Cloud.gov FedRAMP Moderate Authorization Process
Overview
Cloud.gov is already FedRAMP‑Authorized at the Moderate impact level (Marketplace Package ID F1607067912).
Agencies can inherit or share ~60 % of the 323 Rev 5 controls instead of re‑implementing them from scratch. The result: a system‑level ATO in weeks, not months.
Customer Responsibility: You still need to document and provide evidence for any shared or customer‑owned controls.
Prerequisites
Requirement | Why it matters |
---|---|
Authorizing Official (AO) assigned | AO signs the final ATO letter |
FedRAMP package access requested with Package ID F1607067912 | Grants SSP, CIS, CRM, SAR, POA&M |
Rev 5 templates downloaded (SSP, SAR, POA&M) | Rev 4 artifacts are no longer accepted |
Identity provider ready | Cloud.gov enforces phishing‑resistant MFA (PIV/CAC) |
Steps
- Request the security package
  Submit the FedRAMP Package Access Request Form and enter Package ID F1607067912. Approval typically takes 3‑5 business days.
- Download key documents
  - Control Implementation Summary (CIS) – lists every Rev 5 control and who owns it.
  - Customer Responsibility Matrix (CRM) – details shared responsibilities.
  - Cloud.gov SSP / SAR / POA&M – platform evidence.
- Map control ownership in your SSP

  Control type | Mark as | Action |
  ---|---|---|
  Inherited | INH | Reference Cloud.gov CIS |
  Shared | SHR | Document your portion |
  Customer‑Owned | CUST | Fully implement & evidence |

- Implement and test shared / customer controls
  Engage a FedRAMP‑accredited 3PAO to produce your Security Assessment Report. Use Rev 5 test procedures.
- Package and submit for authorization
  Deliver SSP, SAR, POA&M, and control mapping to the AO. Most agencies issue the ATO within 6‑12 weeks when Cloud.gov inheritance is used.
- Continuous monitoring
  - Monthly vulnerability scans and annual assessments sent to FedRAMP.
  - Update POA&M promptly; inherited controls are monitored by Cloud.gov.
FAQs
Q: How many controls are fully inherited?
A: About 155 of the Rev 5 Moderate controls are platform‑owned; another 98 are shared.
Q: Does Cloud.gov support High‑impact data?
A: No. Cloud.gov is authorized only at the Moderate level. High systems require extra safeguards beyond this baseline.
Q: Do I retest inherited controls each year?
A: No. Cloud.gov’s continuous monitoring covers them; your agency only reassesses shared and customer controls.
Q: Where are the official Rev 5 templates?
A: On FedRAMP’s “Rev 5 Documents & Templates” page.