Federal Risk and Authorization Management Program
(FedRAMP)
Overview
The US Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays a key part in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS cloud services to process, store, and transmit federal government data.
FAQs
Open allThe Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program intended to standardize the security assessment, certification, and continuous monitoring for cloud products and services used by federal agencies. The governing bodies of FedRAMP include the FedRAMP Board, the FedRAMP Program Management Office (PMO), the FedRAMP Technical Advisory Group (TAG), and Federal Secure Cloud Advisory Committee (FSCAC).
Cloud Service Providers (CSPs) that want to offer their Cloud Service Offerings (CSOs) to the US government must demonstrate FedRAMP compliance. FedRAMP uses the NIST Special Publication 800 series and requires cloud service providers to complete an independent security assessment conducted by a FedRAMP Recognized Independent Assessment Service (formerly 3PAO) to ensure that certifications are compliant with the Federal Information Security Management Act of 2002 (FISMA 2002). For more information, see the FedRAMP website.
- Consistency and confidence in the security of cloud solutions using National Institutes of Standards & Technology (NIST) and FISMA defined standards
- Transparency between US government and cloud providers
- Automation and near real time continuous monitoring
- Adoption of secure cloud solutions through reuse of assessments and certifications
In response to the federal government’s Cloud First Policy (now Cloud Smart Strategy), the Office of Management and Budget (OMB) issued the FedRAMP Policy Memo established FedRAMP to provide a standard path for agencies to comply with their obligations under FISMA 2002. FedRAMP is mandatory for all US federal agencies and all cloud services. FedRAMP is important because it increases:
- The cloud service provider (CSP) has achieved FedRAMP Certification.
- The CSP meets the FedRAMP security control requirements as described in the National Institutes of Standards & Technology (NIST) 800-53, Rev. 5 security control baseline for moderate or high impact levels.
- The CSP must be assessed by a FedRAMP Recognized Independent Assessment Service (formerly 3PAO).
- The CSP must submit a complete FedRAMP Certification Package to the FedRAMP PMO.
All federal agencies are required to use the FedRAMP process to conduct security assessments, certifications, and continuous monitoring of cloud services. The FedRAMP Program Management Office (PMO) has outlined the following requirements for FedRAMP compliance:
Agency Authorization: To receive a FedRAMP Agency Authority to Operate (ATO), a CSP is reviewed by a customer Agency CIO or Delegated Authorizing Official(s). An agency ATO issued by a customer agency is verified by the FedRAMP Program Management Office (PMO).
- Streamlining Continuous Monitoring: Revisiting the approach to continuous monitoring, emphasizing ongoing, automated assessments to ensure compliance is maintained effectively over time.
- Automating Assessments: Developing mechanisms to automate security requirement validations, reducing the time and resources required for manual reviews.
- Leveraging Existing Frameworks: Allowing CSPs to use existing commercial security frameworks, minimizing duplicative efforts and enhancing compatibility with federal requirements.
- Enabling Continuous Reporting: Enhancing communication between CSPs and federal agencies by providing real-time reporting and monitoring capabilities.
As a part of the recently announced FedRAMP 20x initiative, the FedRAMP Program Management Office (PMO), industry stakeholders, and agency experts are working to redesign the FedRAMP assessment process. According to the FedRAMP PMO, the goal of FedRAMP 20x is to streamline and enhance the compliance process by:
To facilitate these improvements, working groups have been established to discuss these topics and gather input from stakeholders. These groups will help shape the future of FedRAMP.
For more information about FedRAMP 20x, please visit the FedRAMP 20x and FedRAMP 20x Working Groups pages.
The FedRAMP Consolidated Rules for 2026 (CR26) are published regulations that modernize how cloud service providers communicate changes and maintain ongoing compliance with FedRAMP. CR26 introduces standardized processes including Significant Change Notifications (SCN) for how providers communicate reportable changes to agency customers, and Collaborative Continuous Monitoring (CCM) for ongoing compliance reporting. Under CR26, "FedRAMP Authorized" is updated to "FedRAMP Certified," reflecting compliance validated on an ongoing basis. For more information, visit the FedRAMP Consolidated Rules for 2026 page.
Under the FedRAMP Consolidated Rules for 2026 (CR26), when a cloud service provider makes a reportable change to a FedRAMP-certified Cloud Service Offering, the provider issues a Significant Change Notification (SCN) to agency customers. SCNs provide agencies with details about the nature of the change and its potential security impact, enabling agencies to make informed risk-based decisions.
For full details on SCN requirements and change classifications, visit the FedRAMP Consolidated Rules for 2026 page.
Agency customers can request access to AWS SCN documentation by completing a Package Access Request Form and submitting it to package-access@fedramp.gov.
Under CR 2026, the FedRAMP PMO defines core security requirements, grants FedRAMP Certifications consistent with FedRAMP Board direction, and performs continuous monitoring oversight including review of Ongoing Certification Reports. The PMO also establishes standards and provides guidance, serving as the central point of contact between agencies and the commercial cloud sector.
Agencies must still issue their own Authority to Operate (ATO) through the Risk Management Framework for systems that incorporate FedRAMP Certified services — the agency ATO is the agency’s responsibility, while FedRAMP Certification is the CSP’s. Agencies are required to review Ongoing Certification Reports, notify FedRAMP upon authorization, and must not impose additional security requirements on Certified CSPs unless a demonstrable need exists and FedRAMP is notified.
CSPs achieve and maintain FedRAMP Certification (replacing the former “Authorization”) by meeting NIST 800-53 Rev 5 controls, undergoing annual independent assessment by a FedRAMP Recognized Independent Assessment Service (formerly 3PAO), performing continuous monitoring and vulnerability management, publishing quarterly Ongoing Certification Reports, and issuing Significant Change Notifications to agencies for material changes to any AWS cloud service offerings the agency uses.
FedRAMP is the process that Cloud Service Providers (CSPs) follow to get their Cloud Service Offerings (CSOs) approved for Federal civilian agencies or the DoD to use a building blocks for systems hosted in the cloud. The Risk Management Framework (RMF) is the process that Federal civilian agencies and the DoD follow to get their IT system authorized to operate. Only CSPs use the FedRAMP process and CSPs do not follow the RMF process. Federal civilian agencies and the DoD would only follow the FedRAMP process if they were creating cloud services (for example MilCloud).
- AWS GovCloud (US) is FedRAMP Certified Class D (formerly High baseline). The services in scope of the AWS GovCloud (US) FedRAMP Certification boundary at Class D (formerly High baseline) can be found within AWS Services in Scope by Compliance Program.
- AWS US East-West (Northern Virginia, Ohio, Oregon, Northern California) is FedRAMP Certified Class C (formerly Moderate baseline). The services in scope of the AWS US East-West FedRAMP Certification boundary at Class C (formerly Moderate baseline) can be found within AWS Services in Scope by Compliance Program.
Yes, AWS has achieved FedRAMP Certification for the following environments, having addressed the FedRAMP security controls (based on NIST SP 800-53), been assessed by a FedRAMP Recognized Independent Assessment Service (formerly 3PAO), and maintaining continuous monitoring requirements of FedRAMP:
No, there is no increase in service costs for any region as a result of AWS’ FedRAMP compliance.
Two separate FedRAMP Certifications cover AWS environments: AWS GovCloud (US) as Class D (formerly High baseline), and AWS US East-West as Class C (formerly Moderate baseline).
Yes, there are government agencies and other entities that provide systems integration and other products and services to governmental agencies are using the wide-range of AWS services today. You can review case studies about US government entities using AWS through the AWS Customer Success webpage. For more information about how AWS meets the high security requirements of governments, see the AWS for Government webpage.
The covered AWS services that are already in scope of the FedRAMP and DoD SRG boundary can be found within AWS Services in Scope by Compliance Program. Upon clicking on either the FedRAMP or DoD CSP SRG tab, services with a “✓” indicates that the service has been certified as meeting FedRAMP Class C (formerly Moderate baseline) requirements (subsequently DoD SRG IL2) for AWS US East-West and/or FedRAMP Class D (formerly High baseline) requirements (subsequently DoD SRG IL2, IL4, and IL5) for AWS GovCloud (US). These services are posted under the service description for AWS on the AWS Services in Scope page. If you would like to learn more about using these services and/or have interest in other services please contact AWS Sales and Business Development.
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, customers can place their high-impact workloads on AWS GovCloud (US), which has been authorized for high impact level.
U.S. Government employees and contractors can request access to the AWS FedRAMP Certification Package, including Ongoing Certification Reports, Significant Change Notification details, and related compliance artifacts, from the FedRAMP PMO by completing a Package Access Request Form and submitting it to package-access@fedramp.gov.
Commercial customers and partners may request access to the AWS FedRAMP Partner Package for guidance related to building on top of AWS offerings and assistance in architecting FedRAMP compliant services on AWS. The Partner Package may be found in your AWS account via AWS Artifact or by request through your AWS account manager.
For AWS US East-West Regions, the FedRAMP ID is AGENCYAMAZONEW. For AWS GovCloud (US) Region, the FedRAMP ID is F1603047866.
AWS maintains the same rigorous continuous monitoring standards it has always upheld for FedRAMP Certified environments.
Under the FedRAMP Consolidated Rules for 2026 (CR26), continuous monitoring follows the Collaborative Continuous Monitoring (CCM) framework. AWS publishes a quarterly Ongoing Certification Report (OCR) and hosts Quarterly Review briefings to keep agency customers informed on security posture and certification status.
Agency customers can request access to OCR reports and Quarterly Review briefings by completing a Package Access Request Form and submitting it to package-access@fedramp.gov. For more information, visit the FedRAMP Consolidated Rules for 2026 page.
The AWS FedRAMP Security Artifacts are available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
If you have specific questions regarding FedRAMP or DoD compliance, please contact your AWS account manager or submit the AWS Compliance Contact Us Form.
Federal government agencies are assessed by their Office of Inspector General (OIG) and internally based on metrics provided by the Department of Homeland Security (DHS). Criteria for FISMA OIG and CIO metrics are NIST SP 800 special publications, with emphasis on NIST SP 800-53. For these agencies to rely upon the security of the CSP, FedRAMP is a compliance program that is built on a baseline of NIST SP 800-53 controls to comply with FISMA requirements within the cloud.
The FedRAMP compliance program is leveraged by the DoD to meet Department of Defense Cloud Service Provider Security Requirements Guide (DoD CSP SRG) Impact Levels, both of which require compliance with FIPS 140-3 for certain encryption controls. The Defense Federal Acquisition Regulation Supplement (DFARS) requires DoD contractors that process, store or transmit Controlled Unclassified Information (CUI), to meet a certain set of security standards, which includes NIST SP 800-171 requirements. NIST SP 800-171 provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).
- Service-specific configuration guides
- Direct consultation with your AWS Sales Account Manager or the ATO on AWS team.
You can inherit various security controls when using FedRAMP-authorized infrastructure, platforms, and services. Your initial analysis of control versus inheritance will determine your compliance responsibilities.
AWS supports your FedRAMP implementation through: