Home  ›  Blog  ›  FedRAMP Vendor Assessment
Compliance · Public Sector

FedRAMP vendor assessment — reading the authorisation correctly.

FedRAMP authorisation is the most rigorous public cloud security certification in the US market, and it is widely misunderstood by enterprise buyers. The authorisation is precise but narrow — it certifies a specific system boundary against a specific control baseline at a specific point in time. The gap between FedRAMP scope and customer use case is where most assessment work actually lives.

Updated: June 2026 Reading time: 14 min Audience: CIO, Procurement, IT Asset Manager
FedRAMP Vendor Assessment
What FedRAMP actually certifies

The authorisation, read precisely.

FedRAMP authorisation is granted at one of three impact levels — Low, Moderate or High — against the NIST SP 800-53 control baseline at the corresponding level. The authorisation applies to a defined system boundary (the FedRAMP authorisation boundary) and includes the named services within that boundary. Anything outside the boundary — adjacent services, integrations, the vendor's corporate IT, third-party plug-ins — is not authorised.

Three reading errors recur in buyer assessments. The first is treating "FedRAMP authorised" as an enterprise-wide certification; it is not. The second is failing to read the System Security Plan (SSP) to identify which services in the vendor's product portfolio are inside the authorisation boundary; many vendors authorise their headline product but leave related products unauthorised. The third is missing the difference between FedRAMP Authorised and FedRAMP Ready or In Process — the latter two are not authorisations.

The boundary diagram

Every FedRAMP authorisation includes a boundary diagram in the SSP. Buyers should request this diagram and verify that the services they intend to consume are inside it. A vendor that markets FedRAMP authorisation but cannot produce the boundary diagram for their specific service is operating outside the authorisation scope — a contractually material misrepresentation. Catching that gap before signature is exactly what a buyer-side license compliance assessment is built to do.

Procuring FedRAMP-relevant software?

We run buyer-side FedRAMP gap assessments for regulated industries and public sector.

Contact Us →
Impact level selection

Low, Moderate or High — match the data.

Impact level selection is the buyer's responsibility, not the vendor's. FIPS 199 categorisation guides the choice: Low impact for data where compromise has limited adverse effect; Moderate for serious effect; High for severe or catastrophic effect. Defence and intelligence systems are typically High; most federal civilian and regulated commercial use cases are Moderate; Low is rare.

The cost and contractual implications of impact level are significant. A FedRAMP High service costs 30–60% more than the same service at FedRAMP Moderate and is operationally constrained — typically deployed in segregated infrastructure with US-citizen-only personnel. Buyers who over-categorise pay for capability they do not need; buyers who under-categorise fail audit. Independent technical review of the categorisation pays back several times over.

Inheritance and customer responsibility

FedRAMP authorisation covers the vendor-side controls; it does not cover the customer-side controls. The Customer Responsibility Matrix (CRM) in the SSP identifies which controls are vendor-implemented, which are customer-implemented, and which are shared. Most buyers underestimate the customer-implemented share — typically 15–25% of total controls. The gap between assumed and actual customer responsibility is the largest source of audit findings post-deployment.

Download the CIO Contract Governance Guide.

FedRAMP, ISO 27001, SOC 2 and sectoral compliance — mapped to renewal-time contractual remediation.

Get the guide →
Contractual gaps

What FedRAMP does not give you.

FedRAMP authorisation does not flow contractually into the customer's use of the service unless the contract says so. Standard vendor MSAs reference "applicable certifications" but do not commit the vendor to maintain FedRAMP authorisation, notify the customer of authorisation loss, or remediate boundary changes. Three contractual clauses are non-negotiable for FedRAMP-relevant procurement:

  1. Authorisation maintenance. Vendor commits to maintain FedRAMP authorisation at the named impact level for the contract term, with notice to the customer of any change in authorisation status within a defined window.
  2. Boundary scope. The contract specifies which services are inside the FedRAMP boundary and commits the vendor to provide service exclusively from within the boundary. Boundary changes require customer notice.
  3. Continuous monitoring access. Vendor commits to provide the customer with access to FedRAMP continuous monitoring deliverables — monthly POAM updates, annual SCA reports, significant change notifications.

Standard vendor MSAs include none of these. Negotiating them in is the work of FedRAMP-aware contract drafting, and it is the difference between a real FedRAMP procurement and a compliance fiction.

DoD IL4 and IL5 — when FedRAMP is not enough

DoD workloads require Impact Level 4 (Controlled Unclassified Information) or IL5 (mission-critical CUI) authorisation under the DoD Cloud Computing Security Requirements Guide, which sits on top of FedRAMP. IL4 and IL5 authorisation are vendor-specific and not coextensive with FedRAMP High; some FedRAMP High services lack IL4 authorisation, and vice versa. Buyers in DoD-adjacent industries (defence contractors, intelligence community contractors, federal systems integrators) should verify the DoD impact level explicitly, not assume parity with FedRAMP.

When independent advisory pays back

FAQ

Common questions on this topic.

Is FedRAMP authorisation required for federal procurement?
Yes for cloud services provided to US federal agencies, per OMB Memorandum M-22-09 and the Federal Acquisition Regulation. Non-cloud services and certain government-furnished infrastructure are out of scope.
Can a commercial buyer rely on a vendor's FedRAMP authorisation?
Yes for the technical control set, but the contractual flow-through is not automatic. The customer must contractually require maintenance of authorisation, notice of changes, and access to continuous monitoring artefacts.
What is the difference between FedRAMP Authorised, FedRAMP Ready and FedRAMP In Process?
Authorised means the system has completed assessment and received Authorisation to Operate (ATO) from a sponsoring agency or the Joint Authorisation Board. Ready means a 3PAO has confirmed assessment readiness. In Process means an authorisation effort is underway. Only Authorised systems are FedRAMP-compliant for federal procurement.
Does FedRAMP cover the vendor's corporate IT?
No. FedRAMP applies to the service inside the authorisation boundary, not to the vendor's corporate IT environment. Vendor corporate compromise is not, by itself, a FedRAMP scope event.
How often is FedRAMP authorisation re-assessed?
Continuous monitoring runs monthly with POAM reporting; full annual assessment is required; significant changes trigger interim assessment. Authorisation can lapse if continuous monitoring obligations are not met.
What is StateRAMP and how does it relate?
StateRAMP is the state and local equivalent, harmonised to FedRAMP controls. Many state procurements accept FedRAMP authorisation in lieu of StateRAMP, but some have additional state-specific requirements. Verify state-by-state.

FedRAMP-relevant procurement in flight?
We do the boundary, control and contractual review.

We represent enterprise buyers exclusively. No vendor relationships. Built around former licensing executives from Oracle, Microsoft, SAP and the major cloud vendors.

The Compliance Brief

Weekly compliance intelligence for IT leaders.