US FedRAMP PMO / GSA · United States

FedRAMP

The US government authorisation programme for cloud services.

FedRAMP (Federal Risk and Authorization Management Program) standardises security assessment, authorisation and continuous monitoring for cloud products and services used by US federal agencies. It is built on NIST SP 800-53 control baselines.

Impact levels

  Level                  | Data impact                          | Approx. controls
  -----------------------|--------------------------------------|-------------------------
  Low (incl. LI-SaaS)    | Limited adverse impact               | Smaller baseline
  Moderate               | Serious adverse impact (most SaaS)   | The most common baseline
  High                   | Severe/catastrophic impact           | Largest baseline

Authorisation paths

  • Agency ATO — sponsored by a federal agency that grants an Authorisation to Operate.
  • JAB P-ATO — a provisional authorisation from the Joint Authorization Board (now evolving under FedRAMP modernisation).
  • A 3PAO (Third-Party Assessment Organization) performs the independent security assessment.

The journey

  1. Categorise the system and select the FedRAMP baseline (Low/Moderate/High).
  2. Implement 800-53 controls and document the System Security Plan (SSP).
  3. Engage a 3PAO for the Security Assessment (SAR) and penetration testing.
  4. Remediate and produce the POA&M; obtain the ATO.
  5. Operate continuous monitoring (monthly scans, annual assessment).

How CyberSigma helps
We help cloud providers prepare for FedRAMP — control implementation, SSP development, readiness assessment and continuous-monitoring setup — ahead of the 3PAO assessment.

Frequently asked questions

Is FedRAMP the same as NIST 800-53?
FedRAMP uses NIST 800-53 baselines but adds a specific assessment, authorisation and continuous-monitoring programme for cloud services used by the US government.

Need help with FedRAMP?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.