FedRAMP Compliance: 2026 Complete Guide

FedRAMP compliance is the body of security, assessment, and continuous monitoring obligations imposed by the Federal Risk and Authorization Management Program on any cloud service offering used by a U.S. federal agency. It is the single largest cloud security regime in the United States, and after the FedRAMP Authorization Act of 2022 it is codified into federal law.

This guide is written for cloud product leaders, SaaS founders selling into government, security engineers, and compliance directors building a FedRAMP program. It covers what FedRAMP requires in 2026, the three impact baselines, the two authorization pathways, how a Third Party Assessment Organization (3PAO) actually tests you, the real cost and timeline, what continuous monitoring looks like after authorization, and how the FedRAMP Marketplace works for buyers.

This is the pillar guide. For tighter answers on cost, timeline, and the four-step process, see our companion FedRAMP authorization FAQ. Most companies underestimate the lift. FedRAMP is a continuous control environment with monthly scans, annual reassessments, and a public marketplace listing your status to every agency in the country.

💡 Pro Tip
Quick orientation: FedRAMP has three impact baselines (Low, Moderate, High), two authorization paths (JAB Provisional Authorization, called P-ATO, and Agency Authorization, called ATO), one mandatory pre-authorization milestone (FedRAMP Ready), and one independent assessor (the 3PAO). The security baseline itself is NIST SP 800-53 Rev 5, with FedRAMP-specific parameters layered on top.

For deeper companion pieces, see NIST 800-53, NIST 800-171, CMMC, and SOC 2.

What is FedRAMP compliance?

FedRAMP is the U.S. government program that standardizes how cloud products and services are security-assessed, authorized, and continuously monitored for federal use. It was established by Office of Management and Budget memorandum M-11-08 in December 2011 and is operated jointly by the General Services Administration, the Department of Defense, the Department of Homeland Security, and the FedRAMP Program Management Office (PMO).

The core promise is "do once, use many times." Instead of every federal agency separately assessing the same cloud service, a single FedRAMP authorization can be reused by every agency that wants to consume that service. This is what makes a single authorization commercially valuable: it unlocks the entire federal market rather than one contract.

FedRAMP applies to any cloud service offering (CSO) that processes, stores, or transmits federal information. Software as a Service, Platform as a Service, and Infrastructure as a Service all fall in scope. On-premises software delivered as a perpetual license to a single agency typically does not. The cloud delivery model is the trigger.

The legal foundation changed in 2022. Congress passed the FedRAMP Authorization Act as Title LIX of the FY2023 National Defense Authorization Act, signed into law in December 2022. The Act codified the program into statute, established a Federal Secure Cloud Advisory Committee, required automation where feasible, and directed GSA to publish a presumption of adequacy for authorizations across agencies.

Who FedRAMP covers

FedRAMP covers three categories of organization:

  • Cloud service providers (CSPs). Any company offering a cloud product or service that a federal agency wants to consume. The CSP pursues authorization, builds the system security plan, and pays for the 3PAO assessment.
  • Federal agencies. Civilian, defense, and independent agencies acquiring cloud services. The agency either sponsors a new authorization or reuses an existing one.
  • Third Party Assessment Organizations (3PAOs). Independent assessors accredited by A2LA under the FedRAMP 3PAO Requirements. The 3PAO performs the security assessment and issues the Security Assessment Report (SAR).

Resellers and integrators that handle federal data inside a CSP's environment are covered by the CSP's authorization. Subcontractors that operate their own systems may need their own FedRAMP coverage.

What FedRAMP compliance covers

FedRAMP compliance is built on three pillars: a security control baseline, an independent assessment, and ongoing continuous monitoring.

The control baseline is derived from NIST SP 800-53 Rev 5, the federal catalog of security and privacy controls. FedRAMP selects a subset of those controls for each impact level and tightens many of the parameters. A control like AC-2 (Account Management) exists in NIST 800-53 in generic form; the FedRAMP baseline specifies the audit frequency, the maximum account inactivity period, and the documentation requirements that agencies expect.

The assessment is performed by a 3PAO against the NIST Risk Management Framework, defined in NIST SP 800-37 Rev 2. The RMF has seven steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor). FedRAMP is the RMF applied to commercial cloud.

Continuous monitoring is the operational discipline after authorization: monthly vulnerability scans, monthly Plan of Action and Milestones (POA&M) updates, annual penetration tests, and significant change requests for major architectural changes.

FedRAMP impact baselines: Low, Moderate, High

FedRAMP uses three baselines that map to the FIPS 199 categorization of federal information. The baseline depends on the worst-case impact (confidentiality, integrity, or availability) of a security breach on the system.

| Baseline | Control count (Rev 5) | Data sensitivity | Typical use cases | Approximate share of authorizations |
|---|---|---|---|---|
| Low (LI-SaaS variant available) | ~156 | Public information, low-impact CUI | Public websites, collaboration tools without sensitive data, dev environments | ~10% |
| Moderate | ~325 | Most Controlled Unclassified Information (CUI), PII, financial data | Email, HR, CRM, most federal SaaS | ~80% |
| High | ~421 | Law enforcement, emergency services, financial systems where breach is severe or catastrophic | AWS GovCloud, Azure Government, Oracle Government, criminal justice systems | ~10% |

The "Low Impact SaaS" or LI-SaaS baseline is a streamlined Low variant for simple SaaS products that do not store agency data beyond user credentials and basic configuration. It is the lightest entry point into FedRAMP.

The mapping to FIPS 199 is the gating decision. If any of the three security objectives (confidentiality, integrity, availability) is High, the system is High. If the worst is Moderate, the system is Moderate. Agencies sometimes ask a CSP to authorize at a higher baseline than the data alone would require, to keep the option to expand usage later. Roughly 80% of FedRAMP authorizations sit at Moderate, which is why most budgets and timelines in this guide use Moderate as the default reference.

The 3PAO: what an assessment actually looks like

A Third Party Assessment Organization is an independent firm accredited by A2LA to perform FedRAMP security assessments. The CSP selects and pays the 3PAO directly. The 3PAO is not chosen by the agency.

What the 3PAO does:

  1. Readiness Assessment. Optional but recommended. The 3PAO walks the environment, reviews documentation, and issues a Readiness Assessment Report (RAR). A passing RAR earns the CSP a FedRAMP Ready designation, listed publicly on the Marketplace.
  2. Security Assessment Plan (SAP). Before testing begins, the 3PAO publishes the scope, schedule, and test procedures, approved by the CSP and authorizing official.
  3. Full Security Assessment. The 3PAO tests every control in the baseline through documentation review, staff interviews, configuration inspection, automated scanning, and authenticated penetration testing of the boundary.
  4. Security Assessment Report (SAR). Findings are categorized as Critical, High, Moderate, or Low. Critical and High findings typically must be remediated before authorization. Moderate and Low findings can be carried as POA&M items.
  5. Annual reassessment. Each year the 3PAO re-tests a subset of controls and validates significant changes.

The 3PAO market is small. As of 2026 the FedRAMP Marketplace lists fewer than 50 accredited 3PAOs. Pricing for a Moderate baseline full assessment typically falls between $150,000 and $400,000 depending on system complexity and whether the firm also performs the readiness assessment. Ask for references from CSPs with comparable infrastructure before signing.

The two authorization pathways: JAB P-ATO vs Agency ATO

FedRAMP offers two ways to reach authorization. The security work is identical. The difference is who reviews the package and how broadly it is trusted.

JAB Provisional Authorization (P-ATO)

The Joint Authorization Board is composed of the CIOs of the General Services Administration, the Department of Defense, and the Department of Homeland Security. A JAB P-ATO is the closest thing FedRAMP has to a gold standard.

Strengths:

  • Highest cross-agency credibility. A JAB P-ATO carries a strong presumption of adequacy.
  • Most efficient for CSPs targeting broad federal demand. A single P-ATO can be reused by every agency.
  • The most rigorous review process, which is itself a marketing asset.

Constraints:

  • The JAB is selective. It runs an intake process called FedRAMP Connect and prioritizes CSOs with broad demand signals from multiple agencies.
  • Timelines are longer. Twelve to eighteen months for Moderate is typical, with some High systems running longer.
  • Requires FedRAMP Ready designation as a prerequisite.

The JAB selects a limited number of CSPs each cycle. If selected, the CSP works against a shared schedule, with reviews by the JAB technical representatives in parallel.

Agency Authorization (Agency ATO)

In the Agency path, a specific federal agency sponsors the authorization. The agency's Authorizing Official (AO) reviews the package and issues the Authority to Operate. The FedRAMP PMO then performs a separate review before the CSO is listed on the Marketplace as Authorized.

Strengths:

  • Faster than JAB. Six to twelve months for Moderate is realistic when the CSP and agency are aligned.
  • Works for any CSP that already has a federal customer or pending contract.
  • More flexibility on control interpretation, because a single AO is making the risk decision.

Constraints:

  • Requires an agency sponsor. Without a federal customer willing to be the AO, the Agency path is not available.
  • Cross-agency reuse depends on the FedRAMP Marketplace listing and any agency-to-agency briefings.
  • Historically perceived (sometimes unfairly) as less rigorous than JAB. The 2024 program modernization changes reduced this perception by tightening PMO review of agency packages.

For most CSPs in 2026, the Agency path is the realistic default. The JAB path is appropriate when broad federal demand is already established and the CSP wants the JAB stamp as a competitive moat.

After the FedRAMP Authorization Act of 2022, Congress directed the program to publish a presumption of adequacy. The practical effect is that a Marketplace-listed authorization from either path now carries similar legal weight when an agency consumes the service.

FedRAMP Ready: the entry milestone

FedRAMP Ready is a milestone, not a final authorization. A CSP earns Ready by engaging an accredited 3PAO, completing a Readiness Assessment, receiving a passing RAR, and submitting it to the FedRAMP PMO for review.

Once accepted, the CSP is listed on the FedRAMP Marketplace with a Ready designation. Ready signals to agencies that the CSP is assessment-ready, is a prerequisite for JAB FedRAMP Connect selection, and is a marketing milestone federal sales teams can quote to procurement.

Ready is not the same as Authorized. A CSP can be Ready but still need 6 to 18 months of additional work to reach In Process and then Authorized. Agencies cannot consume a Ready-only service for production federal data, although they can engage commercially and run pilots in non-production environments.

Timeline and cost

A first-time FedRAMP Moderate authorization for a mid-sized SaaS company runs 12 to 24 months end to end:

  • Months 1 to 4: Preparation. Gap assessment, boundary definition, SSP development, control implementation, evidence gathering.
  • Months 4 to 8: Readiness. 3PAO Readiness Assessment, RAR submission, PMO review for the Ready designation.
  • Months 8 to 14: Full Assessment. 3PAO full assessment, remediation of Critical and High findings, POA&M development, SAR finalization.
  • Months 14 to 18: Authorization. Submit the package to JAB or sponsoring agency, address review questions, receive authorization.
  • Months 18 onward: Continuous monitoring. Monthly scans, monthly POA&M updates, annual reassessment.

Costs for a Moderate baseline in 2026 typically fall in the ranges below. LI-SaaS programs land at the low end; complex multi-cloud or High baselines run two to three times higher.

| Cost category | Year one (initial authorization) | Year two and beyond (annual) |
|---|---|---|
| Gap assessment and remediation | $50,000 to $200,000 | $0 to $50,000 |
| System Security Plan and documentation | $75,000 to $200,000 | $25,000 to $75,000 |
| 3PAO Readiness Assessment | $50,000 to $150,000 | n/a |
| 3PAO Full Security Assessment | $150,000 to $400,000 | $100,000 to $250,000 annual reassessment |
| Authenticated penetration testing | $50,000 to $150,000 | $50,000 to $150,000 |
| Vulnerability scanning and continuous monitoring tooling | $50,000 to $200,000 | $50,000 to $200,000 |
| Internal staff (2 to 4 FTEs) | $400,000 to $1,200,000 | $400,000 to $1,200,000 |
| FedRAMP advisory or consulting | $100,000 to $400,000 | $0 to $100,000 |
| Total estimated range | $925,000 to $2,900,000 | $625,000 to $2,025,000 |

Two factors swing the budget more than anything else. The first is boundary scope: a tightly scoped boundary with a single data plane is fundamentally cheaper than one that pulls in marketing systems, support tooling, and corporate IT. The second is the underlying infrastructure. A SaaS built on AWS GovCloud or Azure Government inherits hundreds of authorized controls; a SaaS on a custom data center or commercial-cloud-only stack inherits none. For most CSPs, a single agency contract typically covers the initial investment within the first year.

Continuous monitoring

Authorization is the start of the operational program, not the end. Continuous monitoring (ConMon) is the discipline that keeps the authorization valid year over year.

The core ConMon obligations:

  • Monthly vulnerability scans. Authenticated scans of operating systems, web applications, and databases inside the boundary. Findings must be reported to the authorizing official within the timelines specified by FedRAMP guidance (typically 30 days for High severity findings, 90 days for Moderate, 180 days for Low).
  • Monthly Plan of Action and Milestones updates. The POA&M is the living register of all open findings, with target remediation dates, status, and risk acceptance documentation where applicable.
  • Annual penetration testing. Performed by the 3PAO using attack vectors specified in FedRAMP Penetration Test Guidance.
  • Annual security assessment. The 3PAO re-tests a subset of controls each year, with the full set re-tested over a three-year rolling window.
  • Significant change requests. Any architectural change above the threshold (new data flow, sub-service, region, or major component upgrade) requires approval before deployment.
  • Incident reporting. Reportable incidents go to US-CERT and the authorizing agency within timelines defined by CISA Cyber Incident Reporting guidance.
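As an added illustration of the scan and POA&M cadence described above (example code written for this guide, not from FedRAMP or any CSP tooling), the check below computes each open finding's remediation deadline from the typical windows the guide cites (30/90/180 days by severity) and flags entries that are overdue or have missed the monthly POA&M refresh. The finding identifiers and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows the guide cites as typical FedRAMP ConMon timelines,
# keyed by finding severity (days from detection to required closure).
# These are the guide's figures, not an authoritative FedRAMP parameter table.
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}


@dataclass
class Finding:
    poam_id: str                         # constructed identifier for this example
    severity: str                        # "High", "Moderate" or "Low"
    detected: date                       # date the scanner first reported it
    status: str = "Open"                 # "Open", "Risk Accepted" or "Closed"
    last_updated: Optional[date] = None  # last time the POA&M entry was refreshed

    def due_date(self) -> date:
        return self.detected + timedelta(days=REMEDIATION_DAYS[self.severity])

    def is_overdue(self, today: date) -> bool:
        # Closed items and documented risk acceptances are not late; the guide
        # notes that risk acceptance belongs in the POA&M with its documentation.
        return self.status == "Open" and today > self.due_date()

    def needs_monthly_update(self, today: date) -> bool:
        # Every open item is expected to be refreshed in the monthly POA&M cycle.
        if self.status != "Open":
            return False
        return self.last_updated is None or (today - self.last_updated).days > 30


def poam_report(findings: list, today: date) -> dict:
    """Summarise register health: overdue items by severity and stale entries."""
    overdue = [f for f in findings if f.is_overdue(today)]
    stale = [f for f in findings if f.needs_monthly_update(today)]
    return {
        "open": sum(1 for f in findings if f.status == "Open"),
        "overdue_ids": sorted(f.poam_id for f in overdue),
        "overdue_by_severity": {
            sev: sum(1 for f in overdue if f.severity == sev) for sev in REMEDIATION_DAYS
        },
        "stale_ids": sorted(f.poam_id for f in stale),
    }


# Constructed sample register (not real findings).
SAMPLE_TODAY = date(2026, 3, 15)
SAMPLE_FINDINGS = [
    Finding("POAM-001", "High", date(2026, 1, 20), "Open", date(2026, 3, 1)),
    Finding("POAM-002", "Moderate", date(2025, 12, 1), "Open", date(2026, 1, 10)),
    Finding("POAM-003", "Low", date(2025, 10, 1), "Open", date(2026, 3, 10)),
    Finding("POAM-004", "High", date(2026, 3, 1), "Open", date(2026, 3, 14)),
    Finding("POAM-005", "Moderate", date(2025, 6, 1), "Risk Accepted", date(2026, 2, 1)),
]

if __name__ == "__main__":
    print(poam_report(SAMPLE_FINDINGS, SAMPLE_TODAY))
```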

ConMon is where many programs lose momentum. The first six months after authorization often go well. By month twelve, the scan cadence and POA&M discipline can erode if the program is treated as a project rather than an operating function. CSPs that maintain authorization cleanly staff ConMon as a continuous capability.

The FedRAMP Marketplace

The FedRAMP Marketplace is the public directory of every cloud service offering at every status: In Process, Ready, Authorized, and (when applicable) decommissioned. It is the central source of truth for agencies, integrators, and procurement officials.

Each listing shows the CSP and CSO name, impact level, authorization path (JAB or Agency, with sponsoring agency named), current status, agency reuses, the assessing 3PAO, and authorization date.

Agencies use the Marketplace as a procurement filter. When a federal acquisition includes a cloud component, contracting officers are directed to start with Marketplace-Authorized services. The 2022 Act's presumption of adequacy reinforced this default. For CSPs, the listing is the highest-value federal sales artifact: status badge, agency reuse counter, and authorization date signal credibility no slide deck can match.

The FedRAMP Authorization Act of 2022 and the 2024 modernization

The FedRAMP Authorization Act of 2022 was the most significant statutory change to the program since its 2011 launch. The headline changes:

  • Codification. FedRAMP is now a creature of statute, not just OMB policy. This makes the program harder to roll back and gives agencies firmer legal grounding to rely on authorizations.
  • Presumption of adequacy. Agencies must accept a FedRAMP authorization unless they document a specific reason it is insufficient for their use case.
  • Federal Secure Cloud Advisory Committee. A statutory advisory body with industry, agency, and assessor representation to advise the GSA Administrator.
  • Automation mandate. GSA was directed to automate the security assessment, authorization, and continuous monitoring process where feasible. The OSCAL (Open Security Controls Assessment Language) effort accelerated under this mandate.

The 2024 modernization that followed brought several operational changes. Rev 5 of NIST SP 800-53 became the baseline for all new authorizations, with existing CSPs working through Rev 4 to Rev 5 transition plans. PMO review of Agency packages was tightened, narrowing the historical perception gap between JAB and Agency authorizations. The Marketplace UI was updated to surface reuse data and authorization age more prominently.

For new CSPs in 2026, the practical implication is that the JAB versus Agency choice matters less than it did in 2020. Agency ATO trustworthiness has converged toward JAB levels, and the FedRAMP brand sits on the Marketplace listing more than on the specific path that produced it.

How FedRAMP connects to other frameworks

FedRAMP does not exist in isolation. Programs operating under adjacent frameworks share substantial control overlap.

  • NIST 800-53. The direct source of every FedRAMP control. A mature 800-53 program has done the heaviest lifting.
  • NIST 800-171. A subset of 800-53 covering Controlled Unclassified Information. The 110 controls map cleanly into FedRAMP Moderate.
  • CMMC. DoD's contractor model, built on 800-171. CMMC Level 2 shares most controls with FedRAMP Moderate.
  • NIST Cybersecurity Framework. A higher-level governance frame. Identify, Protect, Detect, Respond, Recover maps cleanly to FedRAMP control families.
  • SOC 2. A commercial AICPA assurance report. A Type 2 demonstrates many of the operational controls FedRAMP requires, but evidence sets are not interchangeable.
  • Cybersecurity compliance more broadly. See the companion survey that places FedRAMP alongside HIPAA, PCI DSS, and ISO 27001.

For tighter answers on the four-step process and per-baseline costs, see the companion FedRAMP authorization guide.

Frequently Asked Questions

What is FedRAMP compliance?

FedRAMP compliance is the body of security, assessment, and continuous monitoring requirements imposed by the Federal Risk and Authorization Management Program on any cloud service used by a U.S. federal agency. The baseline is drawn from NIST SP 800-53 Rev 5. Authorization is granted by either the Joint Authorization Board or a sponsoring agency.

What are the FedRAMP impact baselines?

FedRAMP has three baselines aligned to FIPS 199: Low (about 156 controls, including the LI-SaaS variant), Moderate (about 325 controls, covering most CUI and PII), and High (about 421 controls, covering law enforcement and systems where breach impact is severe or catastrophic). Roughly 80% of authorizations are at Moderate.

What is a 3PAO?

A 3PAO is a Third Party Assessment Organization, an independent firm accredited by A2LA. The 3PAO performs the Readiness Assessment, the full Security Assessment, the annual reassessment, and the annual penetration test. It is selected and paid by the cloud service provider, not the government.

What is the difference between JAB P-ATO and Agency ATO?

A JAB Provisional Authorization is issued by the Joint Authorization Board (CIOs of GSA, DoD, and DHS). An Agency Authorization is issued by a single sponsoring agency's Authorizing Official with PMO review. The security work is identical. JAB carries the strongest cross-agency presumption but is selective and slower; Agency is the default for most CSPs in 2026.

How long does FedRAMP authorization take?

Twelve to twenty-four months end to end for a first-time Moderate. The JAB path typically runs 12 to 18 months from selection. The Agency path can run 6 to 12 months once a sponsor is in place.

How much does FedRAMP authorization cost?

Year-one budgets for a Moderate authorization typically range from about $925,000 to $2.9 million. Year-two and ongoing budgets settle to $625,000 to $2 million per year. LI-SaaS lands at the low end; High and complex multi-cloud architectures at the high end.

What changed with the FedRAMP Authorization Act of 2022?

The Act codified FedRAMP into statute as Title LIX of the FY2023 NDAA, established a presumption of adequacy across agencies, created the Federal Secure Cloud Advisory Committee, and directed GSA to automate authorization workflows. The 2024 modernization brought Rev 5 baselines, tighter PMO review of Agency packages, and an updated Marketplace.

Bottom line

FedRAMP is the cost of entry to the U.S. federal cloud market, and after the 2022 Authorization Act it is statutory. Companies that succeed treat it as an operating program, not a one-time audit: tight boundary, a 3PAO experienced in their architecture, Agency path by default, and continuous monitoring staffed as a steady-state function.

For most cloud companies, a single federal contract pays back the initial investment inside the first year. The moat compounds from there: every agency reuse, every renewed authorization, and every Marketplace update makes the next federal sale faster.

Author: Security Compliance Guide Editorial Team
Security Compliance Guide Editorial Team covers topics in this category and related fields. Views expressed are editorial and based on research and experience.