Insight / Government / Procurement / May 2026

FedRAMP Basics for Procurement Teams

This is a working procurement-side guide. It is the explainer we hand to contracting officers, program managers, and procurement teams who need to evaluate FedRAMP claims in solicitation responses but who don't run FedRAMP packages for a living. It is not an authoritative legal interpretation. The authoritative source is the FedRAMP Program Management Office (fedramp.gov) and the underlying NIST SP 800-53 control set.

The goal of this piece is narrow: by the time you finish reading it, you should be able to read a vendor's FedRAMP claim, look it up in the Marketplace, tell whether it actually covers the workload you intend to put on it, write language into your next solicitation that prevents the most common bait-and-switch, and know when to bring in security or legal rather than rely on the vendor's word.

What FedRAMP actually authorizes (and what it doesn't)

FedRAMP, the Federal Risk and Authorization Management Program, is the government-wide program for authorizing cloud service offerings to handle federal data. It is grounded in the NIST SP 800-53 control catalog and run by the FedRAMP PMO inside GSA. Historically the Joint Authorization Board (JAB), made up of the DoD, GSA, and DHS CIOs, issued Provisional ATOs; under OMB Memorandum M-24-15 (July 2024) the JAB was replaced by the FedRAMP Board, and new authorizations are sponsored by agencies. Existing JAB P-ATOs remain valid and reusable, so you will still see them in the Marketplace. The program produces authorizations against a defined baseline of controls, validated by an independent Third Party Assessment Organization (3PAO), and accepted by an authorizing official: either a legacy JAB P-ATO or an Agency ATO.

What a FedRAMP authorization tells you:

  1. A named Cloud Service Offering, with a documented authorization boundary, was assessed by a 3PAO against the control baseline for a stated impact level (Low, Moderate, or High).
  2. An authorizing official (the JAB or a sponsoring agency) reviewed the package and accepted the residual risk recorded in the SAR and POA&M.
  3. The vendor is obligated to keep the authorization current through continuous monitoring.

What a FedRAMP authorization does not tell you:

  1. That every product the vendor sells is authorized. Only the offerings named in the Marketplace listing are, and only inside the documented boundary.
  2. That the impact level matches your data. A Low or Moderate authorization says nothing about a High workload.
  3. That any DoD Impact Level, StateRAMP, or other framework requirement is satisfied; those are granted separately.
  4. That the system has no known weaknesses. The POA&M lists open items; authorization means the authorizing official accepted them, not that they do not exist.

The impact levels

FedRAMP has three impact levels, aligned to the FIPS 199 categorization of the data and system. There is also a Low Impact SaaS pathway (LI-SaaS, formerly "FedRAMP Tailored") with a reduced control set for low-risk SaaS use cases.

  1. FedRAMP Low. Loss of confidentiality, integrity, or availability would have a limited adverse effect. Roughly 155 controls under the current NIST SP 800-53 Rev 5 baseline. Appropriate for public-facing systems where the data is not sensitive and downtime would be inconvenient rather than damaging.
  2. FedRAMP Moderate. Loss would have a serious adverse effect. Roughly 325 controls. The most common authorization level in the federal market and the standard for most workloads involving Controlled Unclassified Information (CUI). Most enterprise SaaS that federal agencies adopt is authorized at Moderate.
  3. FedRAMP High. Loss would have a severe or catastrophic adverse effect. Roughly 410 controls. Required for the most sensitive unclassified workloads, including law enforcement, emergency services, financial systems, and health systems, where loss could result in loss of life or significant damage to national security.

And, importantly, what is not FedRAMP:

  1. FedRAMP-Ready and FedRAMP In Process. Both are Marketplace statuses short of authorization.
  2. "FedRAMP-equivalent." A vendor term, not a FedRAMP status, and one that has to be backed by specific evidence.
  3. DoD Impact Levels (IL2, IL4, IL5, IL6). These come from the DoD Cloud Computing Security Requirements Guide and are granted by DoD, not by FedRAMP.
  4. StateRAMP, TX-RAMP, AZ-RAMP, and other state programs. Related frameworks with their own authorizations and their own reciprocity rules.

How to read a FedRAMP package

A complete FedRAMP authorization package is hundreds to thousands of pages. You do not need to read it cover to cover, and you would not get value from doing so. What you need is the ability to confirm the package exists, covers what the vendor claims, and is current.

The five artifacts to ask for and check:

  1. System Security Plan (SSP). The vendor's description of the cloud service offering, the boundary, the inherited controls (from the underlying IaaS provider, if applicable), and the implementation of each NIST 800-53 control at the chosen impact level. The SSP is the closest thing to a single-source-of-truth document for the authorization.
  2. Security Assessment Report (SAR). The 3PAO's findings. Identifies which controls are fully satisfied, partially satisfied, or not satisfied. The SAR is where you learn whether the package has known gaps.
  3. Plan of Action and Milestones (POA&M). The vendor's documented plan to remediate the control deficiencies identified in the SAR and the vulnerabilities found in ongoing scans. A clean POA&M is rare; what matters is whether the items are tracked, owned, and aging within acceptable thresholds. FedRAMP's own continuous monitoring thresholds are 30 days for High-severity findings, 90 days for Moderate, and 180 days for Low; items past those dates are the first thing to ask about.
  4. Authorization letter (ATO or P-ATO). The actual letter from the JAB or the sponsoring agency authorizing the system. Names the cloud service offering, the impact level, the effective date, and the authorizing official. This is the document that proves the authorization exists.
  5. Continuous Monitoring evidence. The vendor's monthly deliverables (vulnerability scan results, an updated POA&M, and a current system inventory) to the authorizing body: the sponsoring agency for an Agency ATO, the FedRAMP PMO for a JAB P-ATO. If a vendor cannot produce recent continuous monitoring evidence, the authorization may be lapsing or has already lapsed.

What you usually do not get directly: the full SSP and SAR are typically not shareable in their entirety, because they describe the system's security architecture and known weaknesses in detail. The vendor should be able to provide the authorization letter, an executive summary of the SAR, the current POA&M status, and a continuous monitoring summary. Full package access for agency reviewers goes through the FedRAMP PMO's package request process under an access agreement; the PMO has changed the hosting platform over time, so follow the current instructions on fedramp.gov rather than an old link.

Common procurement traps

The patterns below appear with surprising frequency in solicitation responses. Each one is a place where loose language in the response (or in the solicitation) lets a vendor claim more than they hold.

1. FedRAMP-Ready presented as authorization

FedRAMP-Ready means a 3PAO has completed a Readiness Assessment Report and the PMO has accepted it as evidence that the vendor is ready to pursue authorization. It does not mean authorized. Vendors' marketing materials often blur this. Procurement language should require "FedRAMP Authorized" (JAB P-ATO or Agency ATO) by name, with the Marketplace listing and authorization date, not "FedRAMP-Ready" or "In Process."

2. Authorization at the wrong impact level

A vendor authorized at FedRAMP Low does not satisfy a workload requiring FedRAMP Moderate, and Moderate does not satisfy High. The Marketplace lists the impact level explicitly. Verify that the listed level meets or exceeds the FIPS 199 categorization of the data you intend to put on the system, and require that match in the response.

3. Authorization scope drift

FedRAMP authorizations cover specific cloud service offerings by name. A vendor's "platform" may include several distinct offerings, only some of which are authorized. If the response says "Our platform is FedRAMP Authorized," the right follow-up is "Which specific Cloud Service Offering(s), as listed in the FedRAMP Marketplace, are authorized, and is the module being procured in this contract one of them?"

4. "FedRAMP-equivalent" claims

The phrase FedRAMP-equivalent has historically been used loosely by vendors to mean anything from "we follow similar practices" to "we have a third-party-assessed Body of Evidence against the FedRAMP Moderate baseline." DoD tightened the term in its December 2023 memorandum on FedRAMP Moderate equivalency, issued for DFARS 252.204-7012 purposes: for covered defense information, equivalency requires a 3PAO-assessed Body of Evidence demonstrating compliance with the full FedRAMP Moderate baseline, not a self-attestation. Outside that context the term has no official meaning. Do not accept casual use of it at face value; require the underlying evidence and route it to security for review.

5. Confusing DoD Impact Levels with FedRAMP

"FedRAMP IL5" is not a thing. DoD Impact Levels (IL2, IL4, IL5, IL6) are defined in the DoD Cloud Computing Security Requirements Guide and granted through DoD's own process; FedRAMP impact levels (Low, Moderate, High) are a different scale. A response that mixes the two should be flagged. The right structure is "FedRAMP High plus DoD Impact Level 5" if both apply, with the IL5 status sourced from DISA's authorization list, not the FedRAMP Marketplace.

6. Reciprocity assumptions for state and local

A FedRAMP Moderate authorization typically supports StateRAMP reciprocity, but StateRAMP Authorized status is granted separately by the StateRAMP PMO (the program rebranded as GovRAMP in 2025, so you will see both names). Some states (Texas, Arizona, others) run their own state-specific programs (TX-RAMP, AZ-RAMP) whose reciprocity rules vary. Verify the specific state's reciprocity policy rather than assume FedRAMP carries automatically.

Writing FedRAMP into a solicitation

The pattern below is the structure we use when helping agencies write FedRAMP language that is specific enough to prevent the traps above without being so prescriptive that it cuts out otherwise viable vendors.

  1. State the minimum impact level required, with reasoning. "The Cloud Service Offering provided under this contract shall hold a current FedRAMP Moderate (or higher) authorization." The reasoning ties to the FIPS 199 categorization of the data, which should be documented separately.
  2. Require the Marketplace listing. "The Offeror shall identify, by name, the specific Cloud Service Offering(s) listed in the FedRAMP Marketplace (marketplace.fedramp.gov) that are authorized at the required level, along with authorization type (JAB P-ATO or Agency ATO), authorizing official, and current authorization date."
  3. Distinguish authorization from readiness. "FedRAMP-Ready or In Process status shall not satisfy this requirement."
  4. Require the offering being procured to be in scope. "The Offeror shall confirm that the functionality being procured under this contract is delivered through a Cloud Service Offering that is within the FedRAMP authorization boundary, and shall identify any in-scope functionality that is provided outside the authorized boundary."
  5. Require continuous monitoring evidence. "The Offeror shall maintain the FedRAMP authorization for the duration of the contract, including monthly continuous monitoring deliverables to the authorizing body (the sponsoring agency or the FedRAMP PMO, as applicable), and shall notify the Contracting Officer within 5 business days of any change in authorization status, impact level, or authorization boundary affecting the procured functionality."
  6. Address DoD impact levels explicitly, if applicable. If the workload requires IL4 or IL5, state that separately and reference DISA's authorization list, not FedRAMP, as the source of truth.

How to verify a vendor's claim in five minutes

Go to marketplace.fedramp.gov/products. Search by vendor name. The Marketplace lists current status (In Process, Ready, Authorized), impact level (Low, Moderate, High), authorization type (JAB or Agency), the authorizing body, and the authorization date. If the vendor's claim does not appear in the Marketplace, or appears at a different impact level than the claim, the contracting officer should require documentation before relying on the claim.

For DoD impact levels, the DISA Cloud Service Catalog and the relevant DoD CIO authorization list are the corresponding source of truth. For StateRAMP, the StateRAMP Authorized Product List. State-specific frameworks (TX-RAMP, AZ-RAMP) maintain their own lists.
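The five-minute check above, together with the traps list before it, reduces to a handful of ordered rules. The Python below is an added example for this guide, not FedRAMP PMO tooling and not an interface to the Marketplace: it runs against constructed sample listings ("Example Cloud Co" and its offerings are invented for illustration) shaped like a Marketplace export, and the trap numbers in its findings refer to the "Common procurement traps" section. A practitioner would load a real export from marketplace.fedramp.gov in place of SAMPLE_RECORDS.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Ordering of FedRAMP impact levels. A listing ranked below the required
# level does not satisfy the requirement (trap 2).
IMPACT_RANK = {"Low": 1, "Moderate": 2, "High": 3}

# "FedRAMP IL5" is a category error: DoD Impact Levels come from the
# DoD CC SRG and DISA's list, not from FedRAMP (trap 5).
DOD_IL_RE = re.compile(r"\bIL\s?[2456]\b", re.IGNORECASE)


@dataclass(frozen=True)
class MarketplaceRecord:
    """One row as it would appear in an export of the FedRAMP Marketplace."""
    provider: str
    offering: str          # Cloud Service Offering name exactly as listed
    status: str            # "In Process", "Ready" or "Authorized"
    impact_level: str      # "Low", "Moderate" or "High"
    auth_type: str         # "JAB" or "Agency"
    authorized_on: Optional[date]


@dataclass(frozen=True)
class VendorClaim:
    """What the solicitation response asserts, plus what the contract buys."""
    provider: str
    claim_text: str         # the sentence as written in the response
    offering_procured: str  # the module this contract actually buys
    required_level: str     # from the FIPS 199 categorization of the data


def check_claim(claim: VendorClaim, records: List[MarketplaceRecord]) -> List[str]:
    """Return findings in the order a contracting officer would raise them.
    An empty list means the Marketplace listing supports the claim for the
    offering and impact level being procured."""
    findings: List[str] = []

    # Wording checks run first; they apply even when the listing is fine.
    if DOD_IL_RE.search(claim.claim_text):
        findings.append("trap 5: response cites a DoD Impact Level as if it were "
                        "a FedRAMP level; source IL status from DISA, not FedRAMP")
    if "equivalent" in claim.claim_text.casefold():
        findings.append("trap 4: 'FedRAMP-equivalent' claimed; require the "
                        "3PAO-assessed Body of Evidence against the Moderate baseline")

    mine = [r for r in records if r.provider.casefold() == claim.provider.casefold()]
    if not mine:
        findings.append("not verifiable: provider has no Marketplace listing; "
                        "require documentation before relying on the claim")
        return findings

    # Scope (trap 3) is checked before status, because a vendor's authorized
    # offering is often not the module being bought.
    match = next((r for r in mine
                  if r.offering.casefold() == claim.offering_procured.casefold()), None)
    if match is None:
        authorized = sorted(r.offering for r in mine if r.status == "Authorized")
        findings.append(f"trap 3: '{claim.offering_procured}' is not a listed "
                        f"offering; this provider's authorized offerings are {authorized}")
        return findings

    if match.status != "Authorized":
        findings.append(f"trap 1: '{match.offering}' is '{match.status}', not "
                        "Authorized; Ready and In Process do not satisfy the requirement")
        return findings

    required = IMPACT_RANK.get(claim.required_level)
    held = IMPACT_RANK.get(match.impact_level)
    if required is None or held is None:
        findings.append("unrecognised impact level in claim or listing; escalate to security")
    elif held < required:
        findings.append(f"trap 2: '{match.offering}' is authorized at {match.impact_level} "
                        f"({match.auth_type}, {match.authorized_on}), but the workload "
                        f"requires {claim.required_level}")
    return findings


# Constructed sample listings for this example; not real Marketplace entries.
SAMPLE_RECORDS = [
    MarketplaceRecord("Example Cloud Co", "ExampleCloud Platform", "Authorized",
                      "Moderate", "Agency", date(2024, 3, 12)),
    MarketplaceRecord("Example Cloud Co", "ExampleCloud Analytics", "In Process",
                      "Moderate", "Agency", None),
]

if __name__ == "__main__":
    # A response that blurs status and mixes in a DoD Impact Level.
    claim = VendorClaim("Example Cloud Co",
                        "Our platform is FedRAMP Authorized and FedRAMP IL5 ready.",
                        "ExampleCloud Analytics", "Moderate")
    for finding in check_claim(claim, SAMPLE_RECORDS):
        print(finding)
```

The rule order matters more than the rules themselves. Wording problems (traps 4 and 5) are reported regardless of what the Marketplace says, because they indicate a response that needs a follow-up question either way. After that, scope is checked before status and status before impact level: an offering that is not listed at all makes its status moot, and an offering that is not Authorized makes its impact level moot, so each earlier failure stops the check and produces the one question to send back to the vendor.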

When to bring in security or legal

The thresholds where the answer stops being "read the Marketplace" and starts being "engage information security or general counsel":

  1. The vendor does not appear in the Marketplace, or appears at a different status or impact level than the response claims.
  2. The response relies on "FedRAMP-equivalent," "FedRAMP-Ready," or "In Process" for a workload that needs an authorization.
  3. The functionality being procured is delivered partly or wholly outside the authorized boundary.
  4. The response mixes DoD Impact Levels with FedRAMP levels, or the workload needs IL4 or higher.
  5. The FIPS 199 categorization of the data has not been documented, so the required impact level is itself uncertain.
  6. The POA&M shows high-severity items past their remediation thresholds, or the vendor cannot produce recent continuous monitoring evidence.
  7. The buyer is a state or local agency relying on FedRAMP reciprocity that the state program has not confirmed.
None of these are reasons to disqualify a vendor on their own. They are reasons to slow down, ask the additional questions, and document the answers in the file before award.

What this guide is not

This is an orientation. It is not a substitute for the FedRAMP PMO's authoritative guidance, your agency's security policies, or the judgment of the Authorizing Official accepting risk on behalf of your organization. It is the procurement-side mental model that helps you read a response, ask the right follow-up question, and know when the answer is good enough versus when to escalate.

If you'd like the worked solicitation language above as a printable reference, request our capability statement and we'll include a one-page solicitation-language template plus the FedRAMP impact-level mapping sheet. Use the contact form and we'll respond within one business day. Related reading: Government Digital Transformation Checklist, our Government IT practice, and our capability statement.

Frequently asked questions

Is FedRAMP-Ready good enough to buy?

FedRAMP-Ready means an independent assessor has reviewed the vendor's readiness to pursue authorization. It is not authorization. A FedRAMP-Ready system has not completed the JAB or Agency authorization process and does not carry an Authority to Operate. Whether Ready is acceptable depends on your agency's policy and the workload's sensitivity. For most federal workloads with controlled unclassified information or higher, Ready is not sufficient on its own.

Does FedRAMP apply to state and local government?

Not directly. FedRAMP is a federal program. State and local agencies often reference FedRAMP authorization as a procurement preference because it signals a mature security posture, but the formal program is StateRAMP (or state-specific frameworks like TX-RAMP, AZ-RAMP). A vendor that holds FedRAMP Moderate authorization is typically eligible for StateRAMP reciprocity, but you should verify rather than assume.

What is the difference between a JAB P-ATO and an Agency ATO?

A JAB Provisional Authority to Operate (P-ATO) was issued by the FedRAMP Joint Authorization Board (DoD CIO, GSA CIO, DHS CIO) after a joint review and is recognized across the federal government as a high-trust baseline. The JAB was replaced by the FedRAMP Board under OMB M-24-15 in 2024 and no longer issues new P-ATOs, but existing P-ATOs remain valid and continue to appear in the Marketplace. An Agency ATO is issued by a single sponsoring agency after that agency reviews the FedRAMP package and accepts the residual risk. Both are valid FedRAMP authorizations. Other agencies can reuse either by issuing their own ATO that leverages the existing package rather than repeating the assessment.

How do I verify a vendor's FedRAMP claim?

Search the FedRAMP Marketplace at marketplace.fedramp.gov by vendor name. The Marketplace lists current status (In Process, Ready, Authorized), impact level, authorization type (JAB or Agency), authorization date, and the cloud service offering name. If a vendor claims authorization that does not appear in the Marketplace, the claim is not verifiable and the contracting officer should require documentation before relying on it.

What does "FedRAMP-equivalent" actually mean?

FedRAMP-equivalent is not a FedRAMP status. For DoD contractors handling covered defense information under DFARS 252.204-7012, DoD's December 2023 equivalency memorandum requires a 3PAO assessment against the full FedRAMP Moderate baseline and a Body of Evidence package (SSP, SAR, POA&M, and supporting artifacts) comparable to a FedRAMP submission. Outside that context the term has no defined meaning. The casual use of the term by vendors to mean "we follow similar practices" is not sufficient and should not be accepted at face value in a solicitation response.

Does FedRAMP cover IL4, IL5, IL6?

Not directly. Impact Levels (IL2, IL4, IL5, IL6) are defined in the DoD Cloud Computing Security Requirements Guide (CC SRG), not by FedRAMP. IL2 is generally satisfied by a FedRAMP Moderate authorization. IL4 and IL5 build on the FedRAMP Moderate baseline and add DoD-specific controls and requirements, including connectivity through DoD's cloud access points, restrictions on personnel and facilities, and, for IL5, separation from non-federal tenants; they are granted through DoD's own process, regardless of whether the provider also holds FedRAMP High. IL6 covers classified information up to SECRET and is outside the FedRAMP boundary entirely. A vendor authorized at FedRAMP High is not automatically IL5-authorized, and the two should not be conflated in solicitation language.
