Cloud Service Providers
FedRAMP is a security framework for businesses to set security goals for themselves, continuously validate the effectiveness of the capabilities used to meet those goals, measure their performance against those goals, and ensure security and engineering teams have the resources necessary to meet those goals. It should not be treated like a traditional compliance framework.
To be listed in the FedRAMP Marketplace and qualify for FedRAMP Certification, cloud services must have one of the following government-wide use cases:
- Direct Government-Wide Use: The service will be used directly by multiple federal agency customers for integration into federal information systems that fall within the scope of 44 USC § 3506.
- Indirect Government-Wide Use: The service will be used as a third-party information resource in other cloud services that have direct government-wide use.
FedRAMP does not support or provide 'equivalency.'
The Department of War established the Cybersecurity Maturity Model Certification (CMMC) to enhance cybersecurity protections for sensitive unclassified information within the Defense Industrial Base (DIB). CMMC requirements apply to private companies that do business with the Department of War and establish requirements that are only relevant to the Department of War.
All questions about "FedRAMP Equivalency" or the application of FedRAMP Certification requirements for CMMC should be directed to the Department of War. FedRAMP is only able to support Certification for cloud services with direct or indirect government-wide use.
- First time? Learn where to start, how to find an advisor, choose a certification profile, and start your journey.
- Previously "authorized?" Things are changing and you'll need to do things differently from here on out.
- FedRAMP 20x Rules! Dig into the approach and expectations for FedRAMP 20x, a new cloud-native approach that encourages cloud services to demonstrate the outcomes of their security decisions using automation.
- FedRAMP Rev5: Learn more about the newly balanced and modernized FedRAMP Rev5 approach for cloud services that run their own infrastructure or will be used for the most mission-critical government services where the risk of catastrophic harm must be mitigated.