US federal government. GSA-administered authorisation program based on NIST 800-53.

FedRAMP

FedRAMP (Federal Risk and Authorization Management Program)

Applies to

Cloud service providers selling into US federal agencies. Three levels: Low, Moderate, High; most federal SaaS sits at Moderate.

Creates urgency when

A federal agency commits to procurement contingent on FedRAMP authorisation, or when transitioning from agency ATO to FedRAMP marketplace listing.

Evidence burden

12-18 month authorisation timeline, $500K-$2M direct cost, continuous monitoring after authorisation. The most expensive compliance program in the cybersecurity market.

Buying-committee effect

Brings in the federal sales team, a dedicated 3PAO, government affairs, and engineering for control implementation. Often requires a separate federal product instance.

GTM angle

Sold as market access, not compliance. The buyer is paying to be allowed to sell to the federal government at all. The cost is acceptable only when federal TAM justifies the multi-year program.