FedRAMP PMO · NIST 800-53 r5 · 3PAO-assessed · Agency-authorized

FedRAMP: the only door into federal cloud.

A government-wide program standing on NIST SP 800-53 Rev. 5, run by GSA’s FedRAMP PMO. Two paths to authorization, four impact levels, ~125 to ~420 controls, depending on which you draw. Cloud Service Providers selling to federal agencies do not have a choice. Without a FedRAMP authorization, the contract does not get signed.

Our stance: boundary accuracy is the only FedRAMP move that compounds. Every CSO component you scope in is a control burden you carry forever; every one you can leverage from an authorized provider, you don’t.

§ 0 · Why it matters

FedRAMP isn't a vendor badge. It's the gate to every federal cloud dollar.

  • Federal mandate: the FedRAMP Authorization Act of 2022; required for any cloud offering sold to a federal agency.
  • No ATO, no sale: an agency Authority to Operate is the eligibility gate. No authorization, no contract.
  • The boundary is the program: the authorization boundary is the single most-read, most-expensive decision in the package.
  • ConMon never stops: monthly scans, monthly POA&M, continuous monitoring. Authorization is a standing obligation.
  • Marketplace-visible: every federal contracting officer checks the FedRAMP Marketplace before signing.
What's at stake

FedRAMP is not a logo you license. It is the federal government's standardized authorization for cloud, and without it a Cloud Service Offering cannot be bought by a federal agency. The technical bar is real: a Moderate baseline runs roughly 325 NIST 800-53 r5 controls, a High baseline roughly 420, assessed by an independent 3PAO and authorized by a sponsoring agency's Authorizing Official. The authorization is not a one-time event: continuous monitoring runs monthly for the life of the offering, and a lapse can pull the offering from the Marketplace. The work is proving, every month, that the boundary still holds.

Authorization architecture

FedRAMP is a boundary, not a binder.
One authorized offering. Every control accounted for.

  • Authorization boundary
  • System Security Plan
  • 3PAO assessment
  • Agency ATO
  • Continuous monitoring
  • POA&M
  • FIPS-validated crypto
  • Marketplace listing
FedRAMP holds when the boundary is drawn right and the evidence keeps flowing — not when the binder is thick.

Federal cloud, authorized.

§ I · The program

What FedRAMP actually is, in plain English.

The one-line version

The federal government's standardized authorization for cloud — a full NIST 800-53 control assessment, an independent 3PAO report, and a sponsoring agency's signature. The rule, not a badge.

800-53 r5: ~325 / ~420 controls · 3PAO-assessed: independent · Agency ATO: an AO signs · Marketplace: public registry · ConMon: monthly, for life
The program, in full

FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that standardizes the security assessment, authorization, and continuous monitoring of cloud products used by federal agencies. It was established by an OMB memo in December 2011, codified into statute by the FedRAMP Authorization Act of 2022 (Title LIX of the FY23 NDAA), and is operated by GSA’s FedRAMP PMO on behalf of the federal CIO Council. It is not a private framework like SOC 2; it is not a law your competitors might dodge like a state privacy statute. If you are a Cloud Service Provider selling to a federal agency, FedRAMP is the rule.

The technical backbone is NIST SP 800-53 Rev. 5, the federal catalog of security and privacy controls, tailored by the FedRAMP PMO into baselines for Low, Moderate, and High impact levels (with a separate Li-SaaS tailoring for low-risk SaaS). A FedRAMP Moderate baseline is approximately 325 controls; High is approximately 420. Add program-specific overlays and agency-specific overlays for places like DoD IL4/5, and you have a heavyweight assessment regime that few firms walk through clean on the first try.

What gets authorized is your Cloud Service Offering (CSO): a defined system with a defined authorization boundary. The boundary diagram is the single most-read artifact in your whole package: it shows what is in scope, what is out, what services you leverage from already-authorized providers (think AWS GovCloud or Azure Government), and where federal data lives. Boundary mistakes are the most common, and most expensive, FedRAMP errors. A CSO authorized at Moderate by an agency lands on the FedRAMP Marketplace: the public registry every federal contracting officer checks before signing.

The boundary is the program

1. Inherit nothing — and you own all 325.
The agency sets your impact level. At Moderate that is roughly 325 NIST 800-53 r5 controls — and if you inherit nothing, every one of them is yours to implement, evidence, and monitor every month.

2. Build on an authorized provider.
Stand the offering up on AWS GovCloud or Azure Government and the physical, environmental, and infrastructure controls move to the provider's authorization. You inherit them — you don't rebuild them.

3. Split the shared controls honestly.
Read the leveraged provider's Customer Responsibility Matrix line-by-line. Identity, configuration, and monitoring get split honestly — not claimed wholesale, not owned twice.

4. Draw the boundary tight.
Scope the boundary to exactly the offering: what's in, what's out, what's customer-responsible. The 3PAO now assesses only what you actually run — a package nobody can argue with.

Controls you implement & monitor (interactive counter): ≈325 in the Moderate baseline. With nothing inherited, you own all 325. With the boundary drawn on a leveraged provider, ≈150 you implement and the other ~175 came from one decision — where the boundary sits.
§ II · Impact-level decoder

Which impact level do you need, and which baseline applies?

The agency sets your impact level under FIPS 199, on the worst-case impact of a breach to the data your CSO holds. Pick too low and you re-do the assessment a year later; too high and you carry control burden you didn’t need.

FedRAMP impact-level check (three questions)

1. What kind of data will the CSO process or store for the agency?
2. What is the worst-case availability impact if the CSO goes down?
3. Is the CSO a low-complexity SaaS: one app, no IaaS layer, low-risk data?

From those three answers we’ll tell you the likely FedRAMP baseline (Li-SaaS / Low / Moderate / High), whether DoD overlays are in play, and where the boundary work probably needs to start.
§ IV · Authorization route

Agency ATO vs JAB P-ATO: two doors, one of them just closed.

FedRAMP had two paths. Under the 2024 20x reform the JAB P-ATO is being wound down and the JAB replaced by the FedRAMP Board. Plan for an Agency ATO unless someone tells you otherwise in writing.

Default route · ~95% of new authorizations

Agency ATO

What this route involves

A sponsoring agency’s Authorizing Official issues the ATO from your SSP, the 3PAO’s SAR, and the POA&M — then it lands on the Marketplace for other agencies to reuse. You need a sponsor before you start.

  • Sponsor: an agency willing to authorize and host you
  • Authorizing Official: the single signatory of risk
  • Reuse: other agencies authorize off your package
  • Timeline: ~12–24 months for a first authorization
  • Cost: $500k–$2M+ across CSP, 3PAO, advisor
Legacy · being wound down

JAB P-ATO · replaced by FedRAMP Board

What this route involves

The Joint Authorization Board (DoD, DHS, GSA) issued P-ATOs any agency could leverage — but throughput of ~12 per year didn’t scale. The 2024 20x reform sunset the JAB; the new FedRAMP Board governs but does not issue P-ATOs.

  • Status: JAB sunset 2024, replaced by FedRAMP Board
  • Existing P-ATOs: continue under PMO oversight
  • New work: follows the Agency ATO path
  • FedRAMP Board: governance & strategy, not issuance
§ V · Authorization calendar

Engagement to ATO: realistic.

First-time Moderate authorizations historically ran 18–30 months; with a clean boundary and an engaged sponsor we plan for 12–18. The longest phase is almost always boundary & SSP — not the 3PAO assessment.

Mo 0–3 · Boundary & sponsor
Authorization-boundary diagram. Leveraged-authorization read-through (CRMs from AWS GovCloud / Azure Government / etc.). Impact-level brief for the agency. Sponsoring agency engagement. Output: signed sponsorship letter, draft boundary, FIPS 199 categorization.

Mo 2–9 · SSP & control implementation
SSP drafted control-by-control. Customer-responsibility matrix written. Inheritances claimed and documented. Gap-remediation: MFA, FIPS-validated crypto, audit retention, ConMon tooling. This is where 70% of the calendar lives.

Mo 7–12 · 3PAO readiness assessment
Optional but strongly recommended. RAR (Readiness Assessment Report) by an independent 3PAO. Identifies must-fix issues before the formal SAR. A clean RAR cuts months off the back end. POA&M opened for findings.

Mo 10–16 · Full SAR & pen-test
3PAO Security Assessment. Test plan against every applicable 800-53 r5 control. Penetration test scoped to FedRAMP pen-test guidance. SAR delivered with findings. Final POA&M consolidated.

Mo 14–18 · Agency review & ATO
Agency AO reads SSP / SAR / POA&M. Q&A rounds. Authorization decision. ATO letter issued; package posted to Marketplace. ConMon clock starts day one of operations.
Authorize once, reuse everywhere

One agency signs. It goes on the Marketplace. The next agency reuses it.
Authorize once. Sold government-wide.

A sponsoring agency’s Authorizing Official issues your ATO from the SSP, the 3PAO’s SAR, and the POA&M. One signature — and your offering is federally authorized.

The PMO posts your authorized package to the FedRAMP Marketplace — the public registry every federal contracting officer checks before they buy. You are now visible government-wide.

The next agency doesn’t start over. It reviews your existing package and issues its own ATO on top of it — weeks, not years. Every reuse is a sale you never re-earned.

This is the FedRAMP payoff: authorize once, sell to all of government. The deepest listings on the Marketplace are reused by dozens of agencies — each a contract at near-zero marginal assessment cost.

Agencies running your offering (counter): one authorization, reused across government. One package. 28 agencies and counting — each a federal contract won without re-assessing a single control.
Why teams hire Nexurion
§ VI · How Nexurion runs it

Senior partner from day one. Boundary-led from week one.

Partner-led from kickoff. Boundary-led from week one. The package is audit-ready before the 3PAO ever opens fieldwork.

How we run the engagement

Most FedRAMP programs we inherit were built backwards: someone bought a control-management platform, started writing SSP narratives, and discovered at the 3PAO RAR that the boundary diagram is internally inconsistent and the inheritances don’t match the leveraged provider’s CRM. We start somewhere else. The first eight to twelve weeks of every engagement are boundary work: what is the CSO, what does it leverage, where does federal data live, what is customer-responsible. The boundary diagram we produce in week eight often surprises CTOs; it always reduces the assessment surface meaningfully.

Once the boundary is locked, we run control implementation against the 3PAO’s eventual evidence list. We work shoulder-to-shoulder with engineering on FIPS-validated crypto and PIV-friendly authentication, with security on ConMon tooling and audit retention, with HR and supply chain on personnel screening and SBOM. We rehearse the harder narratives (SC-7 boundary protection, CA-7 ConMon strategy, SR-3 SCRM plan) before the 3PAO reads them. 3PAOs read them very carefully. Read our methodology.

The 3PAO is hired separately. We are scope & readiness; they are independent assessment. We’ve walked clean engagements with most major A2LA-accredited 3PAOs and will introduce you to firms calibrated to your impact level, agency context, and engagement temperament. The 3PAO you pick on day one is the 3PAO you should still want on day 365 of ConMon. Choose with that in mind. See engagement outcomes.

01
Senior partner, day one
The name on the engagement letter reads your evidence and sits in your stand-ups. No junior hand-off.
02
Boundary-led, week one
The first 8–12 weeks are boundary work — it cuts the assessment surface before a control is written.
03
Ready before the 3PAO
We rehearse SC-7, CA-7 and SR-3 narratives before the assessor ever reads them.
04
Independent of the 3PAO
We’re scope & readiness, never your assessor. No conflict, by design.
Engagement structure

Inherit first. Customer-responsible only when you must. Then argue about parameter values.

If you can leverage AWS GovCloud, Azure Government, or another FedRAMP-authorized provider for an entire control family, do that: you’ve dropped dozens of controls from your ownership without touching your code. If you must own a control, own it cleanly: one process, one tool, one piece of evidence. Every control you treat as half-inherited and half-yours becomes an audit conversation that takes longer than the control itself. Read the leveraged provider’s Customer Responsibility Matrix before you argue about a single parameter value.

What a senior partner prevents
§ VII · Where engagements stall

Six places FedRAMP programs go sideways.

After running these for years, the failure modes are remarkably consistent. The technical ones are easier than the organizational ones.

01 / Boundary drift

A diagram that doesn’t match the cloud.

Why it happens
Engineering ships a new microservice into the production VPC; the SSP boundary diagram still shows last year’s topology. The 3PAO walks the cloud config in week one and the boundary discussion eats a month. Boundary updates are part of significant-change management, not annual hygiene.
02 / Inheritance fantasy

Claiming controls the IaaS does not own.

Why it happens
A CSO inherits PE-3 (physical access) from AWS GovCloud (correct) but also tries to inherit AC-2 (account management) for its own application. That’s not how the CRM works. Read every leveraged-authorization CRM line-by-line. Inheritance is generous but not infinite.
03 / Non-validated crypto

AES-256 that isn’t FIPS-validated.

Why it happens
The algorithm is right; the module is not on the CMVP list. The 3PAO marks it. The remediation is to deploy a FIPS-validated module: sometimes a six-month project, sometimes a config flag. Catch this in week six, not week sixty.
04 / Personnel screening surprise

Tier 2 / Tier 4 only after hiring.

Why it happens
PS-3 requires federal-grade personnel screening for staff with privileged access. Companies discover this when their engineers can’t pass clearance, or when foreign-national restrictions pull people off the project. Plan personnel composition against the impact level before the SSP, not after.
05 / ConMon falls behind

Six monthly POA&Ms missed in a row.

Why it happens
ATO is the start, not the finish. Monthly scans, monthly POA&M updates, deviation requests, significant-change notifications: all on the agency’s desk on time. CSPs that go quiet on ConMon get suspended; in extreme cases, the ATO is rescinded. ConMon is a function, not a project.
06 / SSP reads like a brochure

Marketing prose where implementation detail belongs.

Why it happens
Each control implementation needs to describe what is implemented, how, and where: with enough specificity that a 3PAO can design a test against it. “We follow industry best practices” is a finding. Write SSPs the way you’d write a runbook.
§ VIII · The PMO & the 3PAOs

One PMO sets the rules. One 3PAO writes your SAR.

PMO sets the rules: templates, OSCAL, the Marketplace, the 20x agenda — but agencies authorize, not the PMO.
3PAO writes your SAR: A2LA-accredited, independent. RAR → SAP → the SAR the AO reads.
Agency AO signs: owns the risk — and the suspend / rescind call after an incident.
We’re readiness: we don’t sign your SAR; we make the package one the AO will sign.
How the PMO, the 3PAO, and the agency fit together

The FedRAMP PMO at GSA owns the templates, OSCAL packaging, the Marketplace and the reform agenda — but it does not authorize CSOs; a sponsoring agency’s Authorizing Official does. The FedRAMP Board (created by the 2022 Act, standing up under 20x) provides governance and replaces the old JAB.

A 3PAO is an A2LA-accredited firm that produces your RAR, SAP and SAR. Firms vary widely in depth, pen-test rigor, and how they handle change during ConMon — pick deliberately, because the 3PAO you choose on day one is the one you’ll see every month for as long as you hold the ATO. Our role is the inverse of theirs: we don’t sign your SAR, we make the package the 3PAO assesses one that earns the agency AO’s signature — and after an incident, that same AO decides whether the ATO continues.

§ IX · Cross-mapping

FedRAMP against the rest of the stack.

FedRAMP is the deepest cloud-control framework in commercial use, and most CSPs run it alongside one or more commercial frameworks for non-federal customers. Where they overlap; where they don’t.

The stack

Approximate control overlap with FedRAMP Moderate (diagram): StateRAMP ~90% · DoD CC SRG IL4/5 ~80% · CMMC Level 2 ~65% · ISO 27001 ~55% · SOC 2 Type 2 ~50% · HIPAA ~30%. Higher overlap means more of the work you do for FedRAMP carries directly into that framework. Detailed crosswalk below.

FedRAMP is the deepest control set.

Overlap with adjacent frameworks

StateRAMP · ~90%
Carries over: built explicitly on the FedRAMP framework for state & local agency cloud procurement. Sister program; same 800-53 control catalog.
Still needed: separate StateRAMP Marketplace listing & sponsorship; reciprocity is improving but not automatic.

DoD CC SRG (IL4 / IL5) · ~80%
Carries over: FedRAMP Moderate / High is the foundation; DoD adds an overlay for IL4/5/6 covering CUI / NSS / classified data.
Still needed: DISA Provisional Authorization (DISA PA) on top of FedRAMP. DoD-specific incident reporting, US-personnel and location requirements.

CMMC L2 · ~65%
Carries over: CMMC L2 is built on NIST 800-171, itself a tailoring of 800-53 Mod for non-federal systems holding CUI. Big overlap, different audience.
Still needed: FedRAMP applies to your cloud offering used by federal agencies; CMMC applies to defense contractors processing CUI on their own systems. Both can be in scope at once.

ISO 27001 : 2022 · ~55%
Carries over: Annex A maps cleanly to AC, IA, PE, AU, IR. The risk-based ISMS helps with RA-3 / RA-9.
Still needed: FedRAMP-specific parameter values, SSP narrative depth, FIPS validation, ConMon, US-personnel screening, OSCAL packaging.

SOC 2 Type 2 · ~50%
Carries over: ~50% of evidence; CC6 / CC7 / CC8 map to FedRAMP AC / AU / SI / CM. Useful starting point for Low / Li-SaaS readiness.
Still needed: full 800-53 r5 control set, FIPS-validated crypto, personnel screening, ConMon cadence, 3PAO assessment, agency sponsor.

HIPAA · ~30%
Carries over: FedRAMP’s privacy & access controls cover much of the HIPAA Security Rule mechanically.
Still needed: HIPAA Privacy Rule, BAA chain, breach-notification clock. Entirely separate from FedRAMP.
Reference & lookup

The rest of the page is reference material: the 800-53 r5 control families, the 20x reform, adjacent frameworks, frequently-asked questions, and field notes.
§ III · The control families

NIST 800-53 r5, tailored: how the families actually map to engagement work.

800-53 r5 organizes controls into 20 families. FedRAMP baselines tailor that catalog, so a Moderate baseline draws ~325 controls and parameter values across the families; High draws ~420. We group the families here as we group them in engagements: five operational clusters the 3PAO walks through. Each cluster below lists the heavy-hitter controls and the artifacts a 3PAO will demand.

Required · AC · IA · SC: Identity, access & boundary

Where the boundary is enforced. This is where most agency reviewers and 3PAOs spend their first month. If the SSP’s authorization-boundary diagram, the AC controls, and the SC-7 boundary-protection narrative don’t agree with each other, and with the actual cloud config, everything else gets paused until they do.

AC-2 / AC-6
Account management & least privilege
Account-lifecycle procedures: provisioning, modification, disable, removal. Periodic review (annual + on personnel change). Privileged-account inventory. Separation of duties. Service / break-glass accounts inventoried and monitored.
IA-2 / IA-5
MFA & authenticator management
Phishing-resistant MFA for all privileged access (post-OMB M-22-09). PIV / CAC accepted for federal users. FIPS-validated authenticators. Authenticator policy: complexity, lifetime, revocation, replay protection.
SC-7
Boundary protection
Documented boundary diagram. Managed interfaces at every external connection. Deny-by-default; allow-by-exception. Interconnections to federal systems require an Interconnection Security Agreement.
SC-8 / SC-13
Transmission & cryptography
FIPS 140-3 (or 140-2 in transition) validated cryptographic modules. TLS 1.2+ (1.3 preferred). Documented inventory of CMVP certs. Non-validated crypto is a finding even if the algorithm is “the same.”
SC-12 / SC-28
Key management & data at rest
Documented KMS lifecycle. CMVP-validated. AES-256 at rest for federal data. HSM-backed for High. Key rotation, escrow, dual control where required.

Required · SI · SC · CM: System & information integrity

Vulnerability management, malicious-code protection, change control. r5’s SR family (supply-chain risk) leans heavily on these too. Patch cadence and CVE response are line items on every monthly ConMon report, and the most common reason a CSO loses authorization between assessments.

SI-2
Flaw remediation & patch cadence
FedRAMP-defined SLAs: high-severity vulns within 30 days, moderate within 90, low within 180 (from scan date). POA&M items opened for misses. Vendor-EOL patches tracked separately.
SI-4
System monitoring
Continuous monitoring at the boundary, host, and application layer. IDS / IPS where applicable. Anomalous-behavior detection tuned to the CSO, not generic vendor defaults.
SI-7
Software / firmware integrity
Integrity-verification tools deployed; alerts on unauthorized change to system / application files. Signed-image deployment. Tamper-evident logs.
CM-3 / CM-6
Change control & baselines
Documented configuration baselines per system type (CIS / DISA STIG). Change-control board for material changes. Significant Change requests filed with the agency / PMO ahead of time.
CM-7 / CM-8
Least functionality & inventory
Periodic review of installed software / services / ports. Authorized-software list. Component inventory accurate (spot-checked by 3PAO).
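The SI-2 windows above are what the monthly POA&M line items are measured against. As an added example (not Nexurion's or the PMO's tooling; the CSV layout, field names and the sample rows are constructed), this ages a scanner export against those SLAs from the scan date and reports vendor-dependent items in their own bucket, as the page says they are tracked separately:

```python
"""POA&M aging against the FedRAMP SI-2 remediation SLAs quoted on this page:
high within 30 days, moderate within 90, low within 180, counted from the
scan date that first reported the finding. Added example; the CSV layout,
field names and sample rows are constructed, not a real scanner export."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SI-2 windows in days from the scan date (values quoted on the page).
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Constructed sample export (assumed layout). 'closed' is empty while open;
# 'vendor_dependency' marks vendor / EOL items that are tracked separately.
SAMPLE_EXPORT = """\
poam_id,severity,first_detected,vendor_dependency,closed
V-1001,high,2024-05-02,no,
V-1002,high,2024-05-02,no,2024-05-20
V-1003,moderate,2024-02-10,no,
V-1004,low,2024-01-05,no,
V-1005,moderate,2024-03-01,yes,
V-1006,high,2024-04-01,no,2024-05-15
"""


@dataclass(frozen=True)
class Finding:
    poam_id: str
    severity: str
    first_detected: date            # scan date that first reported it
    vendor_dependency: bool
    closed: Optional[date] = None

    @property
    def due(self) -> date:
        """SLA deadline: scan date plus the window for this severity."""
        return self.first_detected + timedelta(days=SLA_DAYS[self.severity])


def parse_findings(text: str) -> list[Finding]:
    """Parse the (assumed) CSV export; reject severities the SLA table lacks."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"{row['poam_id']}: unknown severity {sev!r}")
        closed = row["closed"].strip()
        findings.append(Finding(
            poam_id=row["poam_id"].strip(),
            severity=sev,
            first_detected=date.fromisoformat(row["first_detected"].strip()),
            vendor_dependency=row["vendor_dependency"].strip().lower() == "yes",
            closed=date.fromisoformat(closed) if closed else None,
        ))
    return findings


def status(finding: Finding, as_of: date) -> str:
    """Classify one finding for the ConMon report dated `as_of`."""
    if finding.closed is not None:
        return "closed-late" if finding.closed > finding.due else "closed-on-time"
    if finding.vendor_dependency:
        return "vendor-dependency"   # still open, but reported in its own bucket
    return "overdue" if as_of > finding.due else "open"


def conmon_summary(findings: list[Finding], as_of: date):
    """Return (counts by status, overdue items as (poam_id, days late), oldest due first)."""
    counts: dict[str, int] = {}
    overdue = []
    for f in findings:
        s = status(f, as_of)
        counts[s] = counts.get(s, 0) + 1
        if s == "overdue":
            overdue.append((f.due, f.poam_id, (as_of - f.due).days))
    overdue.sort()
    return counts, [(pid, late) for _, pid, late in overdue]


def run_sample(as_of_iso: str = "2024-06-03"):
    """Age the constructed export as of the given report date."""
    return conmon_summary(parse_findings(SAMPLE_EXPORT), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    counts, overdue = run_sample()
    print("status counts:", counts)
    for poam_id, days_late in overdue:
        print(f"  {poam_id}: {days_late} days past SLA")
```

Each overdue item is what a POA&M miss looks like on the monthly report; the closed-late count is the same miss seen after the fact.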

Required · AU · IR · CP: Audit, incident, contingency

Logging, incident response, contingency planning. Federal incident reporting is on a one-hour clock to US-CERT for confirmed major incidents, and agency contracts often add tighter notification windows on top. The CP family asks if you can actually fail over and recover; tabletop exercises are the artifact of choice.

AU-2 / AU-3 / AU-12
Audit events & content
Auditable events list reviewed annually. Required content per record. Audit generation enabled across all in-scope systems. Time-sync to authoritative source (NTP w/ FIPS-validated where applicable).
AU-6 / AU-11
Audit review & retention
Daily review (automated + sampled human). 12-month online retention; 3-year offline retention per FedRAMP. Logs of log-system access kept separately.
IR-4 / IR-6
Incident handling & reporting
Documented IR plan; tested annually. Confirmed major incidents reported to US-CERT within 1 hour + agency notifications per the agency’s incident appendix. Forensic readiness procedures.
CP-2 / CP-4
Contingency plan & testing
Documented CP. Annual testing for Moderate; tabletop + functional for High. Recovery objectives (RTO / RPO) per agency expectations. After-action report into POA&M.
CP-9 / CP-10
Backup & recovery
Backup of user-level + system-level info per defined frequency. Backup integrity testing. Recovery exercises that prove the RTO, not just the procedure.

Required · RA · CA · PL: Risk, assessment & authorization

The package itself. SSP, SAR, POA&M, ConMon. The artifacts the 3PAO and the agency authorizing official actually read. r5 introduced a sharper risk-management posture (RA-3 enhancements, RA-9 critical-component identification) that aligns with NIST RMF and the FedRAMP-required risk register.

RA-3 / RA-5
Risk assessment & vuln scanning
Documented risk-assessment process, repeated on significant change. Authenticated vulnerability scans of OS, web app, and database, monthly minimum. Findings tracked into POA&M with SI-2 SLAs.
CA-2 / CA-7
Security assessment & ConMon
Annual security assessment (3PAO-performed). Continuous monitoring per FedRAMP ConMon strategy: monthly POA&M, monthly scan results, deviation requests, significant-change notifications. Annual is the floor; monthly is the rhythm.
CA-3 / CA-9
Interconnections
Documented ISA / MOU per external connection. Internal-system connections inventoried under CA-9. Federal-agency interconnections re-papered at agency cadence.
PL-2 / PL-8
SSP & security architecture
System Security Plan: the central document. Authorization boundary, control implementations, customer responsibility, leveraged authorizations, parameter values. Updated on every significant change, not annually.
PL-4 / PL-10
Rules of behavior & baseline tailoring
Documented rules-of-behavior, signed by users. PL-10 codifies the FedRAMP baseline tailoring: the parameter values you set, the controls inherited, the controls flagged customer-responsible.

Required · PS · PE · MP · SR: Personnel, physical, media, supply chain

The families that catch most readiness teams off guard. Personnel screening at federal Tier 2 / Tier 4 levels for Moderate / High, not the same as a vendor background check. Physical controls live with the leveraged provider in most CSOs but are inherited explicitly. SR (supply chain), introduced in r5, is the family that keeps growing.

PS-3
Personnel screening
Federal personnel-security screening at Tier 2 (Mod) or Tier 4 (High) for staff with privileged access. National-agency check minimum. Re-investigation cadence per OPM. Foreign-national restrictions per agency.
PE-3
Physical access
Largely inherited from FedRAMP-authorized IaaS. The CSP must explicitly inherit, not silently assume. Customer-responsibility for any CSP-operated facilities, even ancillary (corporate offices touching dev / build).
MP-6
Media sanitization
NIST SP 800-88 procedures. Records of sanitization for all media leaving the boundary. Cloud-provider attestation for inherited media-handling.
SR-3 / SR-5
Supply-chain controls
Documented SCRM plan. Component-supplier inventory. Acquisition strategies for critical components, new in r5, inspected closely on new authorizations.
SR-11
Component authenticity
Anti-counterfeit & tamper-detection processes. SBOM where applicable. EO 14028 / OMB M-22-18 secure-software self-attestation overlays here.
§ X · FedRAMP 20x & the move to 800-53 r5

The biggest reform since 2011.

FedRAMP 20x is a reform program launched by the FedRAMP PMO in 2024 following the codification of FedRAMP into statute by the FedRAMP Authorization Act of 2022. The headline goals are speed (compress authorizations from years to months), automation (machine-readable packages via OSCAL), and reuse (cleaner inheritance, common-control catalogs). The first technical pilots launched in 2024-25; widespread adoption is rolling out through 2026. This is the biggest structural change to FedRAMP since the program began.

  • Statutory grounding. The FedRAMP Authorization Act of 2022 (Title LIX, FY23 NDAA) put FedRAMP in law. The PMO now operates under a statutory mandate, not just an OMB memo. It also established the FedRAMP Board, which replaced the JAB.
  • Move to 800-53 r5. The baselines are tailored against NIST SP 800-53 Rev. 5, including the new Supply Chain Risk Management (SR) family, expanded privacy controls, and refined parameter conventions. r4 baselines have been retired.
  • OSCAL-first packages. The PMO is moving to require OSCAL (Open Security Controls Assessment Language) for SSPs, SARs, and POA&Ms. Machine-readable packages enable automated reuse and continuous authorization. Tooling is maturing; expect this to be required, not optional, going forward.
  • 20x technical pilots. Streamlined authorization for low-risk SaaS and infrastructure leveraging existing authorizations. Faster review cadences. Continuous-authorization-style models for mature CSPs with strong ConMon track records.
  • JAB sunset. The Joint Authorization Board has been replaced by the FedRAMP Board. New authorizations go via the agency-ATO route. Existing JAB P-ATOs continue under PMO oversight.
  • EO 14028 / M-22-09 / M-22-18 overlays. Phishing-resistant MFA, secure-software self-attestation, SBOM expectations, layered onto FedRAMP via PMO guidance and agency contract clauses.

Read our deeper take in Field Notes Vol. VII: “FedRAMP 20x: what readiness firms should be doing now to prepare for OSCAL-first packages.”

§ XI · Pairs with

FedRAMP is rarely the only framework.

A short list of what we typically scope alongside it, in order of how often the question comes up.

§ XII · FAQ

Frequently asked.

Are we FedRAMP certified after a clean ATO?
No, but it’s the closest FedRAMP gets. You are FedRAMP-authorized at the granted impact level, by a specific agency Authorizing Official, for a specific Cloud Service Offering. The artifact is an ATO letter from the agency; the public listing is on the FedRAMP Marketplace. There is no “FedRAMP certified” logo; marketing should say “FedRAMP Moderate authorized via [Agency], package on the FedRAMP Marketplace.”
What does a FedRAMP engagement cost?
Three costs to separate. Nexurion readiness: $250–800k for a Moderate first-time authorization depending on stack complexity, current posture, and whether a 3PAO RAR is included (senior-led, boundary-first, evidence pre-built). 3PAO assessment: $200–700k separately, paid to the assessor firm, scope-driven. Internal investment: commonly $500k–$2M+ in tooling, FIPS-validated infra, personnel screening, and engineering remediation. We do not collect 3PAO fees, and we do not refer to a 3PAO we have a financial relationship with.
Do we need an agency sponsor to start?
For a full ATO, eventually yes: an agency Authorizing Official has to sign. You can do prep work before sponsorship: boundary, SSP, 3PAO RAR, control implementation, ConMon tooling. But the ATO itself requires a sponsoring agency to land. Many CSPs land sponsorship through a small initial contract or pilot with an agency that needs the offering. If you don’t know your sponsor by month 6 of readiness, that’s a flag.
Is FedRAMP Tailored / Li-SaaS the easy mode?
For a narrow set of low-risk SaaS, yes: the Li-SaaS baseline tailors a much smaller control set against the FedRAMP Low impact level. Eligibility is strict: no PII (beyond login credentials), no CUI, no federal-financial data, single SaaS application, no IaaS / PaaS layer of your own. The 20x reform is expected to expand and modernize this lane. If you genuinely qualify, Li-SaaS is the right starting point; if you don’t, claiming it just means redoing the assessment as Moderate later.
Can we leverage AWS GovCloud and call it done?
No, but you can leverage GovCloud (or Azure Government, Google for Government, etc.) for a meaningful share of your control set. The leveraged provider’s ATO covers their layer of the stack; your CSO sits on top and inherits some controls, customer-shares others, and owns the rest. Read the leveraged provider’s Customer Responsibility Matrix line-by-line before drawing your boundary: it tells you exactly which controls you can inherit, which you must own, and which are shared.
Does SOC 2 satisfy FedRAMP?
No. They overlap meaningfully on access control, logging, and change management, but SOC 2 has no concept of a FedRAMP impact level, no 800-53 control catalog, no FIPS-validation requirement, no federal personnel screening, no agency Authorizing Official, no Marketplace listing. A clean SOC 2 report is good supporting evidence in a FedRAMP engagement; it is not an ATO.
What changed under FedRAMP 20x?
Three things, in plain terms. One: the JAB sunset; new authorizations go via the agency-ATO path, with the FedRAMP Board providing governance. Two: the move to NIST 800-53 r5 baselines, including the SR (supply-chain) family. Three: a push toward OSCAL-native machine-readable packages, faster review cadences, and continuous-authorization-style models for mature CSPs. The reform is being rolled out in stages through 2026; expect more change, not less.
What about continuous monitoring: how heavy is it?
Heavier than most teams plan for. Monthly: vulnerability-scan results, POA&M update, deviation requests if you have them, significant-change notifications if applicable. Annually: control assessment by a 3PAO, contingency-plan test, security-controls re-assessment, agency review meeting. Continuously: incident reporting on US-CERT’s clock and the agency’s tighter clock, log retention, configuration baseline maintenance. CSPs that go quiet on ConMon get suspended; in extreme cases, the ATO is rescinded. Plan for ConMon as a function with named owners, not a quarterly project.
§ XIII · From the Brief

Field notes on FedRAMP.

Pieces from Nexurion Field Notes directly relevant to the program.

FedRAMP on the calendar? Get the 5-minute boundary memo.

Five questions. One reply. Within 48 hours, a senior practitioner sends a written boundary memo: the impact level you should be planning for, the leveraged authorization you should be building on, an honest read on your sponsor situation, and a realistic calendar to a clean agency ATO. The booking link is at the bottom of the memo.