FedRAMP Authorization Basics
Enforced by: FedRAMP PMO / OMB
Current as of November 22, 2022
Plain Language Summary
FedRAMP is mandatory for cloud services used by federal agencies. It is based on NIST SP 800-53. Authorization takes 12-24 months. Once authorized, any agency can use your service ("do once, use many").
FedRAMP standardizes security assessment, authorization, and continuous monitoring for cloud products and services used by the US federal government. There are three authorization paths: Agency Authorization (one agency sponsors), Joint Authorization Board (JAB) authorization (most rigorous, highest reuse), and FedRAMP Tailored (for Low-impact SaaS). Impact levels (Low, Moderate, High) are determined by the sensitivity of the data processed by the system.