FedRAMP for Startups
What Is FedRAMP?
The Federal Risk and Authorization Management Program is a United States federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. (Wikipedia)
What this means in English :)
The FedRAMP process is a certification process that validates that your business and technology comply with the government-wide approach to cloud vendors delivering their products into Federal, State & Local agencies.
The FedRAMP process is NOT difficult; it is about navigating it and planning intelligently.
The majority of failures and issues, and even the reasons many companies do not approach the federal market at all, come down to the perception or the barriers that vendors have put in place, making it seem too difficult, too expensive and not worth it. The mystification of federal contracts is created by the vendors as a competitive play to maintain market dominance.
FedRAMP is not nuanced: the requirements are clear, and therefore it becomes a process-based exercise with clear milestones. The complexity, as discussed below, may be around hosting, your application architecture or your availability of time.
How Should a Startup Approach FedRAMP?
A couple of quick "knowledge moments":
As a company, there are two ways to be "certified" to sell and operate under FedRAMP:
Agency: This is the process where a specific agency sponsors you and your application to undergo FedRAMP. It is a much quicker, easier and cheaper route to FedRAMP certification. Two critical advantages of an agency ATO are that you do not need to meet ALL the requirements of FedRAMP, and that the agency can choose to waive / accept non-compliance in certain areas while you still achieve your FedRAMP certification.
JAB: This is you as a company going for FedRAMP without an ATO, so that you can be listed on the FedRAMP marketplace and sell to any agency across the USA without additional requirements. To complete JAB approval you need to meet all the criteria of certification (as there is no agency to waive or accept any risk).
There are three types of FedRAMP certification:
Low, Moderate & High: Think of these as tiers of requirements, based on the data, the types of data, and the processing and usage of that data. The lower the FedRAMP level, the fewer the requirements for certification.
FedRAMP Questions You Have
Do I have to use AWS Gov Cloud or similar?
No. Whether you need GovCloud specifically (vs. the East/West regions) depends on your FedRAMP requirements; Low and Moderate can use East/West. You can see the list of AWS services / products with a FedRAMP ATO that you can use without moving your instance to GovCloud here: aws.amazon.com/compliance/services-in-scope/
Do I have to fork my application / have two versions (one for commercial, one for gov)?
No. This is highly dependent on how you have built your application and on your requirements regarding cost and speed to achieve a FedRAMP ATO. If your application can turn off modules, or implement rules or other controls at runtime as part of deployment, then your commercial application can likely become compliant. If in that runtime you can deploy the Government instance into its own single tenant, and you can remove reliance on shared micro-services, then you are way ahead of the game.
What about the 3rd Party Services in my application?
Yes. Every service, system or anything else that touches the data needs an ATO. So, for example, you cannot use SendGrid, as it does not maintain an ATO; instead you can inherit the controls from services / vendors that already have an ATO. (Although if you have Agency authorization, you may be able to get a waiver.)
Does the application need to be fully built to start / achieve FedRAMP compliance?
No. In fact, the fewer lines of code and the less built, the better, as your SSP (System Security Plan) documentation will define how you intend to build and how you intend to perform functions, so you can build into compliance.
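The two answers above (one code base with modules switched off at runtime, and no third-party service inside the boundary without an ATO to inherit) can be enforced as a deployment-time gate. The following is an added illustration, not code from the original post: the integration catalog, the inventory of authorized services and the profile names are constructed placeholders, not real vendors or a real FedRAMP list.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Integration:
    name: str           # module or third-party service the app can call
    third_party: bool   # operated by an outside vendor
    touches_data: bool  # agency data flows through it

# Constructed inventory of outside services whose ATO the app inherits (placeholders).
AUTHORIZED_SERVICES = frozenset({"object-storage", "managed-database"})

@dataclass(frozen=True)
class DeploymentProfile:
    name: str
    single_tenant: bool
    enabled: frozenset = frozenset()

def outside_boundary(integ):
    """True when a vendor-run module sees agency data but has no ATO to inherit."""
    return integ.third_party and integ.touches_data and integ.name not in AUTHORIZED_SERVICES

def violations(profile, catalog):
    """Reasons a gov profile must not start; [] means it may boot.
    Commercial profiles are not gated, so they always return []."""
    if profile.name != "gov":
        return []
    problems = []
    if not profile.single_tenant:
        problems.append("gov instance must run single-tenant")
    by_name = {i.name: i for i in catalog}
    for name in sorted(profile.enabled):
        if name not in by_name:
            problems.append(f"{name}: not in the integration catalog")
        elif outside_boundary(by_name[name]):
            problems.append(f"{name}: handles data but has no ATO to inherit")
    return problems

def derive_gov_profile(commercial, catalog):
    """Same code base, different runtime: switch off every module the gov
    boundary cannot carry and force single tenancy, instead of forking."""
    by_name = {i.name: i for i in catalog}
    keep = frozenset(n for n in commercial.enabled
                     if n in by_name and not outside_boundary(by_name[n]))
    return replace(commercial, name="gov", single_tenant=True, enabled=keep)

# Constructed catalog for a hypothetical SaaS product (placeholder names).
CATALOG = [Integration("core-app", False, True),
           Integration("object-storage", True, True),
           Integration("transactional-email", True, True),  # no ATO to inherit
           Integration("usage-analytics", True, False)]     # sees no agency data
COMMERCIAL = DeploymentProfile("commercial", False, frozenset(i.name for i in CATALOG))
```

Relabelling the commercial profile as "gov" without changing anything fails the gate (multi-tenant, unauthorized email vendor in the data path), while the derived profile boots with the same code and the offending module switched off.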