
What is FedRAMP? A plain-English primer for SaaS founders

What is FedRAMP: the OMB-mandated program that authorizes cloud services for US federal use. Impact levels, JAB vs Agency paths, what a 3PAO does.


A federal agency prospect asks for your FedRAMP authorization. You open the FedRAMP Marketplace, see a list of 300-odd authorized cloud services, do not see yourself on it, and try to work out what the next twelve months of your life look like.

This post is the primer we wish existed the first time a US SaaS company we work with hit that exact moment. It covers what FedRAMP actually is, the four impact levels, the two authorization paths, what a 3PAO does, the document stack, and the parts of the timeline and budget that catch founders out.

What FedRAMP is

FedRAMP is the Federal Risk and Authorization Management Program, an OMB-mandated program that standardizes how US federal agencies assess, authorize, and monitor the cloud services they buy. Instead of every agency running its own cloud security review, FedRAMP produces a single package of evidence that any agency can reuse. The FedRAMP Marketplace is the public directory of authorized cloud service offerings, authorizing agencies, and recognized 3PAOs.

The legal backbone is OMB Memorandum M-24-15 (the 2024 update to the original 2011 memo) and the FedRAMP Authorization Act of 2022. Together they make FedRAMP authorization the baseline any cloud service needs before a federal agency can use it with anything beyond public, non-sensitive data.

Who runs FedRAMP

The FedRAMP Program Management Office (PMO) sits inside the General Services Administration (GSA) and runs the program day to day: the Marketplace, the templates, the reviewer pool, the policy updates.

The security baseline itself comes from NIST SP 800-53 Rev 5. FedRAMP does not invent controls. It selects and tailors a subset of 800-53 for each impact level and adds a handful of FedRAMP-specific parameters. SOC 2 uses a different catalog (the AICPA Trust Services Criteria), but many of the same underlying control activities (access reviews, change management, logging, vulnerability management) show up in a SOC 2 Type II program, which is why evidence reuse between the two is so efficient.

Historically, the Joint Authorization Board (JAB), made up of the CIOs of DoD, DHS, and GSA, issued Provisional Authorizations (P-ATOs) for cloud services with broad federal demand. The 2024 memo retired the JAB and replaced it with a FedRAMP Board that sets program policy rather than reviewing individual packages, but most in-market content still uses JAB language. Either way, the board matters far less to you than the Agency path, which we will get to.

Impact levels: Low, Moderate, High, Li-SaaS

Your impact level is not a sales choice. It is driven by FIPS 199 categorization of the information your service will handle for the agency, scored separately for confidentiality, integrity, and availability. The overall level is the high-water mark: if any one of the three comes out Moderate, the system is Moderate.

  • Low, about 155 controls under the Rev 5 baseline. Data whose loss would cause limited adverse effect. Public-facing information, low-sensitivity workflows.
  • Moderate, about 325 controls. The workhorse level. Most non-public federal data that is not classified or law-enforcement-sensitive lives here. If you are a generic B2B SaaS selling to civilian agencies, this is almost certainly your target.
  • High, about 410 controls. Data whose loss would cause severe or catastrophic effect. Law enforcement, emergency services, financial systems, health data for federal populations.
  • Li-SaaS (FedRAMP Tailored for Low-Impact SaaS), a lighter baseline of a few dozen assessed controls for SaaS that meets specific criteria: low-impact data only, no PII beyond what is needed to log in, hosted on an already-authorized IaaS, typically collaborative or productivity-style tools. Useful when it fits, but it fits a narrower set of products than founders hope.

Pick the wrong level and you rebuild the package. Have your prospective agency sponsor sign off on the FIPS 199 categorization before you scope anything with a 3PAO.

The two authorization paths: JAB P-ATO vs Agency ATO

There are two ways a cloud service gets authorized. Both produce a package on the Marketplace that other agencies can reuse.

JAB P-ATO (Provisional ATO). The board reviewed your package and issued a provisional authorization. This door was reserved for cloud services with demonstrated demand across multiple agencies, selected through a competitive "FedRAMP Connect" process a few times a year, and very few CSPs ever went through it. The 2024 memo retired the JAB, so for a new entrant today treat this path as closed and plan on the Agency path.

Agency ATO. A specific federal agency acts as your sponsor. Their Authorizing Official reviews the package and issues the ATO for their own agency's use. Once issued, the package is posted on the Marketplace and any other agency can review and issue their own ATO on top of it without repeating the assessment.

The Agency ATO is the path the overwhelming majority of CSPs now take. It requires a named agency sponsor who actually wants to use your product, which is the real gating item. If you have no federal customer asking for FedRAMP, you do not have an Agency ATO path.

What a 3PAO is and does

A 3PAO (Third Party Assessment Organization) is an independent assessor accredited by A2LA against FedRAMP's accreditation criteria (based on ISO/IEC 17020). The 3PAO performs the security assessment: they review your System Security Plan, write the Security Assessment Plan (SAP) and execute its test cases, run the vulnerability scans, penetration test, and evidence sampling, and draft the Security Assessment Report (SAR) that becomes the core of your authorization package.

A 3PAO is a required participant. Your agency sponsor will not accept an ATO package without 3PAO testing, and the JAB never did.

SecurancePro is not a 3PAO. We are a CPA firm. We perform SOC 1, SOC 2, and SOC 3 attestations. We do not assess FedRAMP packages, we do not write SARs, and we cannot issue the 3PAO sign-off you need for an Agency ATO. What we do, for clients heading toward FedRAMP, is run the SOC 2 or SOC 1 engagement that sits alongside it. Many of the control activities overlap heavily with the NIST 800-53 Moderate baseline, so the evidence library built for your SOC 2 Type II becomes reusable input for the 3PAO. If you want to see how buyers read that SOC 2, we wrote a short field guide on exactly that.

The 3PAO tests. A consultant (or an internal team) gets you ready. The CPA firm attests to your SOC 2. Three different roles, three different organizations, for the same reason ISO 27001 keeps its certification body separate from its consultants: the party that helped you build the controls cannot be the party that independently tests them.

The documentation stack

Every FedRAMP package is built around four core documents. You will spend most of your twelve months inside these four files.

  • System Security Plan (SSP). The authoritative description of your system and how every applicable 800-53 control is implemented. FedRAMP publishes the SSP template; expect a 300–500 page document when you finish.
  • Security Assessment Report (SAR). The 3PAO's report of what they tested and what they found. Findings feed directly into the POA&M.
  • Plan of Action and Milestones (POA&M). The living tracker of open findings, their severity, their remediation due dates, and who owns them. The POA&M never empties; agencies expect to see it tended, not closed. Due dates are set by severity from the date of discovery, and an overdue High finding is the kind of thing that prompts an uncomfortable conversation with your sponsor.
  • Continuous monitoring (ConMon) artifacts. Monthly deliverables (vulnerability scan results, an updated POA&M, a current system inventory), an annual 3PAO assessment of a subset of controls, and significant-change requests before you materially alter the authorized boundary. Authorization is not the finish line; it is the point at which ConMon starts.
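The one piece of ConMon that bites every first-time CSP is POA&M deadline tracking, so here is an added example of the bookkeeping, written for this post rather than taken from any FedRAMP template or tooling. It applies the FedRAMP ConMon remediation windows (High findings within 30 days of discovery, Moderate within 90, Low within 180) to a constructed list of scan findings and reports what is open, what is overdue, and by how many days. The finding IDs, dates, and the `Finding` structure are assumptions made for the example.

```python
"""POA&M due-date tracker for FedRAMP continuous monitoring.

Added example for this post; not code from FedRAMP, GSA, or any 3PAO.
The remediation windows are the FedRAMP ConMon requirement (High 30 days,
Moderate 90, Low 180, counted from discovery). The findings below are
constructed sample data, not real scan results.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Days allowed from discovery to remediation, by FedRAMP severity.
REMEDIATION_DAYS: Dict[str, int] = {"High": 30, "Moderate": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    """One POA&M line item (structure is an assumption for this example)."""
    poam_id: str
    severity: str                    # "High", "Moderate", or "Low"
    discovered: date                 # date the finding first appeared in a scan
    closed: Optional[date] = None    # None while the finding is still open


def due_date(finding: Finding) -> date:
    """Remediation deadline: discovery date plus the window for its severity."""
    if finding.severity not in REMEDIATION_DAYS:
        raise ValueError(f"unknown severity {finding.severity!r} on {finding.poam_id}")
    return finding.discovered + timedelta(days=REMEDIATION_DAYS[finding.severity])


def days_overdue(finding: Finding, as_of: date) -> int:
    """Days past the deadline as of the report date; 0 if on time or closed."""
    if finding.closed is not None:
        return 0
    return max(0, (as_of - due_date(finding)).days)


def poam_status(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Summary an agency ISSO would expect in the monthly ConMon package."""
    open_items = [f for f in findings if f.closed is None]
    overdue = {f.poam_id: days_overdue(f, as_of) for f in open_items
               if days_overdue(f, as_of) > 0}
    return {
        "open": len(open_items),
        "overdue": overdue,                                   # id -> days late
        "overdue_high": sorted(f.poam_id for f in open_items
                               if f.severity == "High" and f.poam_id in overdue),
    }


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("V-0001", "High", date(2025, 1, 6)),                          # due 2025-02-05
    Finding("V-0002", "Moderate", date(2025, 1, 6)),                      # due 2025-04-06
    Finding("V-0003", "Low", date(2024, 6, 3)),                           # due 2024-11-30
    Finding("V-0004", "High", date(2025, 1, 6), closed=date(2025, 1, 20)),  # remediated
]
REPORT_DATE = date(2025, 3, 1)  # the monthly ConMon reporting date for this run


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.poam_id} {f.severity:8} due {due_date(f)} "
              f"late {days_overdue(f, REPORT_DATE):3}d")
    print(poam_status(SAMPLE_FINDINGS, REPORT_DATE))
```

The point of keeping this as code rather than a spreadsheet column is that the deadline is a function of severity and discovery date, not something anyone edits by hand; if a finding gets re-rated, the due date moves with it and the audit trail stays honest.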

If you are already maintaining something like an Annex A evidence library for ISO 27001, a lot of the control narrative work is reusable. The numbering is different; the underlying practices mostly are not.

Timeline and cost reality

The honest picture: FedRAMP Moderate, Agency ATO path, first time, with a product that is already running on a FedRAMP-authorized IaaS like AWS GovCloud or Azure Government, takes twelve to twenty-four months from decision to ATO. The split is roughly:

  • Three to six months of pre-work: environment build-out, documentation, control implementation, internal readiness.
  • Three to six months of 3PAO assessment.
  • Three to nine months of agency review, back-and-forth on findings, and the ATO decision itself.

Costs are in the high six to seven figures all-in. 3PAO fees alone run into the mid-six-figures for a Moderate package. Add FedRAMP-specific engineering work (FIPS 140-validated cryptography everywhere federal data is in transit or at rest, boundary hardening, often a separate GovCloud environment), full-time or near-full-time program staff, your advisory costs, and ongoing ConMon.

The smallest credible FedRAMP Moderate program we have seen a client run had two full-time people on it for the eighteen months leading up to ATO.

When NOT to pursue FedRAMP

FedRAMP is a revenue decision, not a security decision. It is the right call when you have a real federal pipeline that cannot close without it. It is the wrong call in a few specific situations:

  • No actual federal customer pipeline. If no agency has named you as a preferred vendor and no contract is contingent on authorization, you are paying seven figures for a marketplace listing. Get the sponsor first.
  • You are selling into DoD programs that need IL4 or IL5. DoD Impact Levels 4 and 5 are a separate DISA-run authorization regime that starts from a FedRAMP Moderate or High baseline and adds DoD-specific controls. If your buyer is DoD-only, plan for the IL path, not civilian FedRAMP alone.
  • Your customers are state and local government. Most state and local agencies do not require FedRAMP, and a FedRAMP package is usually accepted there only as supporting evidence rather than as an authorization. The overlay for that market is StateRAMP (rebranded GovRAMP in 2025), which reuses FedRAMP templates and NIST baselines but is run separately.
  • Your customers are federal healthcare contractors or HHS components handling federal ePHI. FedRAMP alone is not enough here: it is still the cloud authorization vehicle, but the HIPAA Security Rule sits on top of it and has to be scoped separately. Who the HIPAA Security Rule applies to covers that scope question.

Adjacent programs you will hear about

StateRAMP. State and local equivalent. Same NIST 800-53 baselines, different governance, different marketplace. Worth considering if your federal pipeline is really state-and-local in disguise.

CMMC 2.0. DoD's contractor cybersecurity regime, separate from FedRAMP, targeting defense-industrial-base companies handling Controlled Unclassified Information. If you sell to DoD primes or subs rather than civilian agencies, CMMC is the program to understand first. We walk through levels and assessor roles in CMMC 2.0 explained.

SOC 2. Not a federal program, but the attestation that most commonly sits underneath a FedRAMP effort in a US SaaS company. If you have not picked a SOC 2 scope yet, start here before you scope anything federal.

What to do before you engage a 3PAO

  1. Get a named federal agency sponsor. In writing, with an owner you can email. Without one, stop here.
  2. Confirm the FIPS 199 categorization with that sponsor. Low, Moderate, High, or Li-SaaS is a sponsor decision, not a CSP decision.
  3. Pick your FedRAMP-authorized IaaS landing zone and stand up the environment. GovCloud, Azure Government, and GCP Assured Workloads are the usual options.
  4. Build the SSP outline and map existing SOC 2 or ISO 27001 evidence to 800-53 controls. Expect something like 60–70% of the Moderate baseline to have at least partial evidence already; the gaps cluster in the FedRAMP-specific areas (boundary definition, FIPS-validated crypto, ConMon tooling).
  5. Then shortlist three 3PAOs from the A2LA-accredited list on the FedRAMP Marketplace and get quotes.

The order matters. Companies that sign a 3PAO contract before they have a sponsor or a stood-up environment almost always renegotiate that contract, at cost.


If you are lining up FedRAMP and need the SOC 2 or SOC 1 attestation that sits alongside it (one evidence library, two frameworks, no 3PAO work on our end), get in touch. Our services overview covers exactly where we fit and where we do not.
