FedRAMP — the Federal Risk and Authorization Management Program — is the gate a cloud product must pass to be sold to U.S. federal agencies. It standardizes how cloud services are security-assessed, authorized, and continuously monitored, so that one rigorous assessment can be reused across agencies instead of each buyer running its own. For a SaaS company, achieving FedRAMP authorization is a major undertaking, and much of the work lands on engineering. This guide walks through the paths, the baselines, and the ongoing obligations.
What FedRAMP is
FedRAMP was established in 2011 by OMB policy and later codified in law through the FedRAMP Authorization Act, part of the FY2023 National Defense Authorization Act. It is built on NIST Special Publication 800-53, the federal catalog of security and privacy controls (currently Revision 5), and it uses FIPS 199 to classify a system's impact level.
Those impact levels determine how many controls apply:
- Low impact — roughly 150-plus controls; there is also a tailored baseline (Li-SaaS) for low-risk software-as-a-service.
- Moderate impact — the most common baseline, with a few hundred controls; the great majority of federal SaaS lands here.
- High impact — for the most sensitive unclassified systems, with the largest control set.
Control counts shift with each NIST revision, so treat these figures as approximate and confirm against the current baselines.
Who is affected and the authorization paths
Any cloud service provider (CSP) that wants to host federal data needs an authorization. Historically there were two routes: an agency Authorization to Operate (ATO), sponsored by a specific agency that reviews the package and issues the authorization; and a provisional authorization issued by the Joint Authorization Board (JAB).
This landscape is actively changing. The FedRAMP Authorization Act replaced the JAB with a FedRAMP Board, and in 2025 GSA launched a modernization effort (branded "FedRAMP 20x") aimed at automating evidence collection and shortening the authorization timeline. Because these reforms are still rolling out, treat the exact process and governance structure as evolving and confirm the current model with GSA before planning your program.
Whichever path applies, an accredited Third Party Assessment Organization (3PAO) performs the independent security assessment. The typical sequence is: a readiness assessment (documented in a Readiness Assessment Report), then a full assessment producing a Security Assessment Plan, a System Security Plan, a Security Assessment Report, and a Plan of Action and Milestones (POA&M), followed by the authorization decision.
Software and supply-chain obligations
FedRAMP is where supply chain security stops being optional. NIST SP 800-53 Revision 5 added a dedicated Supply Chain Risk Management (SR) control family, and several other controls bear directly on software:
- RA-5 (Vulnerability Monitoring and Scanning): scan for vulnerabilities on a defined cadence and when new ones are identified. FedRAMP requires monthly scanning of operating systems, web applications, and databases as part of continuous monitoring.
- SI-2 (Flaw Remediation): correct identified flaws within defined timeframes. FedRAMP's standard remediation windows are 30 days for high-severity findings, 90 days for moderate, and 180 days for low.
- SA-11 and SA-15 (Developer Testing and Development Process): require security testing and a documented, secure development process from the CSP.
- SR family: provenance, component authenticity, and supplier risk management for the components you ship.
Executive Order 14028 pushed software bills of materials into this conversation, and federal buyers increasingly expect SBOMs as part of supply chain evidence. In practice, meeting RA-5 and SI-2 across a real dependency tree — every month, with tracked remediation — is impossible without an accurate component inventory.
Compliance checklist
| Step | What it involves |
|---|---|
| Categorize impact | Apply FIPS 199 to set Low, Moderate, or High |
| Select the baseline | Adopt the matching NIST SP 800-53 control set |
| Document the SSP | Describe how each control is implemented |
| Engage a 3PAO | Complete readiness then full assessment |
| Track the POA&M | Manage open findings to closure |
| Scan monthly | Meet RA-5 across OS, web, and database layers |
| Remediate on SLA | Close findings within 30/90/180-day windows |
| Inventory components | Maintain SBOMs for supply-chain evidence |
| Sustain ConMon | Deliver monthly deliverables and an annual assessment |
How Safeguard helps
Safeguard supports the software and supply-chain controls that dominate FedRAMP continuous monitoring. SBOM Studio maintains a live component inventory that feeds the SR-family evidence and SBOM expectations federal buyers now look for. Software composition analysis delivers the recurring vulnerability scanning behind RA-5 and produces the tracked findings and timestamps you need to demonstrate SI-2 remediation within the 30/90/180-day windows.
Griffin AI prioritizes those findings by reachability, so your POA&M reflects genuine exposure rather than an undifferentiated scan dump — which keeps monthly continuous-monitoring reporting honest and manageable. Our compliance pages map these capabilities to specific NIST SP 800-53 controls, so your assessors can trace each piece of evidence to the requirement it satisfies.
FedRAMP authorization is a marathon, and continuous monitoring never ends. Automating the component-inventory and vulnerability-management portions is how teams keep the monthly cadence sustainable long after the initial ATO.
Frequently Asked Questions
What is the difference between an agency ATO and the board path? An agency ATO is sponsored by a specific federal agency that reviews your package and authorizes it for its own use, after which other agencies can reuse the package. The board path (historically the JAB, now the FedRAMP Board) issues a broader provisional authorization. Because the governance model is being modernized, confirm the current options with GSA.
Which impact level do most SaaS products need? Moderate is the most common baseline, covering the majority of federal SaaS that handles controlled unclassified information. Low impact and the tailored Li-SaaS baseline apply to lower-risk services, while High is reserved for the most sensitive unclassified systems.
How often do we have to scan and remediate? FedRAMP continuous monitoring requires monthly vulnerability scanning of operating systems, web applications, and databases under RA-5. The standard SI-2 remediation windows are 30 days for high-severity findings, 90 days for moderate, and 180 days for low.
Do we need an SBOM for FedRAMP? NIST SP 800-53 Revision 5 added a Supply Chain Risk Management control family, and Executive Order 14028 drove federal expectations toward SBOMs. Even where not called out as a single line item, a current component inventory is the practical foundation for meeting the scanning, remediation, and supply-chain controls.
Ready to automate the supply-chain half of your FedRAMP program? Create a free account or read the Safeguard documentation to connect your first repository.