
A Guide to FedRAMP: FAQs & Key Takeaways

Updated on May 26, 2025

    There’s a whole lot to know about FedRAMP, and while there are countless resources available that ensure information on the subject is in no short supply, it can be daunting to sift through, especially when what you really need are quick, straightforward answers.

    That’s why our team at Anchore put together this comprehensive list of FedRAMP FAQs, complete with real-world perspectives and examples where you need them most. Simply find your question in the table of contents on the left, jump down to find the answer, and bookmark this page for when you have future FedRAMP questions and need an answer in a pinch.


    Some Background on FedRAMP

    What is FedRAMP? What purpose does it serve? 

    FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a US Federal compliance program. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. 

    Essentially, it enables federal agencies to take advantage of the latest SaaS/Cloud offerings. The last 15 years have seen the software industry transition from a perpetual license business model to a subscription business model. What this means is that the most innovative software with the highest productivity gains is only available via a SaaS/Cloud deployment model, which effectively barred federal agencies from an entire generation of software vendors. FedRAMP was created to address this gap.

    The main purposes FedRAMP serves are—

    • Ensuring security: It establishes a set of standardized security requirements for cloud service providers (CSPs) who want to work with federal agencies.
    • Promoting efficiency: By creating a “do once, use many times” framework, FedRAMP reduces the time and cost associated with security assessments for both government agencies and CSPs.
    • Enhancing consistency: It provides a uniform process for assessing and authorizing cloud services across different federal agencies.
    • Increasing confidence: FedRAMP helps federal agencies feel more confident in adopting cloud technologies by ensuring that approved services meet rigorous security standards.
    • Supporting modernization: By streamlining the adoption of secure cloud services, FedRAMP aids in the federal government’s IT modernization efforts.

    What are the governing bodies of FedRAMP? 

    FedRAMP has several key governing bodies that oversee its operations and ensure its effectiveness.

    FedRAMP Program Management Office (PMO)

    The FedRAMP PMO serves as the operational hub of the FedRAMP program with several key responsibilities:

    • Reviewing and auditing FedRAMP documents/deliverables
    • Updating CSP FedRAMP status on the FedRAMP Marketplace
    • Developing and maintaining FedRAMP processes, templates, and guidance
    • Coordinating between agencies, cloud service providers, and 3rd-party assessment organizations (3PAOs)

    Office of Management and Budget (OMB):

    National Institute of Standards and Technology (NIST):

    These bodies work together to ensure that FedRAMP remains effective, up-to-date, and aligned with federal cybersecurity needs. Their collaborative efforts help maintain the program’s integrity and its ability to serve federal agencies and cloud service providers effectively.

    What’s the difference between FedRAMP & FISMA? 

    The Federal Information Security Management Act of 2002 (FISMA) is a federal law that requires all federal agencies to implement an information security program to protect the agency’s data. FedRAMP is a compliance program that proves a cloud service provider is in compliance with FISMA and can be adopted by federal agencies.

    Here are the key differences:

    1. Purpose:

    • FISMA: Establishes a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.
    • FedRAMP: Provides a standardized approach specifically for assessing, authorizing, and continuously monitoring cloud products and services.

    2. Scope:

    • FISMA: Applies to all federal agencies and their information systems, including both cloud and non-cloud systems.
    • FedRAMP: Focuses exclusively on cloud service providers (CSPs) used by federal agencies.

    3. Authorization Approach:

    • FISMA: Each agency is responsible for authorizing its own systems (self-authorization).
    • FedRAMP: CSPs must go through a formal authorization process managed by the FedRAMP PMO (third-party). After achieving FedRAMP authorization, a CSP’s service can be reused by any other federal agency without repeating the full assessment.

    4. Historical Context:

    • FISMA: Enacted in 2002 (updated in 2014 as FISMA Reform Act) to address overall federal information security.
    • FedRAMP: Established in 2011 specifically to support the government’s cloud-first initiative.

    Making the Decision to Pursue FedRAMP ATO

    Who needs to be FedRAMP certified? 

    FedRAMP certification is primarily required for:

    (Figure: FedRAMP Stakeholder Diagram)

    Cloud Service Provider (CSP)

    Any company offering cloud-based products or services that wants to do business with US federal government agencies needs to be FedRAMP certified. This includes:

    • Software-as-a-Service (SaaS) providers: e.g., Salesforce, Atlassian, Zoom, etc.
    • Infrastructure-as-a-Service (IaaS) providers: e.g., Amazon Web Services, Microsoft Azure, Google Cloud, etc.
    • Platform-as-a-Service (PaaS) providers: e.g., Cloudflare Workers developer platform, Vercel, DigitalOcean App Platform, etc.

    Sponsoring Federal Agency

    A US federal agency acts as the “sponsor” for CSPs pursuing their initial FedRAMP authorization. While agencies don’t get FedRAMP-authorized themselves, they are required to use FedRAMP-authorized cloud services for their deployments that involve controlled—but not classified—data. This includes agencies like:

    • Department of Commerce (DoC)
    • Centers for Disease Control and Prevention (CDC)
    • Food and Drug Administration (FDA)
    • United States Secret Service (USSS)

    It’s important to note that non-cloud software products and services used by federal agencies fall under different security frameworks (e.g., FISMA, SSDF, etc.) and don’t require FedRAMP authorization. This primarily refers to software that runs “on-premises” in an agency’s own environment rather than in a CSP’s cloud.

    3rd-Party Assessment Organizations (3PAOs)

    3PAOs are independent entities that perform the initial and periodic security assessments for CSPs seeking FedRAMP authorization. To serve in this capacity, these organizations must themselves be accredited by the FedRAMP PMO. A current list of authorized 3PAOs is available on the FedRAMP Marketplace website.

    What are the benefits? Is FedRAMP certification worth it? 

    The decision to pursue FedRAMP certification can be significant for a company. Here are the key benefits and considerations to help determine if it’s worth it:

    Benefits

    Access to Federal Market:

    • Opens up a large market of federal agencies as potential customers. The US government spends billions annually on cloud services.

    Competitive Advantage:

    • Differentiates your company in the marketplace; can be attractive to non-federal customers who value high security standards.

    Improved Security Posture:

    • The rigorous process often leads to overall improvements in a company’s security practices.

    Reusability:

    • Once certified, the authorization can be leveraged across multiple federal agencies.

    Streamlined Compliance:

    • Jump starts progress towards other compliance certifications (e.g., HIPAA, SOC 2) due to overlapping controls.


    Considerations

    Cost:

    • The certification process can be expensive, potentially costing hundreds of thousands to millions of dollars.

    Time Investment:

    • The process is lengthy, often taking 12-18 months or more.

    Ongoing Maintenance:

    • Requires continuous monitoring and regular reassessments.

    Resource Intensive:

    • Demands significant staff time and may require hiring specialized personnel.

    Complexity:

    • The process is rigorous and complex, requiring a deep understanding of security practices.

    Is it worth it?

    Whether FedRAMP certification is worth it depends on:

    • Your target market (how important federal customers are to your business strategy)
    • Available resources (both financial and personnel)
    • Long-term business goals
    • Current security posture (how much work is needed to meet FedRAMP requirements)

    For companies with a strong focus on serving federal agencies or those in industries where security is paramount, the benefits often outweigh the costs. However, for smaller companies or those not targeting federal customers, the investment may not be justified.

    How long does it take to get FedRAMP certified?

    The FedRAMP certification process can be lengthy and complex. While the duration can vary depending on several factors, here’s a general timeline:

    Typical Duration

    • On average, the full FedRAMP certification process takes about 12-18 months.
    • Some organizations may complete it in as little as 6-9 months, while others might take 2 years or more.

    Factors Affecting Timeline

    • Readiness of the Cloud Service Provider (CSP)
    • Complexity of the system
    • Level of security authorization required (Low, Moderate, or High)
    • Chosen authorization path (Agency Authorization or JAB Provisional Authorization)
    • Responsiveness of the CSP to assessment findings
    • Current workload of the reviewing bodies

    Key Phases and Approximate Durations

    • Preparation and Readiness Assessment: 1-3 months
    • Documentation Development: 3-6 months
    • Third-Party Assessment: 2-4 months
    • Agency Review and Authorization: 3-6 months

    Continuous Monitoring (ConMon)

    • After initial authorization, continuous monitoring is ongoing

    Considerations

    It’s important to note that this timeline assumes a relatively smooth process. Delays can occur if:

    • The system has significant security gaps that need addressing
    • Documentation is incomplete or inadequate
    • There are delays in remediation of identified issues
    • The reviewing agency has a backlog

    To expedite the process, CSPs are advised to:

    • Thoroughly prepare before starting the formal process
    • Engage with a FedRAMP consultant or experienced advisor
    • Ensure all documentation is complete and accurate from the start
    • Be responsive to inquiries and quick to address any identified issues

    Remember, while the initial certification is a significant milestone, FedRAMP compliance is an ongoing process requiring continuous monitoring and periodic reassessments.

    What is the cost of achieving FedRAMP ATO? 

    The cost of achieving FedRAMP Authorization to Operate (ATO) can vary significantly depending on several factors. Here’s a breakdown of the typical costs and considerations:

    Overall Cost Range

    • Generally, costs can range from $500,000 to $2 million or more.
    • Some organizations report spending up to $5 million for complex systems or high-impact level authorizations.

    Key Cost Factors

    • Size and complexity of the cloud system
    • Current security posture and how much work is needed to meet FedRAMP requirements
    • Level of authorization sought (Low, Moderate, or High impact)
    • Whether using internal resources or external consultants

    Specific Cost Areas

    • Internal Labor Costs:
      • Often the largest expense, typically ranging from $400,000 to $1 million+
      • Includes time for security team, developers, management, etc.
    • Third-Party Assessment Organization (3PAO) Fees:
      • Usually between $150,000 to $300,000 for initial assessment
      • Ongoing annual assessments can cost $50,000 to $150,000
    • Consulting Fees (if used):
      • Can range from $100,000 to $500,000 or more
      • Helps with readiness, documentation, and guidance through the process
    • Technology and Tools:
      • $50,000 to $200,000 for security tools, monitoring systems, etc.
    • Documentation and Preparation:
      • Can cost $100,000 to $300,000 if outsourced

    Ongoing Costs

    • Annual continuous monitoring and maintenance can cost 30-50% of the initial authorization cost

    Hidden Costs

    • Potential system upgrades or redesigns to meet security requirements
    • Opportunity costs of dedicating resources to FedRAMP instead of other projects

    Cost-Saving Strategies

    • Thorough preparation before starting the formal process
    • Leveraging existing security controls and documentation
    • Using FedRAMP-compliant cloud infrastructure providers, like AWS GovCloud

    It’s important to note that while these costs are significant, they should be weighed against the potential return on investment from accessing the federal market and the overall improvement in security posture.

    Companies considering FedRAMP authorization should conduct a thorough cost-benefit analysis and potentially consult with FedRAMP advisors to get a more accurate estimate based on their specific situation.


    The FedRAMP Certification Process 

    What are the FedRAMP impact levels? 

    FedRAMP categorizes cloud systems into three impact levels based on the potential impact of a security breach. These levels are directly aligned with the Federal Information Processing Standard (FIPS) 199. Here are the three FedRAMP impact levels:

    LI-SaaS

    • Specifically designed for Low Impact Software-as-a-Service (SaaS) applications that process only limited types of data (e.g., no PII beyond username, password and email address)
    • Features streamlined documentation requirements and fewer security controls compared to standard Low baseline
    • Enables faster authorization path for low-risk cloud services

    Low Impact

    • For systems where the loss of confidentiality, integrity, and availability would have a limited adverse effect on an agency’s operations, assets, or individuals.
    • Typically involves publicly available information or non-sensitive data.
    • Requires implementation of the FedRAMP Low baseline security controls.

    Moderate Impact

    • For systems where a loss would have a serious adverse effect on an agency’s operations, assets, or individuals.
    • This is the most common level for federal systems.
    • Covers a wide range of sensitive but unclassified data.
    • Requires implementation of the FedRAMP Moderate baseline security controls.

    High Impact

    • For systems where a loss could have a severe or catastrophic adverse effect on organizational operations, assets, or individuals.
    • Involves highly sensitive information, including certain types of law enforcement and emergency services data, financial data, health records, and other critical assets.
    • Requires implementation of the FedRAMP High baseline security controls, which are the most rigorous.

    Key points

    • The impact levels are cumulative: each higher level incorporates all the controls from the lower levels, plus additional ones.
    • The number of security controls increases significantly with each level (LI-SaaS: at least 37, Low: 125, Moderate: 325, High: 421 controls).
    • Agencies determine the appropriate impact level based on the type of data they plan to store or process in the cloud system.
    • Cloud Service Providers (CSPs) can choose which impact level(s) to pursue certification for, based on their target market and capabilities.

    The impact level determines the depth and breadth of the security assessment, influencing both the cost and time required for FedRAMP authorization. Higher impact levels generally require more extensive security measures and more rigorous assessments.

    What are the FedRAMP requirements for each impact level? 

    The FedRAMP requirements for each impact level are inherited from NIST 800-53, which serves as the authoritative reference for security controls for many federal compliance programs (e.g., SSDF, ATO/cATO, CMMC, etc). 



    Here’s an overview of the requirements for each impact level:

    Low Impact SaaS

    Total Controls: 37 controls (may expand to ~50–60 if the service touches PII, supports mobile apps, etc.)

    Key Requirements:

    Focus area and representative requirements:

    • Access & auth: MFA for privileged accounts and all remote administrative sessions; least-privilege RBAC documented in an ACL matrix
    • Encryption: FIPS 140-2/140-3-compliant encryption in transit (TLS 1.2+ preferred)
    • Audit & monitoring: central log retention (30-day online, 12-month cold storage); monthly vulnerability scans; annual penetration test
    • Incident response (IR) & continuity: IR plan with a 1-business-day reporting window to the FedRAMP PMO; backup plan that meets a 24-hour RPO/RTO
    • Documentation: FedRAMP SSP “lite,” POA&M, and customer-facing SLA with security provisions

    Low Impact

    Total Controls: 125

    Key Requirements: everything in LI-SaaS, plus…

    • Boundary protection (SC-7): basic firewalling/segmentation between CSP internal zones and the FedRAMP-authorized service boundary
    • System hardening (CM-6) using DISA STIGs/CIS benchmarks; configuration drift scans at least quarterly
    • Contingency Planning (CP) with annual tabletop exercise
    • Identification & Authentication (IA) for all users (MFA for privileged, strong passwords for others)
    • Continuous Monitoring strategy aligned to FedRAMP ConMon (monthly scanning, quarterly SAR updates)

    Moderate Impact

    Total Controls: 325

    Key Additional Requirements: all Low requirements, plus key upgrades such as…

    • Encryption at rest for all customer data; keys managed in a FIPS 140-validated module or HSM
    • MFA for every user (privileged and non-privileged) when accessing via the public Internet
    • Vulnerability scanning frequency increased to weekly (internally) and monthly (externally); 72-hr remediation of critical findings
    • Event logging depth increased (full packet/header data, administrator commands, security-relevant API calls); 90-day hot / 12-month cold retention
    • Incident response testing (functional exercise) at least quarterly, with results fed into POA&M
    • Personnel security: Tier 2 background checks; annual security & privacy training refreshers
    • System interconnection agreements (ISA/MOU) required for every external interface
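    The remediation windows above are what ConMon tracks in the POA&M: every open finding carries a deadline derived from its severity, and anything past the deadline is a reportable defect. The following script is an added example (not Anchore’s code or a FedRAMP-issued tool) that applies a window table to a constructed set of scan findings and reports which are overdue. Only the 72-hour critical window comes from the text above; the other windows, the finding IDs and the timestamps are placeholders chosen for illustration.

```python
"""Remediation-window check for open vulnerability findings (added example).

Each finding has a severity and a first-detected time. A policy table maps
severity to a remediation window; a finding is overdue when its deadline has
passed and it is still open. Sample findings below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str            # critical / high / moderate / low
    first_detected: datetime
    remediated: bool = False


# Placeholder policy in hours. Only the critical window (72 h) is taken from
# the Moderate requirements above; the others are illustrative, not official.
WINDOW_HOURS = {"critical": 72, "high": 24 * 30, "moderate": 24 * 90, "low": 24 * 180}


def deadline(f: Finding, windows=WINDOW_HOURS) -> datetime:
    """Remediation deadline for a finding under the given policy."""
    try:
        hours = windows[f.severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity {f.severity!r} for {f.finding_id}")
    return f.first_detected + timedelta(hours=hours)


def overdue_findings(findings, now, windows=WINDOW_HOURS):
    """Open findings whose deadline has passed, earliest deadline first."""
    late = [f for f in findings if not f.remediated and deadline(f, windows) < now]
    return sorted(late, key=lambda f: deadline(f, windows))


def poam_summary(findings, now, windows=WINDOW_HOURS):
    """Per-severity open/overdue counts, the shape of a monthly POA&M roll-up."""
    summary = {}
    for f in findings:
        if f.remediated:
            continue
        entry = summary.setdefault(f.severity.lower(), {"open": 0, "overdue": 0})
        entry["open"] += 1
        if deadline(f, windows) < now:
            entry["overdue"] += 1
    return summary


# Constructed report time and findings (IDs and dates are placeholders).
NOW = datetime(2025, 5, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("FND-001", "critical", NOW - timedelta(hours=80)),   # 8 h past its 72 h window
    Finding("FND-002", "critical", NOW - timedelta(hours=10)),   # still inside the window
    Finding("FND-003", "high", NOW - timedelta(days=45)),        # 15 days past a 30-day window
    Finding("FND-004", "high", NOW - timedelta(days=5), remediated=True),
    Finding("FND-005", "low", NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for f in overdue_findings(SAMPLE, NOW):
        print(f"OVERDUE {f.finding_id} ({f.severity}) due {deadline(f):%Y-%m-%d %H:%M}Z")
    print(poam_summary(SAMPLE, NOW))
```

    Keeping the policy in a single table means the same checker can be pointed at the Low, Moderate or High windows your sponsoring agency agrees to, and the summary function produces the counts that go into the monthly ConMon upload.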

    High Impact

    Total Controls: 421

    Key Additional Requirements: all Moderate controls, plus stricter safeguards, including…

    • Segmentation & isolation down to subnet / VLAN or container namespace; internal traffic inspection (east-west IDS)
    • Hardware-backed crypto controls (FIPS 140-3 Level 3+) for key storage; two-person rule for key operations
    • Near-real-time continuous monitoring: automated event correlation & alerting within 60 minutes; daily manual log review
    • Supply-chain & code-integrity: code-signing, SBOM, tamper-evident build pipeline, and third-party component vetting
    • Advanced vulnerability management: authenticated scans of all hosts daily; web-app scans daily; quarterly red-team exercise
    • Enhanced personnel vetting: Tier 3 (or higher) background investigations; insider-threat and privileged-user monitoring program
    • Physical security comparable to NIST High: mantraps, 24×7 guards, CCTV retention ≥ 90 days
    • Recovery time objectives tightened (e.g., RTO ≤ 8 hours, RPO ≤ 1 hour) and annual operational fail-over test

    Common themes

    Focus area and representative requirements:

    • Multi-factor authentication: always for admins; increasingly for all users as impact rises
    • Encryption: mandatory for data in transit (all levels) and at rest (Moderate/High)
    • Vulnerability management: authenticated scanning, penetration testing, defined remediation windows
    • Configuration & change management (CM): hardened baselines, documented change control, and routine drift detection
    • Audit & monitoring (AU): centralized logging, time sync (NTP), role separation for log review, retention ≥ 12 months
    • Incident response (IR): formal IR plan, 1-hour to 24-hour notification to US-CERT/FedRAMP depending on severity
    • Contingency planning & backups: tested backups, defined RTO/RPO, alternate site or cloud-native replication
    • Personnel & training: background checks, annual security & privacy training, role-based training for admins
    • Documentation & third-party assessment: SSP, SAP, SAR, POA&M, customer-facing system description, and a 3PAO assessment
    • Continuous monitoring (ConMon): ongoing scanning, monthly POA&M updates, annual security control assessment, and real-time defect reporting via FedRAMP’s Dashboard

    It’s important to note that these requirements are regularly updated to address evolving security threats and technologies. CSPs must stay current with the latest FedRAMP requirements and continuously monitor and maintain their systems to ensure ongoing compliance.

    How do I determine my organization’s impact level?

    To determine your organization’s FedRAMP impact level, first understand that the vast majority of cloud service providers end up in the Moderate category—about 80 percent of all FedRAMP Authorizations to Operate (ATOs). Impact levels are assigned according to the risk posed by the federal data your service processes or stores. 

    If you believe your system could qualify for a lower or higher tier, first walk through the NIST FIPS 199 rating process, which FedRAMP inherits for impact categorization. Under FIPS 199, the highest confidentiality-integrity-availability (CIA) rating observed anywhere in your environment sets the bar for the entire system. In practice, handling Controlled Unclassified Information (CUI) or other sensitive personally identifiable information (PII) typically elevates you to at least Moderate.

    Ultimately, the sponsoring agency’s AO (Authorizing Official) has final say, so validate your proposed impact level with them early to avoid rework.
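    The FIPS 199 “high-water mark” rule described above is mechanical enough to script, which is useful when you need to show an AO which information types drive the categorization. The following is an added example (not Anchore’s code or an official FedRAMP tool): it rates each information type for confidentiality, integrity and availability, takes the highest rating per objective as the system’s security category, and takes the highest of those three as the overall impact level. The information types and ratings are constructed for illustration; whether a Low system also qualifies for the tailored LI-SaaS path is a separate decision that this code does not make.

```python
"""FIPS 199 high-water-mark categorization (added example, constructed data).

Each information type the system stores or processes is rated low/moderate/high
for confidentiality, integrity and availability. The system's security category
is the highest rating seen for each objective, and the overall impact level is
the highest of those three (the high-water mark FedRAMP inherits from FIPS 199).
"""
from dataclasses import dataclass
from typing import Iterable

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(rating: str) -> int:
    try:
        return LEVELS[rating.lower()]
    except KeyError:
        raise ValueError(f"rating must be low/moderate/high, got {rating!r}")


def _high_water_mark(ratings: Iterable[str]) -> str:
    ranks = [_rank(r) for r in ratings]
    if not ranks:
        raise ValueError("at least one information type is required")
    return NAMES[max(ranks)]


def security_category(info_types) -> dict:
    """Per-objective high-water mark, e.g. {'confidentiality': 'moderate', ...}."""
    types = list(info_types)
    return {obj: _high_water_mark(getattr(t, obj) for t in types) for obj in OBJECTIVES}


def impact_level(info_types) -> str:
    """Overall impact level: the highest of the three objective ratings."""
    return _high_water_mark(security_category(info_types).values())


def drivers(info_types) -> dict:
    """For each objective, the information types rated at the high-water mark.

    This is the list to show an AO: it explains exactly which data elevates the
    system, and therefore what would have to be removed from the boundary to
    land in a lower tier.
    """
    types = list(info_types)
    category = security_category(types)
    return {
        obj: [t.name for t in types if getattr(t, obj).lower() == category[obj]]
        for obj in OBJECTIVES
    }


# Constructed sample: a SaaS offering that holds public docs, customer PII and
# agency CUI. Ratings are illustrative, not an official categorization.
SAMPLE = [
    InfoType("public product documentation", "low", "low", "low"),
    InfoType("support tickets with customer PII", "moderate", "moderate", "low"),
    InfoType("agency CUI attachments", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    print("security category:", security_category(SAMPLE))
    print("impact level:", impact_level(SAMPLE))
    for obj, names in drivers(SAMPLE).items():
        print(f"  {obj} driven by: {', '.join(names)}")
```

    Because a single objective sets the bar, one information type rated High for availability alone is enough to make the whole system High; the `drivers` output makes that visible before the conversation with the sponsoring agency’s AO.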

    What are the steps to getting FedRAMP certified? 

    The process of obtaining FedRAMP certification involves several key steps. Here’s a high-level overview of the typical path to FedRAMP authorization:



    Step 0: Project Scoping and Business Analysis

    Before formally beginning the FedRAMP authorization process, organizations should engage and prepare all of the initiative stakeholders. FedRAMP is a massive undertaking in the best of circumstances and requires effort from almost every department of an enterprise. Without full alignment there is a non-trivial risk of the initiative failing. Alignment is formed by conducting thorough project scoping and business analysis.

    Tasks

    • Determine the Cloud Service Offering(s) (CSO) in scope
    • Determine categorization of the agency data that will be stored and processed by CSO
    • Determine the impact level you’re targeting (LI-SaaS, Low, Moderate, High)
    • Conduct a gap analysis between your current security posture and FedRAMP requirements
    • Identify a specific agency to sponsor your organization

    Note: The previous JAB Authorization path (aka P-ATO) has been discontinued.

    Step 1: Readiness Assessment (Optional)

    While it is optional, the Readiness Assessment step is a powerful preparatory exercise. If your organization is uncertain about its own gap analysis, engaging an experienced 3PAO is a shortcut to building confidence that later steps and stages will go smoothly.

    Note: This stage is only available to organizations targeting Moderate and High impact levels.

    Tasks

    1. CSP develops a System Security Plan (SSP)
    2. CSP selects an accredited 3PAO from FedRAMP Marketplace to perform assessment
    3. CSP performs security review and Readiness Assessment Report with 3PAO
    4. CSP develops a plan to address any identified security gaps

    FedRAMP Marketplace Status: FedRAMP-Ready



    Step 2: Pre-Authorization

    The pre-authorization step is either the first or second official step of the FedRAMP process, depending on whether your organization opted out of or was disqualified from the Readiness Assessment step. This step is primarily documentation and initial engagement with the FedRAMP PMO and the sponsoring agency.

    Tasks

    1. (If you skipped Step 1) CSP develops a System Security Plan (SSP)
    2. CSP submits a CSP Information Form
    3. CSP completes In Process Request (IPR) and Work Breakdown Structure (WBS) with sponsoring agency
    4. CSP conducts formal FedRAMP Kickoff Meeting with the sponsoring agency, the FedRAMP PMO and the 3PAO (if applicable)

    FedRAMP Marketplace Status: FedRAMP-In Process

    Step 3: Full Security Assessment

    The Authorization stage begins the formal FedRAMP security and compliance process. This step requires a formal security assessment performed by a 3PAO and a formal remediation plan that will be presented to your sponsoring agency in the next step.

    Tasks

    1. 3PAO performs an independent security assessment of the CSO system
    2. 3PAO delivers a Security Assessment Report (SAR) to CSP
    3. CSP develops a Plan of Action and Milestones (POA&M) for remediation

    Step 4: Agency Authorization Process

    The Agency Authorization Process is the final step for a CSP to achieve its initial authority to operate (ATO). This step focuses on making sure that your sponsoring agency is satisfied with your organization’s performance during Step 3 and that the audit evidence collected during the preceding steps meets the FedRAMP PMO’s requirements.

    Tasks

    1. Sponsoring agency reviews CSP’s Security Assessment Plan (SAP)
    2. Agency issues Authority to Operate (ATO) to CSP
    3. CSP submits FedRAMP Authorization Package to FedRAMP PMO

    FedRAMP Marketplace Status: FedRAMP-Authorized

    Step 5: Post Authorization (Continuous Monitoring)

    Achieving FedRAMP ATO is not the end of your compliance journey—it’s merely the starting line. While organizations typically approach FedRAMP authorization as a marathon with a photo finish, the reality is that the DevSecOps movement has transformed US government compliance. Under the name of continuous monitoring (ConMon), the one-time marathon that was FedRAMP compliance has morphed into a never-ending treadmill of security and compliance activities.

    Tasks

    • CSP uploads monthly security documentation
    • Annual 3PAO administered security assessment

    Remember, FedRAMP authorization is a complex and time-consuming process that typically takes 12-18 months or more. Each step may involve multiple sub-steps and iterations. It is a marathon not a sprint—plan accordingly.

    What tools or solutions can help me achieve FedRAMP compliance? 

    Several tools and solutions can assist in achieving and maintaining FedRAMP compliance. Here’s an overview of key categories and some examples:

    Compliance Management Platforms

    • Automated tools to track controls, manage documentation, and monitor compliance
    • Examples: Coalfire FedRAMP Assurance, A-LIGN’s A-SCEND, Schellman Comply

    Security Information and Event Management (SIEM)

    • Centralized logging and security event monitoring
    • Examples: Splunk, Panther, LogRhythm

    Software Supply Chain Vulnerability Scanning and Management



    Configuration Management

    • Ensure systems are configured according to FedRAMP requirements
    • Examples: Chef, Puppet, Ansible

    Identity and Access Management (IAM)

    • Manage user access and implement multi-factor authentication
    • Examples: Okta, Microsoft Azure Active Directory, AWS IAM

    Encryption Tools

    • Protect data at rest and in transit
    • Examples: HashiCorp Vault, AWS Key Management Service

    Continuous Monitoring (ConMon) 

    Document Management Systems

    • Organize and maintain required documentation
    • Examples: Drata, AuditBoard, Archer Insight

    Incident Response and Management

    • Tools to help detect, respond to, and manage security incidents
    • Examples: PagerDuty, ServiceNow Security Operations

    Cloud Access Security Brokers (CASBs)

    • Visibility and control over cloud service usage
    • Examples: Microsoft Defender for Cloud Apps, Cloudflare CASB

    Network Security Tools

    • Firewalls, intrusion detection/prevention systems
    • Examples: Cloudflare, Palo Alto Networks, F5

    Data Loss Prevention (DLP)

    • Prevent unauthorized data exfiltration
    • Examples: Zscaler, Cloudflare DLP

    When selecting tools:

    • Ensure they meet FedRAMP requirements for their respective functions
    • Consider solutions that integrate well with your existing infrastructure
    • Look for tools that can generate reports in FedRAMP-required formats
    • Prioritize solutions that can help automate compliance processes

    Remember, while these tools can significantly aid in achieving and maintaining FedRAMP compliance, they’re not a substitute for a comprehensive security program and expert guidance. Many organizations use a combination of these tools along with consulting services to navigate the FedRAMP process effectively.


    Other FedRAMP FAQs

    What’s the difference between ATO and P-ATO? 

    A P-ATO (Provisional Authority to Operate) is a legacy designation for the JAB Authorization path that was discontinued in 2024.

    Have there been any changes to FedRAMP?

    Yes, FedRAMP has undergone several changes and updates since its inception in 2011. Here are the most significant changes and ongoing initiatives:

    Theme and details:

    • Baseline Alignment & Modernization: FedRAMP adopted each new revision of NIST SP 800-53 (Rev 3 → Rev 4 → Rev 5) and folded in newer privacy, crypto (FIPS 140-3), and zero-trust logging requirements as they appeared, keeping the control set current with technology and threats.
    • Speed & Scalability: What began as year-long, paperwork-heavy authorizations gained time-cutting programs—FedRAMP Accelerated (2016), the light-weight Tailored LI-SaaS path (2017), and now the automation-centric FedRAMP 20x initiative (2025)—all aimed at shrinking cost and cycle time.
    • Automation & Machine-Readable Packages: Starting with OSCAL templates in 2020, FedRAMP has pushed for machine-readable SSPs, scans, and POA&Ms. The FedRAMP 20x roadmap makes “automation-first” processing the default, enabling continuous assurance rather than annual re-assessment.
    • Risk-Based, Threat-Informed Focus: Guidance shifted from compliance-checkbox reviews to threat-based prioritization (2021 white paper, 2022 update), letting agencies weight controls by real-world adversary tactics and system mission criticality.
    • Institutionalization & Legal Authority: An OMB memo program in 2011 became permanent law via the FedRAMP Authorization Act (Dec 2022), creating an advisory committee and a “presumption of adequacy” for reused authorizations—cementing FedRAMP’s role in federal cloud procurement.

    FedRAMP has continuously tightened technical baselines, codified itself in law, and layered in automation and risk-driven methods—all to authorize secure cloud services faster while staying aligned with an evolving threat landscape. As FedRAMP continues to evolve, cloud service providers and federal agencies should stay informed about the latest updates and requirements.

    Next Steps

    FedRAMP is an exhaustive topic, as evidenced by the length of this article. The important thing to remember when beginning the journey to FedRAMP compliance is that it is a journey: this is a process that takes time. If you’re looking for shortcuts to get to the punchline as quickly as possible, be sure to read our case study on how Cisco Umbrella utilized Anchore Enterprise to achieve FedRAMP compliance in weeks versus months, or reach out to our team directly and we can walk you through how we can help your organization achieve similar results.
