FedRAMP
A US government authorization required for any cloud or AI service that handles federal agency data.
Basic
FedRAMP (Federal Risk and Authorization Management Program) is the US government's standard security assessment for cloud services. It has three impact levels: Low, Moderate, and High. FedRAMP Moderate is the baseline for most civilian agencies. FedRAMP High is required for critical agencies (DoD, IRS, etc.). AI providers pursuing federal contracts need FedRAMP authorization, which typically takes 12-24 months.
Deep
FedRAMP is governed jointly by GSA, DoD, and DHS. Authorization is granted either by a Joint Authorization Board (JAB) or an individual agency. The assessment draws from NIST SP 800-53 controls, with 125+ controls at Moderate and 425+ at High. Cloud providers (AWS GovCloud, Azure Government, Google Cloud for Government) host FedRAMP-authorized AI endpoints. OpenAI offers FedRAMP Moderate through Azure OpenAI Government. Anthropic runs Claude through AWS GovCloud for federal contracts. FedRAMP authorization is a multi-year project; providers without one cannot legally process federal data.
Expert
FedRAMP authorization requires a 3PAO (Third Party Assessment Organization) audit against NIST SP 800-53 Rev 5 baselines. The process yields an Authorization to Operate (ATO) package: System Security Plan, Security Assessment Report, POA&M, and Continuous Monitoring. Provisional ATO via JAB is most efficient; individual agency ATOs are faster but less portable. Impact Levels map to FIPS 199 categorization. Data residency constraint: FedRAMP data must stay within US borders and be handled by US persons for most controls.
Depending on why you're here
- FedRAMP = US fed cloud authorization
- Three levels: Low, Moderate, High
- Draws from NIST SP 800-53 control families
- Need FedRAMP for any federal contract handling agency data
- Use AWS GovCloud, Azure Government, or Google GovCloud
- Authorization is multi-year; plan accordingly
- FedRAMP authorization unlocks $100B+ federal AI market
- Barrier to entry is real: 18-24 month authorization timeline
- Only 3-4 frontier AI providers currently authorized
- A US government seal of approval for cloud services
- Without it, you can't sell AI to federal agencies
- Three tiers based on how sensitive the data is
FedRAMP is a 2-year project and a multi-billion-dollar key to the US federal AI market. OpenAI and Anthropic are already through the door.