FedRAMP Certification Requirements

What Will It Take to Become FedRAMP-Compliant?

Even with expert support, achieving a FedRAMP Authorization to Operate (ATO) is not a “checkbox exercise” that Cloud Service Providers can accomplish quickly and easily—it is among the most rigorous of compliance efforts.

Achieving ATO means that your organization has developed and is operating an information security management system (ISMS) that has been independently tested and validated by a third-party to conform to NIST/FISMA guidance in accordance with the risk level of the information you will be processing on behalf of a federal agency.

The top-level steps involved in becoming FedRAMP-compliant are:

1. 1. Review CIO.gov’s Guide to Understanding FedRAMP.
   2. To get a sense of the scope of your effort, download and review the FedRAMP templates (called System Security Plans). These templates are the foundation for authorization. The primary template within the SSP is 400 pages in length.
   3. Determine the risk classification for the data that you will be processing, usng the FIPS 199 categorization template.
   4. Document your information security controls per the FedRAMP templates in a manner that will demonstrate to the GSA that the design of your controls is consistent with the requirements specified. This documentation is likely to exceed 750 pages.
   5. Engage a registered third-party assessment organization (3PAO) to verify that your controls are in compliance with the ISMS you have documented, such that your FedRAMP scoped systems are secure.

   For additional information:

   View a list of FedRAMP authorized CSPs