
FedRAMP is continuous compliance, not a one-time cert. ATO is just the start—ongoing monitoring, audits, and reporting keep you authorized.
Rev 5 and FedRAMP 20x raise the bar. Privacy, supply chain controls, and automated evidence are becoming required to stay competitive.
Automation is the unlock. Repeatable builds, SBOMs, provenance, and rapid patching prevent compliance from becoming a costly manual grind.
FedRAMP is both an obligation and an opportunity. It first shows up as time and energy spent on rigorous controls, third-party assessments, and ongoing reporting, all of which become hard requirements the moment you sign your first contract with a federal agency.
Once authorized, you’ll see the opportunity: FedRAMP is standardized across agencies, and your certification unlocks entire high-trust public sector markets (as well as private buyers who recognize the standard).
In this article, we’ll help you navigate the standard. We begin by explaining what it is, then cover the roles of PMO, JAB, and Agencies, the moving parts (Rev 5 and 20x), the steps to authorization, and how you can maintain velocity while remaining continuously compliant.
You can’t just buy compliance after the fact. FedRAMP intentionally rewards those who plan for it in advance. In this article, we outline how to build it into your systems from the ground up.
What is FedRAMP compliance?
FedRAMP (the Federal Risk and Authorization Management Program) is the U.S. government’s standardized framework for assessing and authorizing the security of cloud services. It grew out of the Federal Information Security Management Act (FISMA), and its control set is drawn from NIST SP 800-53. FISMA, enacted in 2002, required every federal agency to run an information security program, but each agency interpreted it as it saw fit, so a cloud provider faced a different assessment for every customer. FedRAMP was introduced in 2011 as a government-wide standard, giving cloud services a single, consistent assessment process whose results agencies can reuse.
Any cloud provider that hosts or processes U.S. government data must earn a FedRAMP Authorization to Operate (ATO): either a Provisional ATO (P-ATO) from the Joint Authorization Board (JAB) or an ATO from a sponsoring agency (a federal agency that partners with the cloud provider through the process and issues the authorization). Note that the 2024 OMB memo modernizing FedRAMP replaced the JAB with a FedRAMP Board; the two-path model described here still applies. You can prepare for the process in advance, but you need a federal customer (an agency sponsor or contract) before an authorization can be issued.
As the most rigorous cloud security standard that federal agencies accept, FedRAMP is the de facto trust framework for cloud services sold to the U.S. public sector. Increasingly, even vendors outside the federal market chase the same bar, since buyers often regard it as stronger than private-sector attestations.
Two current shifts raise the stakes. FedRAMP Rev 5 aligns the baselines with NIST SP 800-53 Rev 5, and the FedRAMP 20x initiative pushes the program toward automated, machine-readable evidence and continuous monitoring in place of document-heavy assessments. Vendors that can’t adapt risk stalled authorizations and a shrinking federal pipeline.
FedRAMP has moved from a background task to a core driver of growth; compliance now shapes your markets.
How does FedRAMP compliance work?
FedRAMP is a framework for proving and then continuously maintaining trust. You can’t treat it like a (re)certification, since the process is continuous. It’s a loop that doesn’t stop turning:
Define: The FedRAMP program management office (PMO) publishes and updates the control baselines, each requirement mapped to NIST SP 800-53. You’re expected to adapt your system(s) promptly to every change and update.
Assess: A third-party assessment organization (3PAO) tests your controls and documents evidence for them in standardized formats and packages.
Authorize: Either the JAB (as a P-ATO) or a sponsoring agency then issues an ATO, allowing agencies to use your service in their environments.
Monitor: You’re expected to continuously perform vulnerability scanning, patching, and reporting at monthly and yearly checkpoints, as well as after every significant system update or change.
The framework doesn’t stand still, and ongoing revisions push modernization across all cloud providers. Two update efforts are in progress: FedRAMP Rev 5 (announced in 2023 and mandatory by September 1, 2026) adds privacy and supply-chain risk management controls, while FedRAMP 20x (announced in 2025, with implementation guidance expected in 2026) moves agencies and providers toward automated, machine-readable reporting.
Security baselines and control families
NIST 800-53 can be very detailed and specific, and its controls are grouped into thematic families, including Access Control, Incident Response, System and Communications Protection, and Configuration Management. To make this complexity a bit more usable and manageable, FedRAMP defines three security baselines:
Low: minimal impact if data is compromised (e.g., public datasets).
Moderate: typical for SaaS handling controlled but unclassified information.
High: for systems with sensitive or mission-critical data (e.g., health, defense, law enforcement).
Each baseline bundles a specific set of controls into a measurable requirement. At Moderate, for example, a system must implement roughly 325 controls across the 800-53 control families (the exact count depends on the baseline revision). Because the baselines are quantified and identical across agencies, anyone who meets the Moderate bar has implemented the same controls in a consistent way, has had them tested by an independent assessor, and can have those tests repeated.
Authorization vs. continuous monitoring
The authorization (an Authorization to Operate, or ATO) that the JAB or a sponsoring agency grants is only a first step. It’s an initial confirmation that the vendor has met the control and risk-level requirements at that point in time, and nothing more.
The approval has to then be maintained through Continuous Monitoring (ConMon)—the monthly, yearly, and major system change audits we mentioned above, coupled with ongoing reporting. Vendors must continuously prove that their systems remain compliant as their code and infrastructure evolve. An authorization provides the initial “go-ahead” to sign federal contracts, and continuous monitoring keeps the contracts from lapsing.
Steps to become FedRAMP compliant
Your assessors will ask for plenty of signatures and folders of paperwork, but paperwork is not the bulk of the work. You can only earn FedRAMP once you have consistent, repeatable, and auditable security measures in place.
While each organization’s path differs, depending on its sponsor, size, and product, they share some commonalities. Here are seven steps that everyone typically faces, each of which you can exhaust yourself executing manually or manage with automation.
Assess readiness: Compare your systems and controls to the baselines, do a gap analysis, and immediately close trivial gaps.
Draw boundaries: Not all your systems fall under the FedRAMP scope. It’s crucial to carefully choose what’s included. Otherwise, you’ll likely waste time on irrelevant compliance work or rework that’s caused by an audit.
Choose your impact level and path: A JAB P-ATO can be reused by any agency; an agency ATO is issued for that agency’s use, though other agencies can reuse the package after their own review. Select the impact level that matches the data your market handles, and choose the path your business can realistically complete.
Document everything: Produce your system security plan (SSP) from evidence generated by your environment, ideally without laboriously typing it up. The SSP describes how every control in your baseline is implemented.
Get assessed: Bring in an accredited 3PAO to test the controls against the SSP. The 3PAO produces the security assessment report (SAR), and every finding lands in your plan of action and milestones (POA&M) with a remediation deadline.
Submit and defend: Deliver the package to the body you chose in step #3, and iterate with reviewers and their findings until approved.
Operate continuously: Run continuous monitoring scans, patch within the required windows, and submit monthly deliverables (scan results and an updated POA&M) to maintain your good standing.
Success in the FedRAMP process hinges on repeatability and automation. Automated patch pipelines, provenance records, and daily rebuilt systems can all turn this into a continuous daily loop instead of a monthly and yearly scramble.
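To make the “Operate continuously” step concrete, here is an added example (not code from the original page or from Chainguard) that turns open scan findings into POA&M rows with due dates and an overdue flag. It assumes the FedRAMP continuous-monitoring remediation windows of 30, 90 and 180 days from discovery for High, Moderate and Low findings; the scan findings, component names and CVE identifiers in it are constructed placeholders.

```python
"""Added example: open scan findings -> POA&M rows with FedRAMP ConMon deadlines.

Deadlines follow the FedRAMP Continuous Monitoring Strategy Guide: High within
30 days, Moderate within 90 days, Low within 180 days of discovery. Every
finding below is constructed; the CVE identifiers are placeholders, not real
vulnerabilities.
"""
from datetime import date, timedelta

REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Constructed scanner output, normalized to a flat record per finding.
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "component": "libexample", "severity": "High",
     "discovered": "2025-01-03", "status": "open"},
    {"id": "CVE-0000-0002", "component": "example-app", "severity": "Moderate",
     "discovered": "2025-01-15", "status": "open"},
    {"id": "CVE-0000-0003", "component": "base-image", "severity": "Low",
     "discovered": "2024-12-01", "status": "open"},
    {"id": "CVE-0000-0004", "component": "libexample", "severity": "High",
     "discovered": "2025-02-20", "status": "closed"},   # already remediated
    {"id": "CVE-0000-0005", "component": "example-app", "severity": "Moderate",
     "discovered": "2024-11-20", "status": "open"},
]


def _as_date(value):
    """Accept either a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def remediation_deadline(severity, discovered):
    """ISO date by which a finding of this severity must be remediated."""
    try:
        days = REMEDIATION_DAYS[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity {severity!r}") from None
    return (_as_date(discovered) + timedelta(days=days)).isoformat()


def build_poam(findings, as_of):
    """Return POA&M rows for open findings, overdue items first, then by due date."""
    as_of = _as_date(as_of)
    rows = []
    for f in findings:
        if f["status"] != "open":
            continue
        due = _as_date(remediation_deadline(f["severity"], f["discovered"]))
        rows.append({
            "id": f["id"],
            "component": f["component"],
            "severity": f["severity"].lower(),
            "discovered": _as_date(f["discovered"]).isoformat(),
            "due": due.isoformat(),
            "days_remaining": (due - as_of).days,   # negative when overdue
            "overdue": as_of > due,
        })
    # Sort key: overdue rows first (False sorts before True), then earliest due.
    rows.sort(key=lambda r: (not r["overdue"], r["due"]))
    return rows


def summarize(rows):
    """Counts a monthly ConMon report would lead with."""
    return {
        "open": len(rows),
        "overdue": sum(1 for r in rows if r["overdue"]),
        "by_severity": {s: sum(1 for r in rows if r["severity"] == s)
                        for s in REMEDIATION_DAYS},
    }


if __name__ == "__main__":
    poam = build_poam(SAMPLE_FINDINGS, "2025-03-01")
    for row in poam:
        flag = "OVERDUE" if row["overdue"] else f"{row['days_remaining']}d left"
        print(f"{row['id']:14} {row['severity']:8} due {row['due']}  {flag}")
    print(summarize(poam))
```

Running the script as of 2025-03-01 lists the two overdue findings first. In practice you would feed it the scanner’s export each month and fail the pipeline, or open tickets, for any row with a negative days_remaining.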
Common challenges in achieving FedRAMP compliance
Every organization is unique, but when it comes to FedRAMP compliance, certain challenges always come up. These challenges are a consistent part of maintaining control; they don’t go away once you’ve been authorized. We’ll cover some clean ways to handle them further down.
Upfront time and cost
A baseline initial authorization will often take longer than a year (typically between nine and eighteen months) and can cost you millions of dollars in engineering hours and consulting fees.
Managing software vulnerabilities and patch chains
Common Vulnerabilities and Exposures (CVE) management eats time faster than you can track it and is hard to cover completely, especially in operating systems and other dependencies you don’t directly maintain. Small mistakes creep into manually managed patch chains. With scan results due monthly and fixed remediation windows, this tedious process can consume millions of dollars’ worth of time and resources on continuous remediation.
Documentation and audit preparation
Anything short of a complete, current, evidence-based trail for software provenance will slow the assessment. Building the automation needed to contain the time and effort here is itself time-consuming and costly, and as long as some of your SBOMs, signatures, and provenance records are produced by hand, you’ll keep scrambling to fix procedural gaps that assessors find.
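As an added illustration of what an automated provenance trail lets you check (example code, not the page’s or Chainguard’s own), the following script evaluates a deployment candidate’s attestations: a SLSA provenance statement must name the exact image digest and a trusted builder, and an SBOM attestation must exist for the same digest. It assumes the DSSE envelope signatures were already verified by your signing tooling (for example with cosign) before this policy step runs; the image digest, builder URI, registry name and statement contents are constructed.

```python
"""Added example: policy check over verified in-toto attestations.

Signature verification of the DSSE envelopes is assumed to have been done by
your attestation tooling (e.g. cosign). This step checks that the verified
statements actually vouch for the image about to be deployed. All digests,
URIs and statement contents are constructed for illustration.
"""
import base64
import hashlib
import json

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
SBOM_PREDICATES = {"https://spdx.dev/Document", "https://cyclonedx.org/bom"}

# Constructed digest standing in for the image you are about to deploy.
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed example image").hexdigest()
# Hypothetical builder identity allowlist.
ALLOWED_BUILDERS = {"https://builder.example.internal/ci@v1"}


def make_statement(predicate_type, digest, predicate):
    """Build an in-toto v1 statement bound to one image digest."""
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": "registry.example/app",
                     "digest": {"sha256": digest.removeprefix("sha256:")}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def dsse_envelope(statement):
    """Wrap a statement in a DSSE envelope the way attestation tooling does.
    The signature is left empty: signing/verification is out of scope here."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": "application/vnd.in-toto+json",
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "constructed", "sig": ""}]}


def decode_statement(envelope):
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType")
    return json.loads(base64.b64decode(envelope["payload"]))


def subject_digests(statement):
    return {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}


def check_provenance(statement, image_digest, allowed_builders):
    """Return (ok, reasons) for one provenance statement."""
    reasons = []
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        reasons.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        reasons.append("predicateType is not SLSA provenance v1")
    if image_digest.removeprefix("sha256:") not in subject_digests(statement):
        reasons.append("subject digest does not match the deployed image")
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder not in allowed_builders:
        reasons.append(f"builder {builder!r} is not on the allowlist")
    return not reasons, reasons


def evaluate_image(envelopes, image_digest, allowed_builders):
    """Admission decision: trusted provenance AND an SBOM, both for this digest."""
    result = {"provenance_ok": False, "has_sbom": False, "reasons": []}
    for env in envelopes:
        stmt = decode_statement(env)
        ptype = stmt.get("predicateType")
        if ptype == SLSA_PROVENANCE_V1:
            ok, why = check_provenance(stmt, image_digest, allowed_builders)
            result["provenance_ok"] = result["provenance_ok"] or ok
            result["reasons"].extend(why)
        elif ptype in SBOM_PREDICATES:
            if image_digest.removeprefix("sha256:") in subject_digests(stmt):
                result["has_sbom"] = True
            else:
                result["reasons"].append("SBOM attestation is for a different digest")
    if not result["has_sbom"]:
        result["reasons"].append("no SBOM attestation for this image")
    result["admit"] = result["provenance_ok"] and result["has_sbom"]
    return result


# Constructed attestations for the sample image.
GOOD_PROVENANCE = make_statement(SLSA_PROVENANCE_V1, IMAGE_DIGEST, {
    "buildDefinition": {"buildType": "https://builder.example.internal/container@v1"},
    "runDetails": {"builder": {"id": "https://builder.example.internal/ci@v1"}},
})
GOOD_SBOM = make_statement("https://spdx.dev/Document", IMAGE_DIGEST,
                           {"spdxVersion": "SPDX-2.3", "packages": []})

if __name__ == "__main__":
    envelopes = [dsse_envelope(GOOD_PROVENANCE), dsse_envelope(GOOD_SBOM)]
    print(evaluate_image(envelopes, IMAGE_DIGEST, ALLOWED_BUILDERS))
```

The digest comparison is the part that matters most: an attestation that is validly signed but bound to a different digest is exactly what a substituted image looks like, so the check refuses anything that is not tied to the digest being deployed.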
Meeting container-specific security requirements
FedRAMP’s configuration-management controls expect systems to be hardened to a recognized benchmark: DISA STIGs (the Department of Defense’s security technical implementation guides) or CIS Benchmarks (the Center for Internet Security’s industry guidelines). Container images are in scope, which expands your CI and build chain and can force you into custom, sprawling rebuilds of the base images for your cloud deployments.
Continuously adapting to evolving standards
FedRAMP’s Rev 5 and 20x automation and acceleration efforts keep moving the goalposts. Staying on top of the changes is tricky, and the effort typically makes CI and build flows balloon, with costs that are hard to predict.
FedRAMP’s most challenging demands are for ongoing discipline—consistent builds, predictable repetition, continuous auditing, and constant alignment with the latest requirements.
How Chainguard helps companies achieve and maintain FedRAMP compliance
At its core, FedRAMP compliance is hard only if security is treated as an add-on layer. Chainguard reverses that approach by building it into your foundations. Our images and processes are built for compliance from the start, so every artifact you deploy carries the evidence and documentation that FedRAMP expects.
We do this by delivering:
Hardened, FIPS-validated container images: Our images rely on a kernel-independent architecture to work across environments. They ship with FIPS 140-validated cryptographic modules from the start (FedRAMP’s SC-13 control requires FIPS-validated cryptography), which accelerates your upfront adoption (often by 2x) and removes entire classes of work from your ongoing maintenance.
Zero-known-CVE base images, rebuilt daily: These images shrink your CVE management workload to just the software you own and build, and ship with the audit documentation you need. You decide how they fit into your own release and patch cycles.
Built-in SBOMs, provenance, and image signing: Export all the evidence your assessor is looking for as needed, cutting down on time costs for audits or when addressing remediations.
STIG-aligned, minimal images mapped to NIST 800-53 Rev 5 control families: No need to untangle complex, interdependent image chains. Your environments and images are ready for JAB or agency review from day one.
Future-ready: Our base images are continuously updated and aligned with FedRAMP Rev 5 and 20x automation goals. They remove significant domains of work from your effort to stay on top of updates and changes to the standard.
Proven result: Many organizations rely on our work for their FedRAMP compliance; see, for example, how Snowflake achieved a FedRAMP High authorization with Chainguard Containers.
Stop chasing compliance through manual forms and gnarly patch tickets. Build on infrastructure that is aligned from the start. Talk to one of our experts.