FedRAMP
FedRAMP is the U.S. government program that authorizes cloud services for use by federal agencies, with three impact levels (Low, Moderate, High) based on data sensitivity.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is the U.S. government's standardized approach to assessing and authorizing cloud services for federal use. A FedRAMP authorization means an independent third-party assessor (3PAO) has evaluated the cloud provider against NIST SP 800-53 controls and the authorization has been issued by either the Joint Authorization Board (JAB) or a sponsoring agency.
FedRAMP defines three impact levels: Low (least sensitive data, ~125 controls), Moderate (sensitive but unclassified, ~325 controls), and High (high-impact data, ~425 controls). Most enterprise AI use cases for federal customers require Moderate. Defense and intelligence work typically requires High or higher (DoD IL4, IL5, IL6).
Why FedRAMP matters for AI vendors
Federal agencies cannot use cloud services that are not FedRAMP authorized at or above the impact level required for their data. This effectively disqualifies most AI vendors from federal sales until they complete the multi-year, multi-million-dollar FedRAMP process. It also creates a hard line in due diligence: if a vendor's marketing claims "federal-ready" without an active FedRAMP Authorization to Operate (ATO), the procurement team should require evidence in the form of a FedRAMP Marketplace listing or an active 3PAO engagement.
StateRAMP and the cousins
StateRAMP applies the FedRAMP model to U.S. state and local government, with similar impact levels. CJIS Security Policy applies to systems touching criminal-justice information. DoD IL4/IL5/IL6 cover defense data classifications above Moderate. Each requires its own assessment process. A vendor authorized at FedRAMP Moderate is a strong candidate for StateRAMP but is not automatically authorized; the assessment must be performed under StateRAMP's program.