What is FedRAMP?
The US government program that standardises how cloud services are assessed and authorised for use by federal agencies.
Definition
FedRAMP (Federal Risk and Authorization Management Program) is a US government-wide program that provides a standardised approach to security assessment, authorisation and continuous monitoring for cloud products and services. It’s built on NIST SP 800-53 controls.
A cloud service must obtain an Authorization to Operate (ATO) — via a sponsoring agency or the Joint Authorization Board — before federal agencies can use it. Impact levels (Low, Moderate, High) set the control baseline based on data sensitivity.
How FedRAMP works
NIST 800-53 baseline
Controls scaled to Low / Moderate / High impact.
Authorization path
Agency ATO or JAB Provisional ATO.
Third-party assessment
An accredited 3PAO tests the controls.
Continuous monitoring
Ongoing scanning and reporting after ATO.
FedRAMP Marketplace
Public listing of authorised cloud services.
Who needs to comply?
Cloud service providers that want to sell to US federal agencies — and the agencies and integrators that procure cloud services.
How ISpectra helps
ISpectra guides cloud providers through FedRAMP — gap assessment against the right baseline, control implementation, 3PAO coordination and continuous-monitoring setup — to reach and maintain an ATO.
Talk to an advisor