FedRAMP compliance checklist

A practical FedRAMP compliance checklist for cloud service providers: impact-level determination, agency sponsorship, 3PAO assessment, authorization package, and the continuous monitoring obligations that keep the ATO alive. Reflects the post-2024 single-pathway model after the JAB/P-ATO route was retired.

Who FedRAMP applies to

Cloud service providers (CSPs) offering services to US federal agencies. FedRAMP authorization is required for any cloud product agencies acquire under FISMA.

Jurisdiction: Cloud service providers serving US federal agencies. Full name: Federal Risk and Authorization Management Program.

The FedRAMP compliance checklist

The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. Determine FedRAMP impact level (Low, Moderate, High) based on the highest-impact agency data - note the FedRAMP 20x initiative is moving toward updated authorization classes.
  2. Secure an agency sponsor (Agency Authorization is now the single pathway - the JAB Provisional ATO route was discontinued by FedRAMP in August 2024).
  3. Engage an accredited Third-Party Assessment Organization (3PAO).
  4. Build the FedRAMP package: System Security Plan (SSP), policies, procedures.
  5. Run the 3PAO assessment and address findings.
  6. Submit the Security Assessment Plan (SAP), Security Assessment Report (SAR), and POA&M.
  7. PMO and authorizing official review; address review comments.
  8. Receive the agency Authority to Operate (ATO).
  9. Maintain continuous monitoring (ConMon): monthly scans, annual assessments, ongoing POA&M.
  10. Re-authorize on the standard cadence or upon significant change.

FedRAMP as a process map

The FedRAMP authorization flow under the post-August-2024 single Agency Authorization model - from readiness through ATO and into ConMon. The 3PAO assessment is the gate; ConMon is the long tail that turns ATO maintenance into a continuous process.

FedRAMP authorization process

A FedRAMP authorization process rendered as a BPMN 2.0 process map. Determine the impact level, secure an agency sponsor, engage a 3PAO, submit the assessment package (Security Assessment Plan, Security Assessment Report, and POA&M), and reach the Authority to Operate (ATO). Reflects the post-August-2024 single Agency Authorization model after the JAB Provisional ATO path was discontinued.

  1. Determine the FedRAMP impact level: Low, Moderate, or High.
  2. Secure a sponsoring federal agency (Agency Authorization is the single pathway since the JAB / P-ATO route was discontinued in August 2024).
  3. Engage an accredited Third-Party Assessment Organization (3PAO).
  4. Develop and submit the Security Assessment Plan (SAP), Security Assessment Report (SAR), and POA&M.
  5. PMO and authorizing official review; remediate any findings.
  6. Receive the Authority to Operate (ATO) and run continuous monitoring against FedRAMP ConMon requirements.

Frequently asked questions

Is there still a JAB / Provisional ATO path?

No. GSA announced the dissolution of the Joint Authorization Board in May 2024 (replaced by the FedRAMP Board), and FedRAMP discontinued the JAB Provisional ATO authorization path in August 2024. There is now a single Agency Authorization pathway - a sponsoring federal agency reviews the assessment package and grants the ATO. CSPs that previously held a JAB P-ATO retain those authorizations until they expire or transition. The program is also moving toward FedRAMP 20x, which updates the authorization model further.

What is FedRAMP Ready vs Authorized?

FedRAMP Ready is a designation a CSP earns by completing a Readiness Assessment Report (RAR) with a 3PAO; it indicates the CSP is likely ready to pursue an authorization. Authorized means a sponsoring federal agency has granted the ATO and the CSP appears in the FedRAMP Marketplace.

How much does FedRAMP cost?

Costs are highly variable: 3PAO assessment fees, internal control implementation, ongoing ConMon. Typical first-time FedRAMP Moderate authorizations are quoted at $250K–$2M total, with annual ConMon adding $100K–$500K depending on system complexity. High baseline is significantly more.

Is StateRAMP related to FedRAMP?

StateRAMP is a separate non-profit programme modelled on FedRAMP for US state and local governments. A FedRAMP authorization usually satisfies StateRAMP requirements via reciprocity, but each state retains the right to add requirements.

Turn the FedRAMP checklist into a working process

Open the FedRAMP process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.