FedRAMP by the numbers

  • Market research

Conversations about FedRAMP in security seem to have accelerated recently, irrespective of the political climate. It seems like everyone is getting FedRAMP, and tech execs are wondering, should we get FedRAMP? Will that help us increase sales?

I have never worked on a product while it underwent FedRAMP authorization. I am underinformed about the whole process — so naturally, I am curious about how it works. There seem to be more conversations about FedRAMP.

So, I set out to understand if the rate of FedRAMP authorizations increased recently, and if getting a FedRAMP authorization helps accelerate sales to the US government.

Luckily for us, since FedRAMP is a marketplace — and the data is public (well, at least for now) — I decided to dig in.

Don’t need more context? Skip to the analyses

Context and terminology

Let’s get some facts straight about the Federal Risk and Authorization Management Program (FedRAMP), so that we can focus on the data.

FedRAMP was introduced in 2011 as more and more technology companies were beginning to offer cloud-based services. The Federal Information Security Modernization Act (FISMA) introduced minimum security requirements for federal agencies in 2002 — although the US federal government had an existing procurement process for on-premises software, they wanted to adopt more cloud-based services, and so needed to adapt. FedRAMP essentially extends those requirements to provide a standardized way to authorize cloud-based services.

FedRAMP is an authorization: you obtain an Authorization to Operate (ATO) a product for the US government. A cloud-service provider’s (CSP) cloud-service offering (CSO) is FedRAMP authorized, not FedRAMP certified or FedRAMP compliant. By that, the US government is saying, we will accept the risk of the service you’re offering. Although a third party auditor assesses your controls, they’re not making a decision or recommendation, just an assessment. Whereas a certification might verify you meet a strict set of requirements, in theory, an authorization could still apply to a product with a concerning but still acceptable risk. I am not aware of whether this actually happens in practice, but the choice of vocabulary here is to be noted.

The only time you need FedRAMP is to sell a cloud-based service to a US federal agency in the executive branch. FedRAMP recognizes and includes CSOs with IaaS, PaaS and SaaS services. You do not need FedRAMP to sell an on-prem service, you do not need FedRAMP to sell to the legislative (e.g., Library of Congress) or judicial (e.g., Supreme Court) branches, and you do not need FedRAMP to sell to other government bodies, such as state schools or city governments. Although having FedRAMP authorization may make it easier to sell to these organizations, it is not required — at least not by law, though it may still come up in your sales conversation. Having FedRAMP authorization is not necessarily sufficient for federal agencies either — much as having SOC2 certification doesn’t make you secure, if you’re selling to, say, the military, they will have higher requirements (look into DoD Impact Levels).

You can still build a product that helps an organization meet NIST 800-53 requirements — that is, help your customer meet FedRAMP requirements — without yourself being FedRAMP authorized. You only need FedRAMP authorization if you are directly processing certain kinds of data.

FedRAMP has four impact levels: High, Medium, Low, and Low-Impact SaaS, which correspond to the risk of the service and of the data being put into it. It’s what it sounds like: High is harder and has more requirements than Medium, which is harder than Low. High impact data is “the government’s most sensitive, unclassified data”, which is “usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems”. High, Medium, and Low were the three original levels; then, Low-Impact SaaS (LI-SaaS) was introduced in August 2017, for “SaaS applications that do not store personal identifiable information (PII) beyond that generally required for login capability (i.e. username, password, and email address)”.

To obtain FedRAMP authorization, you need to show that you meet a specified list of controls — for FedRAMP Low, there are 125 controls. Of these, the most onerous requirements are those to use FIPS-validated cryptography and to patch vulnerabilities within specified timeframes. There are lots of other requirements: employee account lifecycle management, restrictions on remote access, centralizing logging, documenting and justifying enabled ports and protocols, etc. — but these are generally good security recommendations that many organizations already meet. Like other compliance frameworks, FedRAMP doesn’t necessarily have that many strict technical requirements, and rather the real challenges are organizational, to adopt and automate processes.

FedRAMP authorization process

There were historically two ways to obtain FedRAMP authorization for your CSO: from the Joint Authorization Board (JAB) for use with multiple agencies, or from an individual agency.

If you went the multi-agency route, you’d submit your CSO to the JAB for review. The JAB was made up of CIOs from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA), and made sure you met the general requirements before granting provisional authorization (P-ATO). Then, you’d get full authorization when a specific agency used your service. FedRAMP says that “a JAB P-ATO would be better suited for cloud services that are Moderate and High Impact”; I’m assuming this is because of how difficult and detailed the higher impact reviews are.

Or, you could have asked a specific agency. They’d stick their neck out to use a particular CSO, and drag you through the process as your sponsor. FedRAMP allows ATO re-use, so that if one agency cleared you and you were already on the FedRAMP Marketplace, there would be much less work to get approved at another agency. This encouragement was formally written into law in December 2022, with a requirement to “provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better re-use of such packages across agencies” — so an agency buying the same CSO could just go pull the docs that were already submitted, review them themselves, and issue an authorization.

FedRAMP continues to evolve. As of June 2024, FedRAMP’s governance has changed again, with the FedRAMP Board replacing the JAB for FedRAMP governance. All authorizations are now conducted by individual agencies — and all of these authorizations are treated exactly the same. Continuous monitoring (ConMon) of the CSO’s controls is a multi-agency responsibility, with a lead agency for each primarily responsible.

Suppose you want to get FedRAMP. What do you go through? You as a CSP first prepare your systems by implementing required security controls, then you undergo rigorous assessment by an auditor, and finally you submit comprehensive documentation for review. Mostly, it’s a lot of paperwork.

There are three designations in the FedRAMP authorization process:

  • FedRAMP Ready, which is when an independent Third Party Assessment Organization (3PAO) has attested to your security controls, and completed a FedRAMP Readiness Assessment Report,
  • FedRAMP In Process, which is when your application is actively being reviewed, and
  • FedRAMP Authorized, which is when the authorization has been granted, the CSO is on the Marketplace, and it is now available for re-use by other agencies.

Hypotheses

I have a few hypotheses about FedRAMP authorizations, which I wouldn’t say are out of the norm with others in the industry. These hypotheses (biases?) aren’t based in data, though.

Given I’m analyzing the data in more detail, I thought I’d write these down, and check how I did at the end. (If you want, take the chance to note down your own assumptions before reading ahead.)

  1. Hypothesis: There has been an increase in FedRAMP authorizations in the past 3-5 years, but that’s been mostly re-uses, not authorizations of new CSOs. That is, it’s new agencies authorizing and buying products that are already FedRAMP authorized, not new products getting FedRAMP authorized. The introduction of a LI-SaaS impact level may also have helped contribute to the increase.

  2. Hypothesis: Microsoft and Amazon sell the most to the federal government. Microsoft is so good at government sales they’re getting anti-trusted.

  3. Hypothesis: The main agencies buying cloud software are… I don’t know? I don’t have a good understanding of how typical government agencies buy, and how open — or eager — they are to using newer technology. So maybe I’ll go with the Department of Defense at the top of the list.

  4. Hypothesis: There are probably <10 assessors who do the vast majority of the authorizations. I’m guessing these are small boutique firms — there’s probably not enough volume or specialized expertise for someone like an Accenture.

  5. Hypothesis: FedRAMP reflects existing federal spending moving from on-prem to cloud services within a vendor, not the adoption of new vendors. That is, I don’t think that obtaining FedRAMP authorization leads to net new business for most companies. I also don’t think I’ll have the data to prove this either way.

With that, let’s dig in! Data time 😎

Getting the data

So you know how I said that you could “just look at the data”. Well, kind of.

I hadn’t been on the FedRAMP Marketplace in a long time. I knew there was a table of information on authorizations, but was pleasantly surprised to find a nice “Export CSV Data” button. Yes!!!

Good news: this gives you a dump of FedRAMP data, at that moment in time.

Bad news: it doesn’t have absolutely all of the information that’s available on the site, including a bunch of nice things I was hoping to analyze:

  • Impact level: whether a CSO has been authorized at High, Medium, or Low isn’t included in the data set. What? But it’s right there on the marketplace landing page. That page is kind of annoying though because it isn’t searchable because the company names are logo images, not text — though there is a little search bar for the table itself.
  • Deployment model: whether a CSO is deployed on a public cloud, government cloud or hybrid. This is available in the marketplace table (and on the CSO detail page).
  • Authorization status / Authorization details: when the CSO completed the FedRAMP authorization process, including when it was FedRAMP Ready, In Process, and Authorized. This is available on the CSO detail page.
  • Independent assessor: which 3PAO completed the Readiness Assessment. This is also available on the CSO detail page.
  • Dependent products: which CSO’s FedRAMP-ness is a dependency for other CSOs. This is also available on the CSO detail page.

I wish I could say I used one of the newfangled web scrapers to get the data I was missing. I tried two of them and despite a permissive robots.txt for the FedRAMP site, couldn’t get anything usable. After calling in some reinforcements, it seems that after you go to a specific CSO page, you’ll need to refresh it to get the data, which trips up these scrapers. My original dataset, including impact levels, authorization status, deployment model, independent assessors, and dependencies, is from January 25 2025. I collected further data on authorization timeline on March 17 2025. In that timeframe, there were 31 newly added CSOs and a total of 158 new ATOs, which are missed in this analysis. There were 24 newly authorized CSOs, whose authorization data is used in measuring timelines but not used for reporting on status.

The analyses below disregard data from 2025 when looking at years, and also disregard data that was clearly incorrect — like authorizations that happened before FedRAMP was established, or in the future. I kept all incorrect data in as long as it wasn’t relevant to the question being asked.

Which is all to say, my dataset and analysis are not perfect. If you want to run an analysis yourself, grab the latest CSV from FedRAMP. For what’s missing, here’s the code to scrape the FedRAMP site, or get the JSON from 18F (which I only found later 😅).

Analyses

How have FedRAMP authorizations changed over time?

The use of FedRAMP over time has that nice hockey stick appearance that is the envy of all startups.

But as we know, growth is what matters. Let’s answer the question that started all of this first: has the rate of FedRAMP authorizations increased?

So… not really? The rate of authorizations notably increased from 2018 to 2019, but since then has been relatively flat.

This is just initial authorizations, though. Let’s take into account authorization re-uses.

Aha! Our work here is done. There has been a significant increase in re-uses in the past several years — which contributes to my perception that FedRAMP is just so hot right now. Also of note: some agencies have new uses for the same CSO, sometimes multiple times in the same year.

Another part of the hypothesis had been that maybe there are more FedRAMP authorizations for lower impact levels — is that also a contributing factor?

Partly — the introduction of LI-SaaS in August 2017 led to a small increase, but the real difference here was that increase in re-uses. This is likely due to a simpler, less bottlenecked process for re-uses, as well as increased demand for CSOs from federal agencies generally, due to the pandemic and how widespread and popular SaaS tools have become.

Here’s a fun little animation of the uses of CSOs, with their aggregate authorizations and re-uses over time.

Will FedRAMP authorizations keep going up?

Although a lot of CSOs are already authorized, how many are waiting for authorization?

Wow, we’re waiting on a lot more CSOs coming down the pipe.

Although I stated earlier that there were three main phases to authorization: Ready, In Process, and Authorized — from FedRAMP’s own docs — the marketplace listings for newer products split “In Process” into “In Process: Review” and “In Process: Finalization”.

How long does a CSO typically take to go through the FedRAMP process, then?

This is some of the messiest data: a lot of dates are missing, and there are inconsistent states that you think shouldn’t be possible — like CSOs that are authorized before starting the process. However, looking at news coverage, these mistakes are seemingly accurate. There were so many CSOs that were In Process before being Ready that this must be a valid state.

To go from Ready to In Process (Review) takes a median of 213 days, about seven months.

To go from In Process (Review) to Authorized takes a median of 334 days — eleven months, or almost a year.

Longer times aren’t associated with higher Impact Levels, either — even though LI-SaaS applications go quickly, they take longer to get started.

The process has gotten slightly longer in recent years — likely due to high demand — but not significantly worse.
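As an added worked example (not the author's own analysis code, and not the marketplace's real export format), here is how the two measurements above, initial authorizations versus re-uses per year and the median time between phases, can be computed over a constructed sample, applying the same cleaning described earlier: dates before FedRAMP existed or after the collection date are dropped, missing dates are skipped, and CSOs that were In Process before Ready are counted separately rather than thrown away. The record layout, the CSO and agency names, and the sample dates are all assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Sanity bounds for dates: FedRAMP did not exist before 2011, and nothing can
# be authorized after the day the data was pulled (the post's second collection).
FEDRAMP_START = date(2011, 1, 1)
COLLECTED_ON = date(2025, 3, 17)

# Constructed sample records (hypothetical CSOs and agencies, not marketplace data).
# One row per CSO with the three phase dates; None marks a date missing from the site.
CSOS = [
    {"cso": "Alpha Cloud", "ready": date(2019, 1, 10), "in_process": date(2019, 8, 1), "authorized": date(2020, 7, 1)},
    {"cso": "Beta SaaS", "ready": None, "in_process": date(2020, 3, 15), "authorized": date(2021, 2, 1)},
    {"cso": "Gamma Gov", "ready": date(2021, 6, 1), "in_process": date(2021, 4, 1), "authorized": date(2022, 3, 1)},  # In Process before Ready
    {"cso": "Delta Platform", "ready": date(2022, 2, 1), "in_process": date(2022, 9, 1), "authorized": None},  # still waiting
    {"cso": "Bogus Legacy", "ready": date(2005, 1, 1), "in_process": date(2030, 1, 1), "authorized": date(2019, 1, 1)},  # garbage dates
]

# One row per (CSO, agency, authorization date); the same agency may appear twice for one CSO.
USES = [
    ("Alpha Cloud", "Agency A", date(2020, 7, 1)),
    ("Alpha Cloud", "Agency B", date(2021, 3, 1)),
    ("Alpha Cloud", "Agency B", date(2021, 11, 1)),  # same agency, same CSO, twice in a year
    ("Beta SaaS", "Agency C", date(2021, 2, 1)),
    ("Beta SaaS", "Agency A", date(2022, 5, 1)),
    ("Gamma Gov", "Agency D", date(2022, 3, 1)),
    ("Bogus Legacy", "Agency E", date(2009, 6, 1)),  # before FedRAMP existed: dropped
    ("Alpha Cloud", "Agency F", date(2031, 1, 1)),  # in the future: dropped
]


def plausible(d):
    """True when a date is present and falls inside the program's lifetime."""
    return d is not None and FEDRAMP_START <= d <= COLLECTED_ON


def uses_by_year(uses):
    """Per calendar year, count the first authorization of each CSO ("initial")
    separately from every later use of the same CSO by any agency ("reuse")."""
    by_cso = defaultdict(list)
    for cso, _agency, when in uses:
        if plausible(when):
            by_cso[cso].append(when)
    counts = defaultdict(lambda: {"initial": 0, "reuse": 0})
    for dates in by_cso.values():
        dates.sort()
        counts[dates[0].year]["initial"] += 1
        for later in dates[1:]:
            counts[later.year]["reuse"] += 1
    return dict(sorted(counts.items()))


def _gap_stats(pairs):
    """Median of the forward gaps in days; reversed-order pairs are counted, not discarded."""
    gaps = [(end - start).days for start, end in pairs]
    forward = [g for g in gaps if g >= 0]
    return {
        "median_days": median(forward) if forward else None,
        "n": len(forward),
        "reversed": len(gaps) - len(forward),
    }


def phase_medians(csos):
    """Median days for Ready -> In Process and In Process -> Authorized,
    using only CSOs where both dates of a transition are present and plausible."""
    transitions = {
        "ready_to_in_process": ("ready", "in_process"),
        "in_process_to_authorized": ("in_process", "authorized"),
    }
    result = {}
    for name, (start_key, end_key) in transitions.items():
        pairs = [(c[start_key], c[end_key]) for c in csos
                 if plausible(c[start_key]) and plausible(c[end_key])]
        result[name] = _gap_stats(pairs)
    return result


if __name__ == "__main__":
    for year, c in uses_by_year(USES).items():
        print(year, c)
    for name, stats in phase_medians(CSOS).items():
        print(name, stats)
```

The "reversed" count is what tells you whether a transition is really out of order often enough to be a legitimate state, as the post concludes for In Process before Ready, rather than a handful of data-entry errors; the median is taken only over the forward gaps so that a few reversed rows cannot drag it negative.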

We can do some nice little predicting and extrapolate where we currently are for all the CSOs currently in review — some of these should have been authorized by now, but there are a huge number waiting to be authorized.

So maybe part of the conversation around FedRAMP is because of this: so many CSOs have submitted products for review, and are now waiting. We might be at the beginning of a big upswing. There’s no reason to think that trend will slow down.

Who’s selling?

Which CSPs are benefiting the most from selling to government agencies? It’s what we expected: Microsoft and Amazon have the most uses across their CSOs, with ServiceNow, Zscaler, and Salesforce rounding out the top 5.

Note that GitHub is listed separately. GitHub Enterprise Cloud was In Process when it was acquired by Microsoft, and now has 19 uses.

In fact, Microsoft and Amazon are so popular with FedRAMP that they each have their own special authorization codes AGENCYAMAZONNEW and MSO365MT. They’re not the only ones — these seem to have been primarily used for some of the first FedRAMP authorized products: AINS (AGENCYHUDSAAS) and Tyler (SOCRATA), as well as other agencies: USDA (AGENCYNITCIAAS) and Workplace.gov (AGENCYWC2) — yes, an agency can use another agency’s services, which also need to be authorized. 18F also offered its services to other agencies with Cloud.gov.

There are also several CSPs I didn’t recognize:

… and many more excellent software companies.

Seven CSPs make up the top 25% of all FedRAMP uses.

Adobe and Oracle each have 8(!) CSOs. That’s a lot of paperwork.

It’s important not to forget the long tail here — 85 CSPs, or 29% of all providers that have a FedRAMP authorization, only have a single use.

In 2017, FedRAMP said that “Moderate Impact systems accounts for nearly 80% of CSP applications that receive FedRAMP authorization” — indeed, it’s 70-80% now, and that’s also true for applications which are In Process or Ready.

Who’s buying?

The top agencies purchasing CSOs are the Department of Health, the Department of Energy, and the Department of Commerce.

These top departments are buying a lot of CSOs — with the top three agencies making up a quarter of all FedRAMP use, and the top eight altogether being over half of all FedRAMP use.

The vast majority of agencies, however, still barely use FedRAMP, with most using far fewer CSOs.

Although some uses are at the agency level — e.g., NASA is an agency which purchases 22 CSOs, including all three major cloud providers, Slack, Salesforce, and Zoom — for some agencies, uses can be both at the agency- and at the sub-agency level, so we can dig a bit deeper.

Looking at the fifteen federal executive departments, most usage is still at the department level, but there are some sub-agencies that are unexpectedly high in their FedRAMP usage, such as Argonne National Laboratory.

The top sub-agencies overall by number of FedRAMP uses are:

  • Defense Information Systems Agency, in the Department of Defense, with 62 uses
  • Internal Revenue Service, in the Department of the Treasury, with 50 uses
  • Federal Emergency Management Agency, in the Department of Homeland Security, with 47 uses

FedRAMP usage can be very varied. It’s weirdly used in some places of the government, but not necessarily where I expected. This is probably far more based on local culture, risk tolerance, and workflow needs; although data classification prevents cloud services from widespread use in some agencies, such as the Department of Defense.

Who is actually using CSOs with High impact? In 2017, about half of FedRAMP High use was the Department of Defense and the Department of Veterans Affairs.

It’s changed significantly since then: although overall the top agencies by FedRAMP use are the Departments of Health, Energy, and Commerce, the Departments of the Treasury, Homeland Security, and Defense are much more heavily represented in FedRAMP High uses. Veterans Affairs is mostly using FedRAMP Medium, and doesn’t break into the top agencies using High.

If you’re looking at getting FedRAMP authorization, you now know which agencies you’re the most likely to be selling to.

Are these the same agencies, however, that are also the most likely to help you through the initial authorization? Unsurprisingly, generally, yes, with the Departments of Health, Veterans Affairs, and Energy being the most common for initial authorizations (excluding the legacy JAB authorizations).

However, if you’re selling your product to one agency — and only one agency — the most common is the Department of Veterans Affairs. The Department of Veterans Affairs has 23 CSOs with no re-use by any other agency. This shouldn’t be surprising since the VA is largely a medical provider — these are mostly healthcare related, and include classic hits like Abbott’s LibreView for US Government, and CirrusMD Virtual Health Chat for Government.

Who (else) is profiting?

Microsoft and Amazon are clearly the winners when it comes to selling to federal government agencies. But like with any market, there is another set of organizations profiting here: the auditors.

There are only 45 of them. Well actually, there are 45 recognized 3PAOs, but only 30 of them have ever completed an assessment for a CSO that’s now authorized. The top auditors all have a significant list of products under their belt: Coalfire does Amazon, IBM, Google, and Oracle; Schellman covers the next tier of tech companies like Figma, MongoDB, Qualtrics, and Scale AI; Microsoft uses Kratos.

Schellman and Coalfire each do more than 20% of FedRAMP readiness assessments. Together, the top three of Schellman, Coalfire, and A-LIGN complete 57% of all FedRAMP readiness assessments.

If you’re evaluating the top auditors, you should also take into account how quickly those assessments have turned into authorizations in the past.

But, there is also someone else profiting, or maybe, double dipping: the other CSPs who are providing CSOs are also making money from new CSOs, since if you’re not hosting your own infrastructure for your CSO, then it’s built on another CSO. “When your software sits on a FedRAMP Authorized infrastructure, it will inherit controls from that authorized system”, in turn making it easier for you to obtain FedRAMP authorization.

Here, Amazon really wins again — but it’s also where we see how a common tech stack in tech companies developing CSOs leads to a common tech stack in the government. If you’re selling to a federal agency, they probably want to sign in with Okta.

Here’s a graph if you want to explore dependencies. (I couldn’t find a way to make it more digestible, sorry.) There also seems to be a strategy to architect and obtain authorization for a Medium impact CSO, and then build your High impact CSO to depend on the Medium impact one, presumably to only have to do the diff of the paperwork?
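The dependency graph above is awkward to read, so here is an added example (my own, not the author's code or the marketplace's data) of the three questions you would ask of it: what a given CSO transitively inherits from, which infrastructure CSOs the most other offerings ride on, and where a CSO at a higher impact level is stacked on one at a lower level, as the Medium-then-High pattern just described. The CSO names, their impact levels and the edges are a constructed sample.

```python
# Constructed dependency graph: each CSO maps to the CSOs it is built on.
# Names and edges are hypothetical and chosen only to exercise the three checks.
DEPENDENCIES = {
    "Example High App": ["Example Moderate App"],   # High offering stacked on a Moderate one
    "Example Moderate App": ["Example IaaS", "Example SSO"],
    "Example SSO": ["Example IaaS"],
    "Example Ticketing": ["Example IaaS"],
    "Example IaaS": [],                             # hosts its own infrastructure
}

# Impact level of each CSO in the sample (also constructed).
IMPACT = {
    "Example High App": "High",
    "Example Moderate App": "Moderate",
    "Example SSO": "Moderate",
    "Example Ticketing": "Moderate",
    "Example IaaS": "High",
}

# Ordering of FedRAMP impact levels, lowest to highest.
LEVEL_RANK = {"LI-SaaS": 0, "Low": 1, "Moderate": 2, "High": 3}


def transitive_dependencies(graph, cso):
    """Every CSO that `cso` inherits controls from, directly or through another CSO.
    A visited set guards against cycles in messy marketplace data."""
    seen = set()
    stack = list(graph.get(cso, []))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(graph.get(dep, []))
    return seen


def dependents_count(graph):
    """For each CSO, how many other CSOs depend on it, counting transitive dependents once."""
    counts = {cso: 0 for cso in graph}
    for cso in graph:
        for dep in transitive_dependencies(graph, cso):
            counts[dep] = counts.get(dep, 0) + 1
    return counts


def stacked_chains(graph, impact):
    """Direct edges where a CSO depends on one authorized at a lower impact level."""
    return sorted(
        (cso, dep)
        for cso, deps in graph.items()
        for dep in deps
        if LEVEL_RANK[impact[cso]] > LEVEL_RANK[impact[dep]]
    )


if __name__ == "__main__":
    print(sorted(transitive_dependencies(DEPENDENCIES, "Example High App")))
    print(dependents_count(DEPENDENCIES))
    print(stacked_chains(DEPENDENCIES, IMPACT))
```

Run over the real marketplace data, `dependents_count` is the list that puts the IaaS providers at the top, and `stacked_chains` surfaces exactly the Medium-under-High pairs worth a closer look when you are deciding how to structure your own package.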

The median government tech stack

Say you’re a median government agency: you use 10 CSOs (ignoring those agencies who use zero). You’re probably using:

  • AWS US East/West, AWS GovCloud, Azure Commercial Cloud or Azure Government for compute
  • ServiceNow Government Community Cloud for IT helpdesk
  • Office 365 or Box for word processing, spreadsheets, and slides
  • Salesforce Government Cloud Plus for CRM
  • Zoom for Government or Webex for Government for video conferencing
  • AINS for FOIA requests
  • Okta IDaaS Regulated Cloud for SSO

… and everything else is hosted on-prem!

Office with old computers and desk phones -- gif provided by the government of Ontario

Although you can see total CSO use and total agency use in the tables on the FedRAMP marketplace, what I really wanted was a table I could easily search to see who uses what. Here’s that table for you 👍 (Are you finding the same agency using the same CSO multiple times? Yes.)

Conclusion

Let’s review our original hypotheses and recap.

  1. Hypothesis: There has been an increase in FedRAMP authorizations in the past 3-5 years, but that’s been mostly re-uses, not authorizations of new CSOs.

Yes. But we’re also at peak authorizations in process. There are more re-uses, some more CSOs entering the market with LI-SaaS, and also a lot of new CSOs coming up soon.

  2. Hypothesis: Microsoft and Amazon sell the most to the federal government.

Yes — and that’s even true when GitHub is counted separately.

  3. Hypothesis: The main agencies buying cloud software are… I don’t know?

The answer is the Department of Health and Human Services. The agency with the most unique purchases is the Department of Veterans Affairs.

  4. Hypothesis: There are probably <10 assessors who do the vast majority of the authorizations.

Way more concentrated than expected. The top three auditors complete 57% of all authorized CSOs.

  5. Hypothesis: FedRAMP reflects existing federal spending moving from on-prem to cloud services within a vendor, not the adoption of new vendors.

I didn’t think I’d get the data to show this either way, and I don’t! The top CSOs in government are generally some of the top tech companies. Although Microsoft might be seeing its buyers move from on-prem to O365, given that Salesforce is the original SaaS, I’m guessing it’s supplanting whatever on-prem CRM the government had. So, there is opportunity for SaaS vendors in government, but it’s still predominantly the well established SaaS vendors — or specialized vendors targeting only government requirements and sales.

If you’re considering getting FedRAMP authorization for your product, I’d focus first on understanding and executing on government sales, generally. Once you understand what you’re getting into, I’d take the time to think through and understand:

  • Which agency will work with you to get FedRAMP authorization?
  • Which other agencies are realistically going to buy your product?
  • Which 3PAO is right for you, and how long do they expect to take?

I’d also do a sneaky look at the public dataset to see if my main competitor is pursuing FedRAMP authorization, and at what step they are.

I’m not a data scientist, and this whole project was a great excuse for me to play around with government data and use the tools made accessible to visualize that data, like Datawrapper and Flourish.

Back to why I spent countless hours in pivot tables, is FedRAMP more of a thing lately? Why are FedRAMP authorizations and uses on the rise? There are a few possible reasons:

  • There is a drive from the government to move towards more modern technology, and vendors are responding by getting FedRAMP.
  • SaaS providers see a big opportunity in government that’s worth the upfront price tag.
  • The process to get FedRAMP authorization — and to re-use products that are already authorized — has gotten easier.

It’s probably a little bit of all of the above.

Now that I’m much more familiar with FedRAMP, it’s also clear that the government and the FedRAMP team have made a concerted effort to modernize FedRAMP. FedRAMP has documentation, a roadmap, and a changelog — we’re treating it like you might a tech product. The FedRAMP team is doing a really good job.

The FedRAMP “strategy for 2024 centered on tackling some of the root causes that have held FedRAMP back from being able to make the bigger changes needed to reduce the time and cost of the process and center FedRAMP around risk management.” They’re planning on publishing metrics on the program, and further developing machine-readable “digital authorization packages”.

I’d still love to see some of this data made easier to analyze, with what I had to collate above available in a single CSV. It’s not that this data isn’t available, it’s just a bit of a pain to process — it could be even easier to explore.

FedRAMP is a complex and time-consuming process, but becoming increasingly more common — so if you’re planning to pursue it, at least now you know what you’re signing up for. Tell your VP Sales you have the data.