FedRAMP authorisation is the most rigorous public cloud security certification in the US market, and it is widely misunderstood by enterprise buyers. The authorisation is precise but narrow — it certifies a specific system boundary against a specific control baseline at a specific point in time. The gap between FedRAMP scope and customer use case is where most assessment work actually lives.
FedRAMP authorisation is granted at one of three impact levels — Low, Moderate or High — against the NIST SP 800-53 control baseline at the corresponding level. The authorisation applies to a defined system boundary (the FedRAMP authorisation boundary) and includes the named services within that boundary. Anything outside the boundary — adjacent services, integrations, the vendor's corporate IT, third-party plug-ins — is not authorised.
Three reading errors recur in buyer assessments. The first is treating "FedRAMP authorised" as an enterprise-wide certification; it is not. The second is failing to read the System Security Plan (SSP) to identify which services in the vendor's product portfolio are inside the authorisation boundary; many vendors authorise their headline product but leave related products unauthorised. The third is missing the difference between FedRAMP Authorised and FedRAMP Ready or In Process — the latter two are not authorisations.
Every FedRAMP authorisation includes a boundary diagram in the SSP. Buyers should request this diagram and verify that the services they intend to consume are inside it. A vendor that markets FedRAMP authorisation but cannot produce the boundary diagram for their specific service is operating outside the authorisation scope — a contractually material misrepresentation. Catching that gap before signature is exactly what a buyer-side license compliance assessment is built to do.
We run buyer-side FedRAMP gap assessments for regulated industries and public sector.
Impact level selection is the buyer's responsibility, not the vendor's. FIPS 199 categorisation guides the choice: Low impact for data where compromise has limited adverse effect; Moderate for serious effect; High for severe or catastrophic effect. Defence and intelligence systems are typically High; most federal civilian and regulated commercial use cases are Moderate; Low is rare.
The cost and contractual implications of impact level are significant. A FedRAMP High service costs 30–60% more than the same service at FedRAMP Moderate and is operationally constrained — typically deployed in segregated infrastructure with US-citizen-only personnel. Buyers who over-categorise pay for capability they do not need; buyers who under-categorise fail audit. Independent technical review of the categorisation pays back several times over.
FedRAMP authorisation covers the vendor-side controls; it does not cover the customer-side controls. The Customer Responsibility Matrix (CRM) in the SSP identifies which controls are vendor-implemented, which are customer-implemented, and which are shared. Most buyers underestimate the customer-implemented share — typically 15–25% of total controls. The gap between assumed and actual customer responsibility is the largest source of audit findings post-deployment.
FedRAMP, ISO 27001, SOC 2 and sectoral compliance — mapped to renewal-time contractual remediation.
FedRAMP authorisation does not flow contractually into the customer's use of the service unless the contract says so. Standard vendor MSAs reference "applicable certifications" but do not commit the vendor to maintain FedRAMP authorisation, notify the customer of authorisation loss, or remediate boundary changes. Three contractual clauses are non-negotiable for FedRAMP-relevant procurement:
Standard vendor MSAs include none of these. Negotiating them in is the work of FedRAMP-aware contract drafting, and it is the difference between a real FedRAMP procurement and a compliance fiction.
DoD workloads require Impact Level 4 (Controlled Unclassified Information) or IL5 (mission-critical CUI) authorisation under the DoD Cloud Computing Security Requirements Guide, which sits on top of FedRAMP. IL4 and IL5 authorisation are vendor-specific and not coextensive with FedRAMP High; some FedRAMP High services lack IL4 authorisation, and vice versa. Buyers in DoD-adjacent industries (defence contractors, intelligence community contractors, federal systems integrators) should verify the DoD impact level explicitly, not assume parity with FedRAMP.
We represent enterprise buyers exclusively. No vendor relationships. Built around former licensing executives from Oracle, Microsoft, SAP and the major cloud vendors.
Weekly compliance intelligence for IT leaders.