Safeguard
Compliance

The FedRAMP Authorization Guide: Paths, Baselines, and Continuous Monitoring

FedRAMP is how cloud products earn the right to sell to U.S. federal agencies. Here's how the authorization paths work, what the NIST 800-53 baselines require, and where your software supply chain gets scrutinized.

Priya Mehta
Compliance Analyst
6 min read

FedRAMP — the Federal Risk and Authorization Management Program — is the gate a cloud product must pass to be sold to U.S. federal agencies. It standardizes how cloud services are security-assessed, authorized, and continuously monitored, so that one rigorous assessment can be reused across agencies instead of each buyer running its own. For a SaaS company, achieving FedRAMP authorization is a major undertaking, and much of the work lands on engineering. This guide walks through the paths, the baselines, and the ongoing obligations.

What FedRAMP is

FedRAMP was established in 2011 by OMB policy and later codified in law through the FedRAMP Authorization Act, part of the FY2023 National Defense Authorization Act. It is built on NIST Special Publication 800-53, the federal catalog of security and privacy controls (currently Revision 5), and it uses FIPS 199 to classify a system's impact level.

Those impact levels determine how many controls apply:

  • Low impact — roughly 150-plus controls; there is also a tailored baseline (Li-SaaS) for low-risk software-as-a-service.
  • Moderate impact — the most common baseline, with a few hundred controls; the great majority of federal SaaS lands here.
  • High impact — for the most sensitive unclassified systems, with the largest control set.

Control counts shift with each NIST revision, so treat these figures as approximate and confirm against the current baselines.

Who is affected and the authorization paths

Any cloud service provider (CSP) that wants to host federal data needs an authorization. Historically there were two routes: an agency Authorization to Operate (ATO), sponsored by a specific agency that reviews the package and issues the authorization; and a provisional authorization issued by the Joint Authorization Board (JAB).

This landscape is actively changing. The FedRAMP Authorization Act replaced the JAB with a FedRAMP Board, and in 2025 GSA launched a modernization effort (branded "FedRAMP 20x") aimed at automating evidence collection and shortening the authorization timeline. Because these reforms are still rolling out, treat the exact process and governance structure as evolving and confirm the current model with GSA before planning your program.

Whichever path applies, an accredited Third Party Assessment Organization (3PAO) performs the independent security assessment. The typical sequence is: a readiness assessment (documented in a Readiness Assessment Report), then a full assessment producing a Security Assessment Plan, a System Security Plan, a Security Assessment Report, and a Plan of Action and Milestones (POA&M), followed by the authorization decision.

Software and supply-chain obligations

FedRAMP is where supply chain security stops being optional. NIST SP 800-53 Revision 5 added a dedicated Supply Chain Risk Management (SR) control family, and several other controls bear directly on software:

  • RA-5 (Vulnerability Monitoring and Scanning): scan for vulnerabilities on a defined cadence and when new ones are identified. FedRAMP requires monthly scanning of operating systems, web applications, and databases as part of continuous monitoring.
  • SI-2 (Flaw Remediation): correct identified flaws within defined timeframes. FedRAMP's standard remediation windows are 30 days for high-severity findings, 90 days for moderate, and 180 days for low.
  • SA-11 and SA-15 (Developer Testing and Development Process): require security testing and a documented, secure development process from the CSP.
  • SR family: provenance, component authenticity, and supplier risk management for the components you ship.

Executive Order 14028 pushed software bills of materials into this conversation, and federal buyers increasingly expect SBOMs as part of supply chain evidence. In practice, meeting RA-5 and SI-2 across a real dependency tree — every month, with tracked remediation — is impossible without an accurate component inventory.

Compliance checklist

StepWhat it involves
Categorize impactApply FIPS 199 to set Low, Moderate, or High
Select the baselineAdopt the matching NIST SP 800-53 control set
Document the SSPDescribe how each control is implemented
Engage a 3PAOComplete readiness then full assessment
Track the POA&MManage open findings to closure
Scan monthlyMeet RA-5 across OS, web, and database layers
Remediate on SLAClose findings within 30/90/180-day windows
Inventory componentsMaintain SBOMs for supply-chain evidence
Sustain ConMonDeliver monthly deliverables and an annual assessment

How Safeguard helps

Safeguard supports the software and supply-chain controls that dominate FedRAMP continuous monitoring. SBOM Studio maintains a live component inventory that feeds the SR-family evidence and SBOM expectations federal buyers now look for. Software composition analysis delivers the recurring vulnerability scanning behind RA-5 and produces the tracked findings and timestamps you need to demonstrate SI-2 remediation within the 30/90/180-day windows.

Griffin AI prioritizes those findings by reachability, so your POA&M reflects genuine exposure rather than an undifferentiated scan dump — which keeps monthly continuous-monitoring reporting honest and manageable. Our compliance pages map these capabilities to specific NIST SP 800-53 controls, so your assessors can trace each piece of evidence to the requirement it satisfies.

FedRAMP authorization is a marathon, and continuous monitoring never ends. Automating the component-inventory and vulnerability-management portions is how teams keep the monthly cadence sustainable long after the initial ATO.

Frequently Asked Questions

What is the difference between an agency ATO and the board path? An agency ATO is sponsored by a specific federal agency that reviews your package and authorizes it for its own use, after which other agencies can reuse the package. The board path (historically the JAB, now the FedRAMP Board) issues a broader provisional authorization. Because the governance model is being modernized, confirm the current options with GSA.

Which impact level do most SaaS products need? Moderate is the most common baseline, covering the majority of federal SaaS that handles controlled unclassified information. Low impact and the tailored Li-SaaS baseline apply to lower-risk services, while High is reserved for the most sensitive unclassified systems.

How often do we have to scan and remediate? FedRAMP continuous monitoring requires monthly vulnerability scanning of operating systems, web applications, and databases under RA-5. The standard SI-2 remediation windows are 30 days for high-severity findings, 90 days for moderate, and 180 days for low.

Do we need an SBOM for FedRAMP? NIST SP 800-53 Revision 5 added a Supply Chain Risk Management control family, and Executive Order 14028 drove federal expectations toward SBOMs. Even where not called out as a single line item, a current component inventory is the practical foundation for meeting the scanning, remediation, and supply-chain controls.

Ready to automate the supply-chain half of your FedRAMP program? Create a free account or read the Safeguard documentation to connect your first repository.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.