
FedRAMP

Also known as: Federal Risk and Authorization Management Program

Standardised US government program for cloud-service authorisation, based on NIST 800-53.

FedRAMP authorises cloud service offerings (CSOs) for use by US federal agencies. Impact levels (Low, Moderate, High) drive control baselines drawn from NIST 800-53; authorisation paths are Agency ATO or Joint Authorisation Board (JAB) P-ATO.

Why it matters
FedRAMP Moderate is the table-stakes baseline for SaaS sold to civilian federal agencies. Authorisation typically costs $250K–$2M and takes 12–18 months, but unlocks an addressable market of $90B+ in federal cloud spend.

Related terms

NIST SP 800-53
NIST catalogue of 1000+ security and privacy controls for federal information systems (Rev 5).
FISMA
US law requiring federal agencies (and their contractors) to implement an information-security program based on NIST standards.
CMMC
DoD certification model required of defense contractors handling FCI / CUI; three levels (Foundational, Advanced, Expert).
