FedRAMP
FedRAMP (Federal Risk and Authorization Management Program)
Cloud service providers selling into US federal agencies. Three levels: Low, Moderate, High; most federal SaaS sits at Moderate.
A federal agency commits to procurement contingent on FedRAMP authorisation, or when transitioning from agency ATO to FedRAMP marketplace listing.
12-18 month authorisation timeline, $500K-$2M direct cost, continuous monitoring after authorisation. The most expensive compliance program in the cybersecurity market.
Brings in the federal sales team, a dedicated 3PAO, government affairs, and engineering for control implementation. Often requires a separate federal product instance.
Sold as market access, not compliance. The buyer is paying to be allowed to sell to the federal government at all. The cost is acceptable only when federal TAM justifies the multi-year program.