The Federal Risk and Authorization Management Program (FedRAMP) is meant to assure the security of cloud services used by the U.S. government. It standardizes the security assessments, authorizations, and continuous monitoring of Cloud Service Offerings (CSOs) used by federal government agencies.

With the help of FedRAMP’s guidelines and standards, federal agencies can assess whether a CSO can handle and protect sensitive government data and then decide whether the CSO’s Cloud Service Provider (CSP) is trustworthy.

All CSPs and CSOs that achieve FedRAMP certification are added to the FedRAMP marketplace, the official online repository of all FedRAMP-authorized CSPs and CSOs. Federal agencies seeking a CSO authorized for government use can find them on this marketplace.

The marketplace is also a goldmine of information about FedRAMP-certified CSPs, FedRAMP templates, and the authorization process. This guide unpacks the critical features of the FedRAMP marketplace and shows how federal agencies can use it to choose the CSO they need for their mission-critical requirements.

What Is FedRAMP?

The National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and many other agencies collaborated to develop the FedRAMP and its policies, controls, and procedures.

All federal agencies that use (or want to use) CSOs must use the FedRAMP’s assessment and authorization process. In addition, all CSPs that want to sell their offerings to federal agencies must achieve FedRAMP authorization. In short, FedRAMP is mandatory for both parties.

[Click here to read more about AWS and FedRAMP].

FedRAMP provides a “do once, use many times” Security Assessment Framework (SAF). Federal agencies can use the SAF to standardize the Federal Information Security Management Act (FISMA) application to CSOs.

What Is the FedRAMP Marketplace?

The FedRAMP marketplace is similar to an e-commerce website where a potential buyer can search for the products the buyer needs. It is the U.S. government’s online repository of all FedRAMP-authorized CSOs and their security packages.

Instead of conducting duplicative security assessments and creating multiple process monitoring reports, agencies can reuse security packages to assess CSOs and CSPs to accelerate their adoption of secure cloud solutions.

The marketplace is a convenient, one-stop-shop of cloud products and services that any federal agency can use to find the CSOs it needs. These CSOs have already gone through and completed the FedRAMP authorization process. Agencies looking to buy secure CSOs can do so from the FedRAMP marketplace, knowing that every product listed there already meets the government’s stringent requirements to protect sensitive government data in cloud environments.

FedRAMP marketplace home page

The FedRAMP marketplace home page provides lots of helpful information to guide agencies looking for FedRAMP-authorized CSOs, including:

  • CSP name
  • CSP service model: IaaS, SaaS, PaaS
  • FedRAMP impact level: Low, Medium, High, or LI-SaaS
  • Status: FedRAMP authorized, FedRAMP ready, FedRAMP in process

Similar to e-commerce sites like Amazon, a user can filter the results on the FedRAMP marketplace using multiple criteria:

  • FedRAMP status: Authorized, Ready, and In process.
  • Authorization type: JAB, Agency
  • Service models: IaaS, SaaS, PaaS
  • Deployment models: Government Community Cloud, Hybrid Cloud, Public Cloud
  • Impact level: Low, Medium, High, LI-SaaS

A federal agency user can filter the results based on provider or agency name. With the latter, it’s easy to see which agency has implemented which CSO and from which CSP.

By the end of June 2022, more than 260 FedRAMP-authorized CSPs were listed on the FedRAMP marketplace. Dozens more were amid FedRAMP certification, and another 29 had expressed an interest in becoming a federal provider but still needed to go through the authorization process.

FedRAMP marketplace resources page

The FedRAMP marketplace also provides several valuable resources, including documents, templates, training materials, and information about FedRAMP security baselines. Templates are essential to the FedRAMP program and its security assessment framework.

The FedRAMP marketplace provides templates for:

  • Plan of Action and Milestones (POAM)
  • Readiness Assessment Reports (RAR)
  • FedRAMP System Security Plan (SSP) Baseline Templates
  • FedRAMP Control Implementation Summary (CIS) Workbooks

The marketplace also provides numerous checklists, toolkits, and playbooks to guide agencies and CSPs along the security assessment and authorization process.

Listing designations on the FedRAMP Marketplace

All CSPs fall under one of three listing designations on the FedRAMP marketplace:

FedRAMP Ready

This status indicates that an independent Third Party Assessment Organization (3PAO) has attested to the CSP’s readiness for the authorization process. The FedRAMP Program Management Office (PMO) also approves the Readiness Assessment Report (RAR), indicating the CSP’s ability to satisfy FedRAMP security requirements.

FedRAMP Ready does not mean that the CSP has achieved FedRAMP authorization. It only means the CSP has expressed an interest in becoming a federal provider and has shared information indicating that the vendor can meet baseline FedRAMP criteria.

In Process

This designation is given to CSPs working towards FedRAMP authorization either with the Joint Authorization Board (JAB) or a federal agency.


This designation means that the CSP has completed the FedRAMP authorization process, and its security package is available for agency review and reuse.

How Do I Find FedRAMP-authorized Cloud Service Providers in the FedRAMP Marketplace?

To find FedRAMP-authorized cloud computing services and CSP in the FedRAMP marketplace, information systems and federal agencies should follow these steps:

  1. Go to the FedRAMP Marketplace website at 
  2. Use the search and filters to narrow options:
    1. Filter by moderate impact level
    2. Filter by deployment models like software-as-a-service
    3. Filter by cybersecurity posture and FedRAMP High standards
    4. Filter by Department of Homeland Security binds and FIPS alignment
    5. Search by cloud provider name
  3. Click providers to view details on their FedRAMP authorizations and cloud offerings aligned to federal government security requirements from DHS and OMB.
  4. Download authorization packages to review before granting an agency ATO allowing usage.

What Is the FedRAMP Certification Process to Get Listed On the FedRAMP Marketplace?

CSPs must complete the FedRAMP authorization and certification process to be listed on the FedRAMP marketplace. To achieve the authorization, the CSP can pursue one of two paths:

  • A Provisional Authorization to Operate (P-ATO) through the FedRAMP Joint Authorization Board (JAB).


  • An Authorization to Operate (ATO) through a federal agency.

What Is FedRAMP ATO?

In the ATO path, agencies work directly with the CSP throughout the FedRAMP authorization process. The ATO is a formal declaration by an agency authorizing the use of a CSO.

When applying for the ATO, the CSP will provide a security authorization package to the agency, which will perform a risk review of the package following FedRAMP requirements.

Agencies can use a FedRAMP-accredited 3PAO or a non-accredited Independent Assessor (IA) to perform the CSO’s independent assessment before granting the ATO. FedRAMP recommends that agencies use a 3PAO from the FedRAMP 3PAO accreditation program.

The FedRAMP marketplace lists all FedRAMP-accredited 3PAOs, and each one includes:

  • Number of assessments completed
  • Types of CSOs assessed
  • Names of CSPs assessed
  • Federal agencies collaborated during the authorization process

After authorizing a package, the agency informs the FedRAMP PMO via email. The CSP then submits the package for PMO review. After confirming that the package meets FedRAMP requirements, the PMO will publish it on the FedRAMP marketplace. Other agencies can reuse the same package to grant their ATO to the CSP.

What is FedRAMP P-ATO?

A CSP can also get a P-ATO by providing its security authorization package to the JAB. The JAB does a risk review of all the documents in the CSP’s authorization package. After this review, an accredited 3PAO (mandatory to get P-ATO) will independently test, verify, and validate the package before the JAB grants the P-ATO.

After granting the P-ATO, the JAB will inform agencies whether a CSO has a recommended acceptable risk posture for agency use at the designated impact level. Agencies can then decide if they want to grant ATOs to that CSP and CSO.

The JAB also performs continuous monitoring to ensure the CSO maintains an acceptable risk posture per FedRAMP and government requirements. The “provisional” in P-ATO only indicates that the JAB has completed the risk review, not that it accepts the risk on behalf of a federal agency.

How do agencies use FedRAMP?

The standards and baselines established under FedRAMP allow federal agencies to standardize the authorization and certification process for CSOs and confirm that a CSO has implemented the FedRAMP baseline security controls.

All agencies must enforce the FedRAMP requirements through their contracts with CSPs. When granting security authorization to a CSP, agencies use existing authorizations as a starting point.

After granting the authorization, they submit that security authorization package to the FedRAMP PMO. They also prepare and file an ATO letter with the PMO.

All security packages that have completed PMO review are available on the FedRAMP marketplace for other agencies to reuse. Agencies must sponsor the CSP under the entire authorization process to use a CSO that still needs to be FedRAMP authorized.

The CSP will work with the agency for the security assessment and authorization process. When this process is complete, and the PMO approves the authorization package, the agency can deploy the CSO for their use.

FAQs for FedRAMP Compliance

Is Workday FedRAMP certified?

Yes, Workday holds a FedRAMP Moderate Authority to Operate (ATO) for Workday Finance, Workday Human Capital Management, Workday Procurement, and Workday Expenses cloud services. Workday achieved the FedRAMP certification in April 2021.

Is Google FedRAMP certified?

Yes, Google has achieved FedRAMP certification and authorization for several Google Cloud services, including Google Kubernetes Engine, BigQuery, Cloud Security Command Center, and more. You can find the list of Google’s FedRAMP-compliant services on the GSA marketplace.

Is Microsoft Office 365 FedRAMP certified?

Microsoft Office 365 is FedRAMP compliant through an agency Authority to Operate (ATO). Microsoft Office 365 received its FedRAMP ATO certification from the U.S. Department of Health and Human Services (HHS).

Simplify and Manage FedRAMP Compliance with RiskOptics ROAR

Whether you are preparing for a FedRAMP audit or aiming to maintain FedRAMP compliance, manual processes, and spreadsheets are not the best way to achieve your goals. What you need is automation coupled with pre-built content and continual compliance monitoring. You need ROAR.

ROAR is an all-in-one compliance, audit, governance, and risk management platform. See how ROAR can help you drive greater compliance efficiencies with minimal effort. Schedule a demo to get started.