FedRAMP — Federal Risk and Authorization Management Program

Provides a standardized, government-wide security authorization framework for cloud products and services used by US federal agencies.

Rules extracted: 14
Obligations decomposed: 172
Avg obligations per rule: 12.3x
Jurisdiction: 🇺🇸 United States

About this regulation

FedRAMP was codified into law by the FedRAMP Authorization Act, enacted as part of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 and signed on December 23, 2022. The program provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. FedRAMP uses the NIST SP 800-53 control catalog and defines three impact levels (Low, Moderate, High), each with a corresponding baseline of required controls; a cloud service provider (CSP) selects the baseline that matches the impact level of the federal data its service will process. Under the program as described here, a CSP obtains either a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) or an Agency Authority to Operate (ATO), in both cases on the basis of an independent assessment by an accredited Third-Party Assessment Organization (3PAO). Practitioners should note that the JAB has since been replaced by the FedRAMP Board under OMB Memorandum M-24-15 (July 2024), so new authorizations no longer go through the JAB P-ATO path.

What AuditDSS covers

Source: 1 regulation
Extracted: 14 rules
Decomposed: 172 obligations
Decomposition ratio: 12.3x

Each rule is decomposed into an average of 12.3 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 172 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in FedRAMP is scored across independent risk dimensions:

W (Obligation Weight): how critical the obligation is within the regulatory framework
L (Violation Likelihood): how often the obligation is breached in practice
E (Enforcement Evidence): the regulator's enforcement history and penalties for this obligation
C (Cascade Dependency): how many other obligations depend on this one

Regulatory details

Full title
FedRAMP — Federal Risk and Authorization Management Program
Regulatory body
General Services Administration
Jurisdiction
🇺🇸 United States
Document type
statute
Effective date
December 23, 2022
Issuing authority
United States General Services Administration (GSA)

Who this applies to

  • cloud service providers
  • federal agencies
  • third-party assessment organizations
  • supply chain partners

Key requirements

  • FedRAMP authorization (JAB P-ATO or Agency ATO)
  • NIST 800-53 security controls
  • continuous monitoring
  • 3PAO independent assessment
  • incident response
  • POA&M management
  • supply chain risk management

Frequently asked questions about FedRAMP

What is FedRAMP?

FedRAMP (the Federal Risk and Authorization Management Program) is the US government-wide program for security assessment, authorization, and continuous monitoring of cloud services used by federal agencies. It was codified by the FedRAMP Authorization Act in the National Defense Authorization Act for Fiscal Year 2023, is built on NIST SP 800-53 controls at Low, Moderate, and High baselines, and requires cloud service providers to be assessed by an accredited Third-Party Assessment Organization (3PAO) before receiving an authorization to operate.

Who does FedRAMP apply to?

FedRAMP applies to cloud service providers, federal agencies, third-party assessment organizations, and supply chain partners.

How many obligations does FedRAMP contain?

AuditDSS has decomposed FedRAMP into 172 atomic obligations from 14 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of FedRAMP?

The key requirements include: FedRAMP authorization (JAB P-ATO or Agency ATO), NIST 800-53 security controls, continuous monitoring, 3PAO independent assessment, incident response, POA&M management, supply chain risk management.

How can I assess my FedRAMP compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 172 FedRAMP obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces FedRAMP?

FedRAMP is enforced in the United States by the General Services Administration (GSA), which administers the program.

When did FedRAMP come into effect?

FedRAMP became effective on December 23, 2022.

What industry does FedRAMP apply to?

FedRAMP applies government-wide to any federal agency consuming cloud services and to the providers that serve them; it is not limited to one industry. AuditDSS classifies it under the Defense & National Security sector, which covers 69 regulations.

Build a FedRAMP compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for FedRAMP — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering FedRAMP requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine FedRAMP with other regulations into a single unified compliance pack for your business.

Already have a policy? Assess it against FedRAMP

1. Upload your document. Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2. AI maps against 172 obligations. Your document is scored against every obligation in FedRAMP. Each claim is mapped to the obligation tree and evaluated for coverage.

3. Risk-scored gap report. Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Assess your FedRAMP compliance

Upload your document and get a risk-scored gap analysis against 172 FedRAMP obligations in under 5 minutes.