Clear Answers to the Compliance Questions Everyone is Asking
The Federal Risk and Authorization Management Program (FedRAMP®) is the U.S. government’s standardized process for assessing the security of cloud products and services. If your system will store, process, or transmit federal government data, it must meet FedRAMP requirements. No agency can use your cloud service without it.
FedRAMP ensures that cloud providers meet consistent, rigorous government security standards. It’s not optional. If you’re a cloud-based startup looking to work with U.S. government customers, FedRAMP compliance is a prerequisite.
Rather than apply a one-size-fits-all model, FedRAMP defines three security baselines — Low, Moderate, and High — based on how sensitive the data is and how disruptive a breach would be. Most cloud-based products align with the Moderate baseline, but the right fit depends on your product’s role in your customer’s mission.
Whether you’re building something new or adapting an existing platform, understanding FedRAMP early can save time, reduce cost, and prevent strategic rework.
tl;dr - If you want your cloud product to serve the federal market, FedRAMP is the gate.
The Federal Risk and Authorization Management Program (FedRAMP®) defines three security baselines—Low, Moderate, and High—based on how sensitive a system’s data is and how disruptive it would be if the system were compromised.
Each baseline includes a specific set of security and privacy controls from the National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5. NIST 800-53 is the U.S. government’s authoritative catalog of security and privacy controls, and it is the yardstick against which the security posture of cloud systems is evaluated.
Here’s how the FedRAMP baselines compare:
FedRAMP Low: 156 controls
FedRAMP Moderate: 323 controls
FedRAMP High: 410 controls
FedRAMP uses the Federal Information Processing Standards (FIPS) Publication 199 to determine which baseline a system must meet. FIPS 199 assesses impact levels across three key areas: confidentiality, integrity, and availability.
If you don’t feel like reading FIPS 199, you can get a general sense of what security baseline most likely applies to your cloud service offering by answering three core questions:
1. What happens if your system goes down? (availability)
Low: Minor inconvenience—users can wait or find workarounds
Moderate: Significant disruption—operations are impaired, but the organization can still function
High: Mission-critical failure—the organization cannot perform essential functions, or safety could be affected
2. What’s the impact if sensitive data is leaked? (confidentiality)
Low: Limited harm—some embarrassment, minor financial loss, or exposure of routine information
Moderate: Serious consequences—financial loss, competitive harm, or privacy violations
High: Severe damage—reputational fallout, legal exposure, or risk to public safety
3. What if someone maliciously alters your data? (integrity)
Low: Minor impact—issues are easily detected and corrected
Moderate: Significant problems—business decisions are affected, or regulatory issues arise
High: Severe consequences—mission failure, safety risks, or major financial loss
FIPS 199 uses the “high-water mark” method. That means your overall baseline is determined by the highest impact level across confidentiality, integrity, and availability. If even one area is rated High, your system must meet the FedRAMP High baseline.
Choosing the correct FedRAMP baseline early is critical. It helps you scope the right level of effort, estimate timelines more accurately, and avoid costly rework later.
If your company wants to sell cloud products or services to the U.S. government, achieving FedRAMP authorization is non-negotiable. But before you get there, you might want to consider an optional—but strategic—step: FedRAMP Ready.
FedRAMP Ready is not a full authorization. Instead, it’s a formal recognition that your system has the foundational elements in place to begin the FedRAMP authorization process. Think of it as a public signal that you're serious about compliance and prepared to move forward.
This designation gets your product listed in the FedRAMP Marketplace as “FedRAMP Ready,” increasing your visibility to agency customers searching for compliant or near-compliant cloud solutions, and to investors and partners looking for opportunities in GovTech.
To earn the FedRAMP Ready designation, your system must undergo an evaluation by a Third Party Assessment Organization (3PAO). The 3PAO assesses your implementation against a specific subset of FedRAMP security controls, defined by the government in the Readiness Assessment Report (RAR).
The RAR is only required for Moderate and High baselines — FedRAMP Low does not require it.
The RAR covers core technical capabilities, such as data encryption, boundary protection, identity and access controls, and multi-tenancy risk management.
The 3PAO submits an attestation to FedRAMP indicating whether your system is technically ready to proceed with a full security authorization package.
If approved, your product receives the FedRAMP Ready status and is listed on the FedRAMP Marketplace for 12 months. If you don’t progress to “FedRAMP In Process” or “FedRAMP Authorized” during that time, the designation will expire.
The cost of a FedRAMP Readiness Assessment from a 3PAO can easily exceed $30,000. And if your system isn’t prepared, you’ll likely spend more on technical rework or consulting to fill the gaps.
That’s why we recommend reviewing the RAR requirements internally before engaging a 3PAO. Identify gaps, address them proactively, and save time and money during the formal evaluation.
To help startups and small teams prepare, NYLE offers a completely free FedRAMP Moderate Readiness Assessment. Just answer 14 short questions and you’ll receive a personalized email report showing where you stand.
This isn’t a replacement for a 3PAO evaluation, but it’s a zero-cost first step to understanding what’s ahead and where to focus your efforts.
If you're aiming to sell your tech to the federal government, achieving FedRAMP In Process status is a critical milestone that shows your product or service is actively working through the complete FedRAMP authorization pipeline.
It means you've committed to submitting a complete authorization package, you're working with a Third Party Assessment Organization (3PAO), and you're partnered with a federal government agency that will "sponsor" you to get it done.
Some organizations first pursue FedRAMP Ready as a way to show intent and gain early visibility. Others move directly into the In Process phase once they've secured an agency sponsor that agrees to evaluate their system and, if the assessment succeeds, issue an Authority to Operate (ATO). Either way, this is where the hardest work begins.
Your system will be evaluated against the complete set of required FedRAMP security controls for your selected baseline—Low, Moderate, or High. Your team will need to fully implement and document:
156 controls for FedRAMP Low
323 controls for FedRAMP Moderate
410 controls for FedRAMP High
The 3PAO will assess your implementation and gather evidence to support your authorization package—including your System Security Plan (SSP), security scanning and penetration test results, and risk analysis documentation.
You'll also need to coordinate closely with your federal agency sponsor to address any findings, manage timelines, and finalize deliverables. This partnership is essential throughout the FedRAMP In Process phase.
To gain official FedRAMP In Process designation, your sponsoring agency submits an In Process Request (IPR) letter to the FedRAMP Board formally confirming their partnership with your organization for initial FedRAMP Authorization. They also submit a Work Breakdown Structure (WBS) outlining project timelines. Submission of the IPR and WBS is what triggers your listing as "FedRAMP In Process" on the FedRAMP Marketplace, and officially initiates the authorization process.
There's no fixed time limit for how long you can be in the FedRAMP In Process phase, but timelines must be agreed upon between you and your government sponsoring agency.
FedRAMP In Process demonstrates serious commitment to federal compliance and differentiates you from competitors still in the FedRAMP Ready phase.
FedRAMP Authorized is the final designation in the FedRAMP process. It means your cloud service has passed the complete security assessment, received an Authority to Operate (ATO) from a federal agency, and is now formally approved for use by the U.S. government.
Reaching this milestone requires implementing and documenting all required FedRAMP security controls for your baseline:
156 controls for FedRAMP Low
323 controls for FedRAMP Moderate
410 controls for FedRAMP High
You'll also complete extensive vulnerability scans, penetration testing, and evidence reviews while producing hundreds of pages of comprehensive documentation.
The ATO package you submit includes all required documents:
System Security Plan (SSP)
Information Security Policies and Procedures
System User Guide
Digital Identity Worksheet
Privacy Threshold Analysis (PTA)
Privacy Impact Assessment (PIA)
Rules of Behavior (RoB) for the System
Information System Contingency Plan (ISCP)
Configuration Management Plan (CMP)
Incident Response Plan (IRP)
Control Implementation Summary (CIS) Workbook
Federal Information Processing Standard (FIPS) 199
Separation of Duties Matrix
Laws and Regulations
Integrated Inventory Workbook
Plan of Action and Milestones (POA&M)
Continuous Monitoring Strategy
These documents demonstrate that your security posture meets federal standards.
Your system and complete package undergo rigorous review, testing, and validation by a Third Party Assessment Organization (3PAO). The 3PAO produces a comprehensive Security Assessment Report that determines whether you meet FedRAMP standards for your baseline. After review and acceptance, your federal agency sponsor issues an ATO letter formally attesting that you've met all FedRAMP requirements and are authorized for government use.
FedRAMP Authorization isn't a one-time achievement. You must maintain it through continuous monitoring, including monthly vulnerability scans, regular security assessments, and ongoing compliance reporting. If your system falls out of compliance or you stop meeting monitoring requirements, your authorization can be revoked and your listing removed from the FedRAMP Marketplace.
The significant benefit is that once you achieve and maintain your FedRAMP Authorized status, your authorization is reusable across all federal agencies. As long as you maintain your security posture, meet continuous monitoring requirements, and conduct regular system assessments, your authorization remains valid for government-wide use, opening doors to substantial federal contracting opportunities.
The Access Control (AC) family ensures that only authorized people can access your systems and data. It covers managing user accounts, enforcing the principle of least privilege, and monitoring who has access. These controls are your first line of defense against both external attackers and insider threats by making sure the right people have the right level of access at the right time.
Security controls are written in a way that's unnecessarily complex and difficult to understand. We took the time to simplify the FedRAMP Moderate security controls so you don't have to. Here's a straightforward list of everything you need to do to implement the AC family:
Access Control Family Implementation Checklist
Policy and Documentation (AC-1)
Develop and document an access control policy at the organization, mission/business process, and/or system level
Create procedures for implementing access control policy and controls
Designate an official to manage access control policy and procedures
Review and update policy at least every 3 years and after significant events
Review and update procedures at least annually and after significant changes
Disseminate policy and procedures to relevant personnel
Account Management (AC-2)
Define and document allowed and prohibited account types
Assign account managers for all systems
Establish prerequisites and criteria for group and role membership
Document authorized users, group/role memberships, and access privileges
Require approvals for account creation requests
Implement processes to create, enable, modify, disable, and remove accounts
Monitor account usage continuously
Notify account managers within 24 hours when accounts are no longer needed
Notify relevant personnel within 8 hours when users are terminated or transferred
Notify relevant personnel within 8 hours when user access needs change
Review accounts for compliance at least annually
Establish a process for changing shared/group account authenticators when members are removed
Align account management with personnel termination/transfer processes
Account Management Enhancements
AC-2(1): Implement automated system account management tools
AC-2(2): Automatically disable temporary and emergency accounts after 30 days from last use
AC-2(3): Disable expired, unassociated, policy-violating accounts within 24 hours; inactive accounts within 90 days
AC-2(4): Automatically audit all account creation, modification, enabling, disabling, and removal actions
AC-2(5): Require users to log out after defined periods of inactivity
AC-2(7): Establish privileged accounts using role-based or attribute-based access schemes
AC-2(7): Monitor privileged role assignments and changes
AC-2(7): Revoke access when privileged assignments are no longer appropriate
AC-2(9): Only allow shared/group accounts with documented business justification
AC-2(12): Monitor accounts for atypical usage patterns
AC-2(12): Report atypical usage to ISSO and similar security roles
AC-2(13): Disable high-risk individual accounts within 1 hour of risk discovery
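The AC-2(2) and AC-2(3) items above are the ones most often found unmet at assessment time, because the 30-day, 90-day and 24-hour clocks are only enforceable if something actually runs them against the account inventory. As an added example (not code from this article, and not from FedRAMP or NIST), the following turns those timeframes into a repeatable review over an exported account list. The record fields (account_type, created, last_use, expires, sponsor) are assumed names for whatever your identity provider exports, and the sample accounts are constructed.

```python
"""Account-review check for the AC-2(2) / AC-2(3) timeframes in the checklist.

Added example, not code from the original article or from FedRAMP/NIST. The
account records below are constructed sample data, and the record fields
(account_type, created, last_use, expires, sponsor) are assumed names for
whatever an identity provider's export actually contains.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Timeframes taken from the AC-2 enhancements for the Moderate baseline.
TEMP_EMERGENCY_MAX_IDLE = timedelta(days=30)   # AC-2(2): temporary/emergency accounts
USER_MAX_IDLE = timedelta(days=90)             # AC-2(3): inactive user accounts
DISABLE_WINDOW = timedelta(hours=24)           # AC-2(3): expired/unassociated accounts


@dataclass
class Account:
    name: str
    account_type: str             # "user", "temporary", "emergency" or "service"
    enabled: bool
    created: datetime
    sponsor: Optional[str]        # responsible individual; None means unassociated
    last_use: Optional[datetime] = None   # None means never used since creation
    expires: Optional[datetime] = None    # None means no expiry set


@dataclass
class Finding:
    name: str
    control: str
    reason: str


def review_accounts(accounts: List[Account], now: datetime) -> List[Finding]:
    """Flag enabled accounts that AC-2(2)/AC-2(3) say must be disabled.

    Disabled accounts are skipped; an account can produce more than one
    finding (for example, expired and also inactive). A never-used account
    is measured from its creation date, so dormant onboarding accounts
    are caught too."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        idle = now - (acct.last_use or acct.created)

        if acct.expires is not None and acct.expires <= now:
            findings.append(Finding(acct.name, "AC-2(3)",
                f"expired {now - acct.expires} ago; disable within {DISABLE_WINDOW}"))
        if acct.sponsor is None:
            findings.append(Finding(acct.name, "AC-2(3)",
                f"not associated with any individual; disable within {DISABLE_WINDOW}"))
        if acct.account_type in ("temporary", "emergency") and idle > TEMP_EMERGENCY_MAX_IDLE:
            findings.append(Finding(acct.name, "AC-2(2)",
                f"{acct.account_type} account idle {idle.days} days "
                f"(limit {TEMP_EMERGENCY_MAX_IDLE.days})"))
        if acct.account_type == "user" and idle > USER_MAX_IDLE:
            findings.append(Finding(acct.name, "AC-2(3)",
                f"user account idle {idle.days} days (limit {USER_MAX_IDLE.days})"))
    return findings


# Constructed sample inventory; "now" is pinned so the run is repeatable.
NOW = datetime(2025, 1, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", "user", True, NOW - timedelta(days=400), "alice",
            last_use=NOW - timedelta(days=3)),
    Account("bob", "user", True, NOW - timedelta(days=400), "bob",
            last_use=NOW - timedelta(days=120)),
    Account("break-glass-01", "emergency", True, NOW - timedelta(days=60), "ops-lead",
            last_use=NOW - timedelta(days=45)),
    Account("contractor-07", "user", True, NOW - timedelta(days=200), "pm",
            last_use=NOW - timedelta(days=2), expires=NOW - timedelta(days=1)),
    Account("svc-legacy-export", "service", True, NOW - timedelta(days=900), None,
            last_use=NOW - timedelta(days=1)),
    Account("carol", "user", False, NOW - timedelta(days=800), "carol",
            last_use=NOW - timedelta(days=500)),
    Account("dave", "user", True, NOW - timedelta(days=100), "dave"),  # never used
]

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{f.name:20} {f.control:8} {f.reason}")
```

Running this daily and feeding the findings into the same ticketing flow you use for AC-2 notifications gives the 3PAO the evidence trail that the timeframes are enforced rather than merely written down; the already-disabled "carol" record shows why the review must filter on enabled state, or it will re-report accounts that were handled correctly.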
Access Control Enforcement (AC-3, AC-4, AC-5, AC-6)
AC-3: Enforce approved authorizations for logical access to information and system resources
AC-4: Control information flow within and between systems per organizational policies
AC-5: Identify duties requiring separation and define supporting access authorizations
AC-6: Implement least privilege principle for all users and processes
Least Privilege Enhancements
AC-6(1): Authorize specific individuals/roles for security function access
AC-6(2): Require users with security function access to use non-privileged accounts for non-security tasks
AC-6(5): Restrict privileged accounts to designated personnel/roles only
AC-6(7): Review all user privileges at least annually and adjust as needed
AC-6(9): Log execution of all privileged functions
AC-6(10): Prevent non-privileged users from executing privileged functions
Session Controls (AC-7, AC-8, AC-11, AC-12)
AC-7: Limit invalid logon attempts to maximum 3 consecutive attempts within 15 minutes
AC-7: Lock accounts/nodes for minimum 30 minutes or until administrator unlocks after exceeded attempts
AC-8: Display system use notification banner before granting access
AC-8: Require user acknowledgment of usage conditions before system access
AC-8: Configure appropriate notifications for publicly accessible systems
AC-11: Initiate device lock after 15 minutes of inactivity
AC-11: Require users to initiate device lock when leaving system unattended
AC-11(1): Conceal information on locked displays with publicly viewable images
AC-12: Automatically terminate user sessions based on defined conditions/events
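The AC-7 thresholds above are simple to state and easy to get wrong in an implementation: a plain failure counter that never ages out, or a lock that a correct password can bypass, both fail the control as written. This added example (not code from this article, FedRAMP or NIST) models the policy exactly as listed: no more than 3 consecutive invalid logon attempts within a 15-minute window, then a lock of at least 30 minutes or until an administrator unlocks the account. The LockoutPolicy class and its method names are assumptions; timestamps are passed in explicitly so the behaviour can be checked without a real clock.

```python
"""Sliding-window logon lockout modelling the AC-7 parameters in the checklist.

Added example, not code from the original article or from FedRAMP/NIST.
LockoutPolicy and its method names are assumed; timestamps are passed in
explicitly so the behaviour can be reasoned about without a clock.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List


class LockoutPolicy:
    """AC-7: at most max_attempts consecutive invalid logons within window,
    then lock the account for lock_duration or until an administrator unlocks it."""

    def __init__(self, max_attempts: int = 3,
                 window: timedelta = timedelta(minutes=15),
                 lock_duration: timedelta = timedelta(minutes=30)):
        self.max_attempts = max_attempts
        self.window = window
        self.lock_duration = lock_duration
        self._failures: Dict[str, List[datetime]] = defaultdict(list)
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register an invalid logon attempt. Returns True if the account is
        locked after this attempt (including attempts made while already locked)."""
        if self.is_locked(user, now):
            return True
        # Drop failures older than the window so only consecutive recent
        # attempts count, which is what "within 15 minutes" requires.
        recent = [t for t in self._failures[user] if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.lock_duration
            self._failures[user] = []          # counter restarts after the lock
            return True
        return False

    def record_success(self, user: str, now: datetime) -> bool:
        """Register a logon with valid credentials. Returns False (logon refused)
        while the lock is in force; otherwise clears the failure history."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)
        return True

    def admin_unlock(self, user: str) -> None:
        """Administrator override permitted by AC-7. This is a privileged
        function and should be written to the audit log (AC-6(9))."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


# Pinned reference time for the walkthrough below (constructed, not real data).
T0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes: float) -> datetime:
    """Helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


def walkthrough() -> List[str]:
    """Drive the policy through the cases an assessor would probe and return
    a readable trace of what happened."""
    policy = LockoutPolicy()
    trace = []
    for m in (0, 5, 10):                        # three failures inside 15 minutes
        locked = policy.record_failure("alice", at(m))
        trace.append(f"t+{m:>2}m failure -> locked={locked}")
    trace.append(f"t+20m valid password accepted={policy.record_success('alice', at(20))}")
    trace.append(f"t+40m still locked={policy.is_locked('alice', at(40))}")
    trace.append(f"t+41m valid password accepted={policy.record_success('alice', at(41))}")
    for m in (0, 8, 16):                        # failures too far apart to lock
        locked = policy.record_failure("bob", at(m))
        trace.append(f"bob t+{m:>2}m failure -> locked={locked}")
    return trace


if __name__ == "__main__":
    print("\n".join(walkthrough()))
```

Two details matter for the assessment: the lock is checked before credentials are evaluated, so a valid password during the 30-minute window is refused (not silently accepted), and the window is sliding, so the "bob" sequence with failures at 0, 8 and 16 minutes never locks because the first failure has aged out by the third. Every lock and unlock event should also be logged to satisfy the AC-2(4) auditing item earlier in the checklist.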
Remote and Wireless Access (AC-14, AC-17, AC-18)
AC-14: Identify and document actions allowed without authentication
AC-14: Provide rationale in security plan for unauthenticated actions
AC-17: Document usage restrictions and requirements for each remote access type
AC-17: Authorize each remote access type before allowing connections
AC-17(1): Use automated mechanisms to monitor and control remote access
AC-17(2): Implement cryptographic protection for remote access sessions
AC-17(3): Route remote access through authorized network access control points
AC-17(4): Restrict privileged remote access and document rationale in security plan
AC-18: Establish requirements and guidance for each wireless access type
AC-18: Authorize wireless access types before allowing connections
AC-18(1): Implement authentication and encryption for wireless access
AC-18(3): Disable unused wireless networking capabilities before deployment
Mobile Device Management (AC-19)
AC-19: Establish configuration and connection requirements for mobile devices
AC-19: Define implementation guidance for mobile devices outside controlled areas
AC-19: Authorize mobile device connections to organizational systems
AC-19(5): Implement full-device or container-based encryption on mobile devices
External System Controls (AC-20, AC-21, AC-22)
AC-20: Establish terms/conditions or identify required controls for external systems
AC-20: Allow authorized access from external systems per established trust relationships
AC-20: Prohibit use of unauthorized external system types
AC-20(1): Verify external system controls or maintain connection agreements
AC-20(2): Restrict use of organization-controlled portable storage on external systems
AC-21: Enable users to verify sharing partner access authorizations match information restrictions
AC-21: Implement mechanisms to assist with information sharing decisions
AC-22: Designate individuals authorized to make information publicly accessible
AC-22: Train authorized individuals on protecting nonpublic information
AC-22: Review content before posting to publicly accessible systems
AC-22: Review publicly accessible content at least quarterly and remove nonpublic information
The Awareness and Training (AT) family ensures that all personnel understand their security and privacy responsibilities through regular education and training programs. It covers general security awareness training for all users, specialized role-based training for personnel with security responsibilities, and maintaining records of all training activities. These controls are essential for creating a security-conscious culture and reducing human error, which is one of the leading causes of security incidents.
Security controls are written in a way that's unnecessarily complex and difficult to understand. We took the time to simplify the FedRAMP Moderate security controls so you don't have to. Here's a straightforward list of everything you need to do to implement the AT family:
Awareness & Training Control Family Implementation Checklist
Policy and Documentation (AT-1)
Develop and document an awareness and training policy at the organization, mission/business process, and/or system level
Create procedures for implementing awareness and training policy and controls
Designate an official to manage awareness and training policy and procedures
Review and update policy at least every 3 years and after organization-defined events
Review and update procedures at least annually and after significant changes
Disseminate policy and procedures to relevant personnel
Security and Privacy Literacy Training (AT-2)
Provide security and privacy literacy training to all system users (including managers, senior executives, and contractors)
Deliver initial training to all new users before granting system access
Conduct literacy training at least annually for all users
Provide training when required by system changes
Provide training following organization-defined significant events
Implement organization-defined awareness techniques to increase security and privacy awareness
Update literacy training and awareness content at least annually
Update training content following organization-defined events
Incorporate lessons learned from internal or external security incidents into training
Incorporate lessons learned from security breaches into awareness techniques
Literacy Training Enhancements
AT-2(2): Provide training on recognizing potential indicators of insider threats
AT-2(2): Provide training on reporting potential indicators of insider threats
AT-2(3): Provide training on recognizing social engineering attempts
AT-2(3): Provide training on recognizing social mining attempts
AT-2(3): Provide training on reporting social engineering and social mining incidents
Role-Based Security and Privacy Training (AT-3)
Identify all roles and responsibilities requiring specialized security training
Develop role-based training content for each identified role
Provide role-based training before authorizing access to systems or information
Provide role-based training before personnel perform assigned duties
Conduct role-based training at least annually for all personnel with defined roles
Provide additional training when required by system changes
Update role-based training content at least annually
Update role-based training following organization-defined events
Incorporate lessons learned from security incidents into role-based training
Incorporate lessons learned from security breaches into role-based training
Training Records (AT-4)
Document all information security training activities
Document all privacy training activities
Document security and privacy awareness training completion
Document role-based security and privacy training completion
Monitor training activities to ensure compliance
Retain individual training records for at least one (1) year after training completion
Establish a system for tracking training completion and currency
Maintain records accessible for audit and compliance verification
Key Timeframes to Remember
Policy reviews: Every 3 years minimum
Procedure reviews: Annually minimum
Literacy training: Annually for all users
Role-based training: Annually for all personnel with security roles
Content updates: Annually minimum
Training record retention: At least 1 year after completion
We post new updates here regularly to help you navigate compliance hurdles.