
FedRAMP

Definition

FedRAMP (Federal Risk and Authorization Management Program) is the U.S. government's standardized authorization framework for cloud services sold to federal agencies. A FedRAMP Moderate authorization covers 80% of federal civilian use cases, takes 12-24 months to achieve, and costs $500,000-$2,000,000 -- but unlocks a $100 billion+ federal cloud services market with a single reusable authorization.

Before FedRAMP, every federal agency independently assessed cloud vendors -- the same vendor might undergo 50 separate security assessments for 50 agencies. FedRAMP establishes an "authorize once, use many" model: one authorization from a Sponsoring Agency or the JAB (Joint Authorization Board) is recognized across all federal agencies.

FedRAMP authorization levels

  • Low -- systems where breach impact is limited; rare for cloud services
  • Moderate -- covers most civilian agency use cases; 325 security controls
  • High -- law enforcement, financial, health data; 421 controls; highest cost and effort

FedRAMP authorization paths

Agency-sponsored path: a federal agency agrees to sponsor your authorization. JAB path (FedRAMP Connect): compete for a slot on the JAB prioritization list. The agency path is faster if you already have a federal customer willing to sponsor. Regardless of path, a 3PAO (Third Party Assessment Organization) conducts the independent security assessment.

Related terms

ATO (Authority to Operate)

An Authority to Operate (ATO) is the formal approval granted by a federal Authorizing Official that allows a software system to operate within a government environment after completing the NIST Risk Management Framework assessment process. ATOs are required before any federal system goes live and must be continuously maintained -- typically reviewed annually and triggered by significant system changes.

CMMC (Cybersecurity Maturity Model Certification)

CMMC (Cybersecurity Maturity Model Certification) is the DoD's third-party verification program for cybersecurity practices on defense contracts. CMMC Level 2 -- required on most DoD contracts handling Controlled Unclassified Information by 2026 -- mandates independent assessment of all 110 NIST SP 800-171 practices by a Certified Third-Party Assessment Organization (C3PAO).

NIST SP 800-171

NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Any company that handles CUI under a DoD contract must implement all 110 requirements and submit a self-assessment score to the Supplier Performance Risk System (SPRS).

SOC 2

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates a software company's controls over security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report -- covering 6-12 months of operating effectiveness -- is increasingly required by enterprise buyers and is a de facto procurement requirement for B2B SaaS vendors.
