About FedRAMP Marketplace
The FedRAMP Marketplace provides a searchable and sortable database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation, a list of federal agencies using FedRAMP Authorized CSOs, and FedRAMP recognized auditors (3PAOs) that can perform a FedRAMP assessment. The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO).
Agencies and Cloud Service Providers (CSPs) are encouraged to use the Marketplace as a resource to:
- Research cloud services that have achieved a FedRAMP Marketplace designation
- Research agencies partnering with CSPs for a FedRAMP Authorization, or identify agencies that are using FedRAMP Authorized CSOs
- Review FedRAMP’s community of recognized 3PAOs
Private Cloud Deployments
The FedRAMP Marketplace is intended to enable the reuse of security package documentation; therefore, private cloud deployments are not listed on the Marketplace.
Marketplace Designations
The FedRAMP PMO defines three official designations for CSOs:
FedRAMP Ready
A designation provided to CSPs that indicates that a FedRAMP-recognized Third Party Assessment Organization (3PAO) attests to a CSO’s security capabilities, and that a Readiness Assessment Report (RAR) has been reviewed and deemed acceptable by the FedRAMP PMO.
FedRAMP In Process
A designation provided to CSPs that are actively working toward a FedRAMP Authorization.
FedRAMP Authorized
A designation provided to CSPs that have successfully completed and maintain a FedRAMP Authorization.
FedRAMP Ready
FedRAMP Ready indicates that a 3PAO attests to a CSO’s security capabilities, and that a Readiness Assessment Report (RAR) has been reviewed and deemed acceptable by the FedRAMP PMO. The RAR documents the service offering’s system information, compliance with federal mandates, and ability to meet FedRAMP security requirements.
Highlights of FedRAMP Ready:
- Only available for CSOs at the Moderate and High impact levels*
- Valid for one calendar year from the date of designation by the FedRAMP PMO
- CSPs do not need an agency partner to submit a RAR to achieve a FedRAMP Ready designation
* Impact levels for federal information systems, including CSOs, are defined in NIST FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems.
Achieving FedRAMP Ready
FedRAMP Ready is required for CSPs pursuing a Provisional Authority to Operate (P-ATO) from the JAB, and is highly recommended for CSPs pursuing a FedRAMP Agency Authorization. Achieving FedRAMP Ready indicates to the federal government that a CSP has a high likelihood of achieving a FedRAMP Authorization.
The FedRAMP PMO reviews each Readiness Assessment Report to ensure a CSO’s core security capabilities and operational processes are in place. Once the PMO deems the Readiness Assessment Report acceptable, the CSO is listed as FedRAMP Ready on the FedRAMP Marketplace.
The FedRAMP Ready designation is valid for one year, beginning on the date the CSO is listed as FedRAMP Ready on the Marketplace. If the CSP would like to remain listed on the Marketplace as FedRAMP Ready for longer than one year, the CSP may work with a 3PAO and the FedRAMP PMO to issue a new Readiness Assessment Report to maintain its FedRAMP Ready designation for an additional year.
Any CSO that holds a FedRAMP Agency Authorization that would like to transition to a JAB P-ATO must also achieve FedRAMP Ready.
Holding Multiple Designations
In the event a FedRAMP Ready CSO achieves FedRAMP In Process or FedRAMP Authorized, the Marketplace status will be updated accordingly. If a CSO that has achieved FedRAMP Ready loses its FedRAMP In Process or FedRAMP Authorized designation, and the service offering is still within the one-year period of its original FedRAMP Ready designation date, the CSO’s Marketplace status will be returned to FedRAMP Ready until the one year has expired.
FedRAMP In Process
FedRAMP In Process indicates a CSP is actively working towards FedRAMP Authorization through the JAB or Agency Authorization processes. All FedRAMP In Process CSOs are listed on the FedRAMP Marketplace.
JAB Authorization: FedRAMP Connect and FedRAMP In Process
The JAB prioritizes up to 12 CSOs each year to work towards FedRAMP Authorization. Each CSP must go through a process called “FedRAMP Connect” wherein they submit a business case that provides detailed product information and government-wide demand. The criteria for business cases and evaluation are described in detail within the JAB Prioritization Criteria and Guidance document.
Prior to being listed as FedRAMP In Process on the Marketplace for a JAB P-ATO, a CSP must:
- Achieve FedRAMP Ready within 60 days of being prioritized by the JAB
- Finalize the CSO’s System Security Plan (SSP)
- Engage a FedRAMP recognized 3PAO to develop a Security Assessment Plan (SAP), conduct a full security assessment, and produce a Security Assessment Report (SAR)
- Upload all required security package materials to MAX.gov (a federal document repository) for systems Authorized at the Moderate baseline, or to their own repository if the system is Authorized at the High baseline
- Participate in a formal Kickoff Meeting with the JAB, PMO, and partnering 3PAO
Completion of the Kickoff Meeting will result in a “go” / “no-go” decision point for JAB Authorization efforts. If a CSP achieves a “go” decision, the partnership with the JAB for a P-ATO may proceed, and the CSO will be listed as FedRAMP In Process (In JAB Review) on the FedRAMP Marketplace.
Agency Authorization: FedRAMP In Process Requirements
In order to be listed as FedRAMP In Process with a federal agency, a CSP must:
- Obtain written confirmation of the agency’s intent to authorize (In Process Request)
- Submit a completed Work Breakdown Structure (WBS) to the PMO that aligns with timeline requirements
- Confirm the system is fully operational (The FedRAMP PMO defines “fully operational” as being in a production environment and being assessment ready.)
- Fulfill at least one of four additional requirements listed below
In Process Request Email - Required Information
The In Process Request (IPR) serves as formal notice that a CSP is partnering with a federal agency for initial FedRAMP Authorization. To initiate FedRAMP In Process, the FedRAMP PMO must be in receipt of an email or letter from (or including) an Agency Authorizing Official (AO) that states:
- The CSP name
- The CSO name
- The impact level (e.g., Low, Moderate, or High) at which the agency will authorize the service offering
- The agency and CSP points of contact who will work with FedRAMP during the authorization process
- Confirmation that the full 3PAO assessment is planned to begin no more than six (6) months from the date of the In Process Request (include the assessment start date if it has been scheduled)
- An attestation that the partnering agency is actively working with the CSP to grant an Authorization to Operate (ATO) within 12 months of the In Process designation
In addition to the In Process Request, a CSP and agency should submit a Work Breakdown Structure and fulfill one of the four additional requirements listed below.
Work Breakdown Structure
CSPs must work with their agency partner and 3PAO to complete a Work Breakdown Structure (WBS) and submit it to the PMO prior to achieving FedRAMP In Process. The WBS is used to validate the assessment timeline requirement and the 12-month ATO requirement listed above. Submitting a WBS creates shared visibility into the anticipated timeline to completion for key project milestones.
The FedRAMP PMO will provide CSPs and agencies with a WBS template at the beginning of the CSP intake process, or when an In Process Request email is sent to the PMO.
Additional Requirements
One of the following additional requirements must be met for a CSP to be listed on the FedRAMP Marketplace as FedRAMP In Process:
- The agency provides proof of a contract award for the use of the CSO
- The agency and CSP demonstrate use of the service offering to the PMO. Note: An email from the Agency AO stating that the instance of the CSO undergoing Authorization is being used by the agency will meet this requirement.
- The CSO is currently listed as FedRAMP Ready on the Marketplace
- Completion of a formal FedRAMP facilitated Kickoff Meeting that includes the agency, CSP, FedRAMP PMO, and, if applicable, 3PAO
Kickoff Meetings
The purpose of the Kickoff Meeting is to formally begin the agency authorization process by introducing key team members, reviewing the Cloud Service Offering, and ensuring all stakeholders are aligned on the overall process. Kickoffs are meant to be in service of the CSP and Agency partnership. While a CSP may achieve In Process through other means, the PMO strongly encourages CSPs and agencies to conduct a Kickoff Meeting as outlined in the Agency Authorization Playbook.
Change in Initial Agency Partner or Authorizing Official
If a CSP changes agency partners during the initial authorization, the requirements listed above must be followed by the new agency. Upon fulfillment of the requirements, the Marketplace listing will be updated to include the new agency and FedRAMP In Process date. If the Agency AO changes while a CSP is listed as In Process, the FedRAMP PMO must be notified within 30 days and must receive a new In Process Request notification from the new AO.
Questions Regarding In Process Timeline
The FedRAMP Marketplace displays the date a CSO was listed as In Process with the JAB or an agency. Questions regarding the status or progress toward FedRAMP Authorization for a FedRAMP In Process CSO should be directed to the CSP’s email address listed on their Marketplace page, or info@fedramp.gov.
Department of Defense Requirements
CSPs pursuing initial authorization with a Department of Defense (DoD) component agency at DoD IL-2 may work towards initial FedRAMP Authorization at the Moderate baseline. The service offering must be configured as a multi-tenant environment that is capable of hosting any federal agency customer. Service offerings that are built for DoD-only use may not achieve initial authorization via FedRAMP, and instead should work with the Defense Information Systems Agency (DISA) for initial authorization. Additionally, CSPs pursuing initial authorization with DoD component agencies at DoD IL-4 or higher must first authorize their CSO via DISA. More information can be found within the Cloud Computing Security Requirements Guide and the DoD Cloud Authorization Services (DCAS) website (CAC required). If you have questions, please reach out to DISA’s hotline mailbox: disa.meade.re.mbx.cloud-team@mail.mil.
CSPs pursuing DISA authorization may be listed on the FedRAMP Marketplace as In Process by fulfilling FedRAMP’s agency In Process requirements listed in the previous section.
Removal of a FedRAMP Marketplace Designation
The FedRAMP PMO actively manages CSO designations on the FedRAMP Marketplace. The removal of CSOs as FedRAMP Ready, FedRAMP In Process, or FedRAMP Authorized is at the discretion of the FedRAMP Director.
Scenarios that would lead to the removal of a FedRAMP Marketplace designation for a CSO include, but are not limited to:
FedRAMP Ready
- One year has elapsed since a CSO achieved FedRAMP Ready and a new Readiness Assessment Report is not completed.
- A CSO’s FedRAMP Ready designation lapses prior to achieving FedRAMP In Process or FedRAMP Authorized.
FedRAMP In Process
- The authorization timeline for a CSO has exceeded 12 months as In Process.
- An agency or CSP informs the FedRAMP PMO that they are no longer working with a CSP for FedRAMP Authorization.
- The JAB deprioritizes a CSP for a JAB P-ATO.
FedRAMP Authorized
- A CSO no longer has at least one ATO on file validating the use and continuous monitoring oversight of the service at a federal agency.
- The ongoing security posture of a CSO, as demonstrated through continuous monitoring, is insufficient for federal government use.
- JAB Authorized CSOs do not demonstrate sufficient federal government demand.
Notification of Marketplace Removal
If it is determined that removal is warranted for any of the FedRAMP Marketplace designations, the CSP and partnering agency (if applicable) will be notified by email. The designation on the Marketplace will be removed within 24 hours of the notification email.
Provision for Authorized Service Offerings that Lose Their Only ATO on File
FedRAMP Authorized CSOs that lose their only active agency ATO letter on file may remain listed on the FedRAMP Marketplace as FedRAMP Ready for a maximum of 12 months while the CSP works to obtain a new ATO from a federal agency. If a new ATO is obtained during this period, the CSO will regain its FedRAMP Authorized designation.
Agencies should follow the steps outlined in FedRAMP’s Reuse Quick Guide when reviewing the package. To inform an agency’s risk-based ATO decision, the PMO recommends CSPs:
- Submit Monthly ConMon Deliverables: CSPs should maintain an acceptable risk posture, and should continue to upload monthly continuous monitoring deliverables (updated POA&M and inventory, scan files, deviation requests) to their FedRAMP secure repository.
- Conduct Annual Assessment: If a service offering is due for an Annual Assessment during this period, the CSP should complete the Annual Assessment.
- Deliver Risk Briefing: The CSP should brief the agency on the current risk posture of the CSO, including any areas that require agency risk acceptance.
If the CSP does not acquire an ATO for their service offering within the 12-month timeframe, the CSO will be removed from the FedRAMP Marketplace. At that point, the CSP has two options to regain a FedRAMP Marketplace designation:
- Achieve FedRAMP Ready by undergoing a Readiness Assessment with a FedRAMP recognized 3PAO.
- Achieve FedRAMP In Process by fulfilling the requirements described in FedRAMP’s In Process Requirements.
Note: to distinguish these CSPs within the list of FedRAMP Ready service offerings, the FedRAMP PMO will include language within the “Service Description” field of the CSO’s Marketplace page that indicates the CSO has a full security package ready for agency review.