ISpectra Technologies
Government · Cloud

What is FedRAMP?

The US government program that standardises how cloud services are assessed and authorised for use by federal agencies.

Definition

FedRAMP (Federal Risk and Authorization Management Program) is a US government-wide program that provides a standardised approach to security assessment, authorisation and continuous monitoring for cloud products and services. It’s built on NIST SP 800-53 controls.

A cloud service must obtain an Authorization to Operate (ATO) — via a sponsoring agency or the Joint Authorization Board — before federal agencies can use it. Impact levels (Low, Moderate, High) set the control baseline based on data sensitivity.

How FedRAMP works

1

NIST 800-53 baseline

Controls scaled to Low / Moderate / High impact.

2

Authorization path

Agency ATO or JAB Provisional ATO.

3

Third-party assessment

An accredited 3PAO tests the controls.

4

Continuous monitoring

Ongoing scanning and reporting after ATO.

5

FedRAMP Marketplace

Public listing of authorised cloud services.

Who needs to comply?

Cloud service providers that want to sell to US federal agencies — and the agencies and integrators that procure cloud services.

How ISpectra helps

ISpectra guides cloud providers through FedRAMP — gap assessment against the right baseline, control implementation, 3PAO coordination and continuous-monitoring setup — to reach and maintain an ATO.

Talk to an advisor