must contain:

  • The CSP name
  • The CSO name
  • An attestation that the partnering agency is actively working with the CSP to grant an ATO in:
    • 12 months for Low, Moderate, and High authorizations, or
    • Three months for FedRAMP Tailored authorizations
  • The impact level (e.g., Low, Moderate, or High) at which the agency will authorize the service offering
  • The agency and CSP points of contact who will work with FedRAMP 
  • The full 3PAO assessment is planned for no more than six months from the date of email

Additional Requirements (At Least One of Four):

  1. The agency provides proof of a contract award for the use of the CSO
  2. The agency and CSP demonstrate use of the service offering to the PMO (Note: An email from the Agency AO stating the product is being used by the agency will meet this requirement)
  3. The CSO is currently listed as FedRAMP Ready on the Marketplace
  4. Completion of a formal kick-off meeting that includes the agency, CSP, FedRAMP PMO, and, if applicable, 3PAO

CSPs should have full commitment to go through the entire process. Often, a vendor may already be under contract or acquisition process with an agency. At a minimum, the vendor should have one technical writer, one technical SME, and one project manager. They should also complete FedRAMP Training in advance.

The CSPs must complete their System Security Plan (SSP) and have gone through the agency review process before moving to the next phase. Then the Agency partner must approve and sign off on the SSP prior to testing. 

After approval, the CSP must create Security Assessment Plan (SAP) with their 3PAO. The SAP is a test plan to assess the system’s security controls. This plan includes a penetration test plan, rules of engagement and inventory worksheet.

Phase 2: Full Security Assessment

Once the SAP is complete, the 3PAO tests the CSP’s system. No changes can be made to the system. The CSP must freeze code development. 

The 3PAO then creates a Security Assessment Report (SAR) after completing the test. The SAR contains detailed findings and whether to recommend the system for FedRAMP Authorization.

The CSP develops a Plan of Actions and Milestones (POA&M) to track and manage system security risks identified in the SAR.

Phase 3: Authorization Process

The sponsoring Agency reviews the assessment, including the SAR and POA&M. It will then request remediation and additional testing if required. 

Here is a checklist for the agency:


  • Incomplete implementation statements
  • Blank fields
  • Conflicting implementation status
  • Missing or outdated SSP attachments


  • Blank fields
  • Missing or outdated evidence artifacts
  • Skewed methodology and scope


  • Conflicting risk levels between SAR Tables 4.1, 5.1, 5.2, 5.3, False Positives, vulnerability scans, and the POA&M
  • The inventory to documented in the SAR (Appendix C,D, and E) needs to matches the scanned inventory


  • Missing POA&M dates or dates that are beyond FedRAMP requirements for remediation

The Agency review of remediation work can happen on an iterative or linear basis depending on Agency reviewer, CSP, and 3PAO preferences. Once the CSP fixes outstanding issues, the Agency will then conduct a final review. At the end of the remediation phase, there is an in-person remediation close-out meeting to review all changes.

The Agency AO must hold a final briefing. The briefing must contain:

  • Overall risk posture and authorization recommendation
  • High to Medium or High to Low risk adjustments
  • Organizational requirements and why they are required
  • Alternative control implementations and why they are necessary
  • Continuous monitoring maturity and progress during the ATO process

If the Agency accepts the risk of using the system, it will issue an ATO letter. But that does not mean the Authorization is done. The Agency or CSP then uploads the entire security package, the FedRAMP checklist, and ATO letter to FedRAMP’s Secure Repository on OMB MAX. 

The PMO must review the entire package and request remediation. The CSP must fix all technical issues. Once fixes are complete, the PMO will issue the official FedRAMP Authorization.

Phase 4: Continuous Monitoring

FedRAMP Authorization is not a one-time process. The CSP must perform ongoing tasks to retain the Authorization. For example, the CSP must provide monthly continuous monitoring deliverables to the Agencies using their service. These may include an updated POA&M, scan results/reports, system change information/requests. CSPs may use the FedRAMP repository to share monthly material with Agency representatives. However, they do not need to share these materials with the FedRAMP PMO. 

The CSP must also complete an annual security assessment with a 3PAO to ensure the risk posture of the system remains acceptable. CSPs then upload the annual assessment, along with updated security authorization package documentation, to the FedRAMP secure repository.

What is the FedRAMP Marketplace?

The FedRAMP Marketplace lists all Cloud Service Providers, Agencies, and Assessors that offer or use services under the FedRAMP program. The PMO maintains this site with updates on the latest authorizations, changes in designation, providers, agencies and assessors. It’s a well-run central repository that facilitates interaction across ecosystem partners. Visitors can sort, filter and export the database of all offerings and usage across all agencies. 

What’s the difference between FedRAMP Ready, In Process and Authorized?

FedRAMP Authorized is the only status that allows Agencies to use the cloud service without the need to go through an authorization process. In Process indicates that the PMO or an Agency is actively reviewing the service. Ready indicates that the provider has completed a Readiness Assessment Report (RAR), but not started the Authorization process.

Each service can only have one designation 

  • FedRAMP Authorized means the service is available for use by an Agency. The service has either a Provisional Authorization to Operate (P-ATO) or an Authorization to Operate (ATO).
  • FedRAMP In Process means that the service is currently under review for a JAB P-ATO or Agency ATO. The service is not ready for agency re-use.
  • FedRAMP Ready means the cloud service provider has completed a Readiness Assessment Report (RAR) that has secured approval by the FedRAMP PMO. The approval takes approximately one week of review. This does not mean that the service has begun the actual authorization process. FedRAMP Ready is the earliest and easiest designation to obtain. The service is not ready for agency re-use.

What is the difference between FedRAMP High, Moderate and Low Impact Levels?

The levels refer to how severe an impact an agency would face if the system had unauthorized access, faced unauthorized modification of its data or encountered disruption. High, Moderate, and Low correspond respectively to a severe or catastrophic, serious, or limited adverse effect on the agency. The PMO uses these security categories as defined by FIPS 199. LI-SaaS is a separate designation under the FedRAMP Tailored program. See our detailed guide to navigating FedRAMP Tailored and LI-SaaS.

How Many Security Controls Are There for LI-SaaS, Low, Moderate and High?

Each impact level must satisfy a number of security controls

  • High Impact: 421
  • Moderate Impact: 325
  • Low: 125
  • LI-SaaS: Minimum of 37, documented and assessed. The remaining security controls depend on situation or must have an attestation where applicable.
Table listing all FedRAMP security control types for High, Moderate, Low, Li-SaaS, DoD

Low Impact Level

Low Impact is most appropriate for systems that have a limited negative impact to agencies if compromised. Scenarios include managing data intended for public use or mass consumption. There are two baselines: Low and LI-SaaS (Low-Impact Software-as-a-Service). LI-SaaS is a lightweight version of the Low baseline. Such as system would not store any PII (personally identifiable information) other than login credentials. Vendors targeting Low Impact should not go through the JAB P-ATO process, rather they should get an Agency ATO.

Moderate Impact Level

Moderate Impact is the most common designation that satisfies most agency use cases. Systems that are Moderate will have security in place to protect against serious impact if compromised. This standard is most appropriate for systems that handle non-public government data. One key additional criteria that differentiates this from Low is considering if there could be non-physical harm to individuals. PII (personally identifiable information) falls under this category since breaches can harm individuals directly. Most vendors aim to achieve this level to meet the needs of most agencies. The security controls are much stronger than Low and require more investment. 

High Impact Level

High Impact is best for the most government’s most sensitive, unclassified data. This is the strongest level of protection because a compromised system could lead to severe or catastrophic consequences. A key difference here versus other levels is that the data could impact the protection of life and financial ruin. Law Enforcement, Emergency Services, Financial, and Health systems are the most common systems that need a High level. This is the most difficult to obtain, but can be well worth the investment as this can meet the highest security standards and re-used across all agencies.

What are the FIPS 199 Security Objectives?

There are three broad security objectives under FIPS 199.

  • Confidentiality: Data remains confidential. Authorization restrictions are in place.
  • Integrity: Data integrity and authenticity upheld. Guards against improper modification or destruction.
  • Availability: Data is readily available. Access to the system is reliable.

Agencies must decide which impact level applies to each security goal if compromised. Common terminology used to classify impact include Low-Low-Low or L-L-L, M-M-M or H-H-H. They must only select the vendors that can meet those minimum requirements. If impacts are L-M-L, then the system used must either be Moderate or High since the highest impact listed is Moderate.


FedRAMP is the central program that connects government agencies with cloud technology providers. It accelerates the adoption of cloud technology by enforcing security standards and lowering cloud adoption costs. This program is hard to navigate, so it is important to work with a provider that can guide you through the complexities and nuances. The reward of serving dozens of Agencies is significant and worth the effort.

Learn more about what Box has to offer

**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.

Free 14-day trial.
No risk.

Box free trial includes native e‑signatures, let's you securely manage, share and access your content from anywhere.

Try for free