The FedRAMP process isn’t exactly known for being straightforward to comply with, particularly for teams trying to work out what it means for day-to-day security.
However, it’s becoming increasingly relevant. As of 2025, there are over 400 authorized cloud services, growth helped along by the recent FedRAMP 20x initiative, which aims to automate as much of the process as possible.
That kind of growth means more teams, both in government and industry, need to understand how the FedRAMP process works in practice.
When the U.S. federal government introduced its “Cloud First” strategy back in 2011, one of the main obstacles agencies faced was a lack of confidence in public cloud security. The response to that was FedRAMP, the Federal Risk and Authorization Management Program.
It provides a standardized way to assess, authorize, and monitor the security of cloud services. It’s how agencies make sure a cloud provider meets strict security requirements so that other agencies can also use the service.
Each cloud service a provider offers has to be evaluated and approved on its own, which is important to keep in mind, particularly when you’re dealing with large providers that have dozens of different services.
FedRAMP is built on NIST SP 800-53, a robust catalog of security controls, and is codified into law as part of the 2023 National Defense Authorization Act.
The FedRAMP process has three impact levels (Low, Moderate, and High), ranked according to how sensitive the data is and the potential damage that could result from a breach.
Each level comes with its own set of required security controls. As the level increases, so do the expectations, not just in terms of technology, but also in how teams manage and demonstrate ongoing security.
If your organization is working toward Moderate or High authorization, you’ll likely need to train teams across security, engineering, and operations to understand how these controls should be applied.
Inherited controls are easiest to explain with an example: if you’re building a SaaS platform on top of AWS GovCloud, which already has FedRAMP authorization, you can “inherit” many of the controls that AWS has in place, saving time and effort during the assessment.
However, you’re still responsible for demonstrating how your application layers enforce security. Inherited controls help, but they don’t replace the need for a thorough review.
FedRAMP involves several U.S. government bodies and independent assessors, each playing a specific role in the security review process.
Program Management Office: The FedRAMP PMO sets the rules, provides templates, and maintains the official list of cloud providers that are authorized. They are the coordinators who keep the program running and organized.
NIST (National Institute of Standards and Technology): This is the U.S. agency that defines the technical security standards behind FedRAMP. Their guidelines, especially NIST SP 800-53, are the foundation for how security is measured.
The Joint Authorization Board (JAB): A group of senior officials from three major U.S. government departments that collectively approve high-priority cloud services. They grant something called a “provisional authorization,” which other agencies can then choose to use.
Third-Party Assessment Organizations (3PAOs): These are independent assessors that review cloud providers’ security setups. They’re officially accredited and act as neutral auditors.
Defense Oversight (DISA): This agency supports the U.S. military and has extra requirements for cloud security, which go beyond standard FedRAMP rules. These stricter standards are sometimes called “FedRAMP+.”
Federal Government Agencies: These are the end users of the cloud services. A federal agency can also sponsor a provider’s security assessment and issue authorizations for the services they plan to use.
U.S. Congress: Lawmakers helped turn FedRAMP into law, and they continue to shape it through new policies and oversight. Their goal is to make the process more efficient and transparent.
Each one of these entities plays a part in either enforcing or navigating the FedRAMP process. If you’re a cloud service provider or an organization considering FedRAMP solutions, knowing who does what is the first step in understanding FedRAMP.
There are two ways a cloud service can become officially FedRAMP-authorized, and both require a detailed security review:
The first path runs through the JAB: a small team of senior government cybersecurity leaders representing defense, homeland security, and procurement can review and provisionally authorize a cloud service.
This process is highly selective (only about 12 services are approved this way each year) and is typically reserved for cloud products with wide potential use across multiple federal agencies.
The second, more common path is agency sponsorship. A specific agency sponsors the service, works with the cloud provider and an independent assessor to complete the assessment, and issues an Authorization to Operate (ATO), which other agencies can then reuse.
Not every cloud provider is fully authorized yet. FedRAMP uses two labels to show where they are in the process:
FedRAMP Ready: The provider has passed an initial, high-level review and is preparing for the complete assessment.
FedRAMP In Process: The provider is actively undergoing a detailed security review with either a government agency or the review board.
An important note: FedRAMP approval applies only to specific services, not to the entire company. Just because a provider has some FedRAMP-authorized services doesn’t mean all of their tools and features are covered.
It’s essential to check which services are authorized, what level of security they’re approved for, and whether that matches your organization’s risk requirements.
Authorization isn’t the end of the process: providers still need to maintain their security posture over time through continuous monitoring.
This includes:
Routine vulnerability scanning.
Scheduled penetration testing.
Log review and audit trails.
Ongoing updates to key documents like the System Security Plan (SSP) and Security Assessment Report (SAR).
The GSA and JAB monitor these updates and expect providers to respond quickly to issues and patch vulnerabilities to maintain operational security.
Cloud services come with a long list of potential security risks, some well known and others more subtle. These risks are especially relevant for cloud computing services used by federal agencies.
Here are a few main risks that FedRAMP helps mitigate:
Misconfigurations: Still one of the top reasons cloud environments get breached. FedRAMP enforces baseline configurations and regular checks.
Unauthorized access: Strong identity and access management (IAM) practices, including MFA, are embedded into FedRAMP. The goal is to make sure only authorized people have access to specific data.
Data leakage: FedRAMP pushes for encryption both at rest and in transit, plus strict boundary controls to keep sensitive information from leaking.
Supply chain vulnerabilities: Cloud providers have to document and manage their third-party components. That helps reduce the risk of hidden dependencies turning into attack vectors.
Insider threats: With continuous monitoring and detailed audit logs, it’s easier to catch unusual behavior and hold users accountable.
Insecure APIs: FedRAMP requires regular vulnerability scans and penetration tests so exposed interfaces and weak integrations don’t become entry points.
Incident response preparation: It’s not just about preventing issues; FedRAMP also makes sure providers have updated plans in place to detect, respond to, and recover from incidents when they happen.
SecureFlag offers cloud security training through virtualized labs that reflect real-world risks across AWS, Azure, and GCP. These labs help teams build the skills to secure what they’re responsible for while understanding what’s handled by the cloud provider.
That same approach extends into threat modeling with ThreatCanvas, which includes risk templates for AWS, Azure, and GCP. Teams can visualize how cloud services are structured and model threats based on FedRAMP impact levels.
Once teams understand the shared responsibilities in cloud environments and the expectations associated with each FedRAMP impact level, the next step is to put that into practice.
ThreatCanvas comes with a built-in FedRAMP risk template that helps teams turn security requirements into practical, visual threat models that are aligned with NIST SP 800-53 controls.
Teams can:
Model threats according to FedRAMP Low, Moderate, or High impact levels.
Visualize where responsibilities are shared across cloud services.
Identify risks early in the design process or during vendor assessments.
Communicate risks and mitigations in a way that’s easy to understand and track.
Overall, it helps align FedRAMP requirements with how systems are designed and deployed so teams can focus on real risks, rather than only documentation.