FedRAMP in Cloud Contracts: Requirements Guide

FedRAMP authorisation has moved from a public-sector nicety to a contract gate: agencies increasingly require it as a condition of award, and the supply of authorised services is thin. Understanding the impact levels, control counts, and the FedRAMP 20x shift is now essential for any enterprise buying — or selling — cloud into the federal market.

By Morten Andersen

What FedRAMP Requires

FedRAMP requirements in cloud contracts exist to standardise how cloud services are secured and authorised for US federal use. Under the Federal Risk and Authorization Management Program, a cloud service offering is assessed by an accredited Third Party Assessment Organization (3PAO) against a NIST SP 800-53 control baseline chosen by FIPS 199 impact level, with controls spanning the three security objectives of confidentiality, integrity, and availability; an authorising agency then grants an Authorization to Operate (ATO) at that impact level. For an agency, FedRAMP authorisation is the evidence that a cloud service meets the required security baseline; increasingly, it is also a precondition of contract award, provided there are enough authorised vendors to preserve competition.

That gating effect is the practical reason FedRAMP matters to procurement. A cloud service without the right authorisation may simply be ineligible, regardless of price or fit — which makes authorisation status a first-order question in any federal cloud sourcing exercise, sitting alongside the residency and sovereignty questions in the compliance and governance guide and the data sovereignty analysis.

Impact Levels: Low, Moderate, and High

FedRAMP sorts cloud offerings into three impact levels, following FIPS 199, and the level drives both the control burden and the available supply. Moderate is the workhorse: it applies where loss of confidentiality, integrity, or availability would cause serious adverse effects, it accounts for roughly 80% of all ATOs, and it requires 325 security controls under the Rev 4 baseline (323 under the current Rev 5 baseline). High is reserved for systems where such a loss would be severe or catastrophic, such as law enforcement, emergency services, financial, and health systems, and demands 421 controls under Rev 4 (410 under Rev 5), nearly 30% more than Moderate, covering advanced encryption, physical access restrictions, personnel vetting, and enhanced continuous monitoring. Low applies where the loss would have only a limited adverse effect and carries the smallest baseline (125 controls under Rev 4, 156 under Rev 5). Whichever revision a listing cites, the count is a baseline total: the provider must also meet the FedRAMP-defined parameter values inside each control, so the headline number understates the work.

Supply at the top is genuinely scarce: only around 48 cloud service offerings hold full High authorisation, against roughly 80 listed as High on the FedRAMP Marketplace, meaning about 40% of the High listings are still at FedRAMP Ready or In Process status rather than Authorized. For a buyer, that scarcity is a procurement risk in itself, because a High-impact requirement can shrink the viable vendor pool to a handful, which in turn affects pricing leverage. Check the status column, not just the impact level, when counting eligible vendors. The AWS vendor hub is a useful reference given how much federal workload concentrates on GovCloud and equivalent environments.


The FedRAMP 20x Shift

The most consequential change in the programme is FedRAMP 20x, a redesign of the assessment and authorisation process led by the FedRAMP PMO at GSA with industry and agency input. The legacy path is slow, typically 18 months or more to authorisation, which constrains supply and entrenches incumbents. FedRAMP 20x aims to compress that dramatically: in the Phase One pilot, which covered Low-impact cloud-native SaaS, some participating providers achieved authorisation in roughly three months.

The timing matters for procurement planning. The public 20x path is not expected to open broadly until around the fourth quarter of FY26 (July to September 2026 on the federal fiscal calendar), with wide-scale adoption for Low and Moderate providers projected across the third and fourth quarters of calendar 2026. For a buyer, that means the authorised-vendor pool should widen over the next contracting cycles, but the relief is not yet here: near-term sourcing still has to work within today's scarce supply, while longer-horizon strategies can anticipate a broader market. Building that timing into the renewal calendar is part of disciplined contract compliance monitoring.

Contracting Around FedRAMP

When FedRAMP authorisation is a requirement, several terms deserve explicit treatment. Specify the required impact level precisely, because over-specifying High where Moderate suffices needlessly shrinks competition. Confirm that the specific services you are buying sit inside the vendor's authorised boundary: a Marketplace listing covers a defined set of services and regions, and a feature outside that boundary is not authorised even though the provider is. Require the vendor to maintain authorisation throughout the term, with prompt notification of any change in status, any significant change to the authorised system, and any security incident affecting your data, since an ATO is not permanent. Address continuous-monitoring obligations concretely: agency access to the authorisation package, to the monthly vulnerability scan results and Plan of Action and Milestones (POA&M) that FedRAMP continuous monitoring already produces, and to the annual 3PAO assessment. And treat authorisation status as part of broader third-party risk management, alongside the SOC and security evidence you would collect for any critical vendor. The Cloud Contract Framework white paper sets out the full clause set; to scope a FedRAMP-gated procurement before it narrows your options, request a confidential briefing.

Authorization Types and What They Mean for Buyers

Not all FedRAMP authorisations are equivalent, and the distinction matters when a buyer relies on one. Historically, a cloud service could be authorised through an individual agency, which sponsored the assessment and accepted the risk (an agency ATO), or through the centralised Joint Authorization Board, which issued a provisional authorisation (JAB P-ATO) designed for reuse across government. The JAB route has since been retired in favour of agency authorisations overseen by the FedRAMP Board, though existing P-ATOs remain on the Marketplace. The practical question for a buyer is reusability: an authorisation that other agencies can readily leverage, by reviewing the existing package and issuing their own ATO on top of it, reduces friction and time-to-deploy, whereas one scoped narrowly to a single agency's use case may require additional assessment work before a different agency can rely on it.

This is why authorisation status deserves the same scrutiny as any other eligibility criterion. A vendor's marketing may state that it is "FedRAMP authorised" without making clear at which impact level, through which route, for which services, and whether the authorisation is current; the Marketplace listing records the status (Ready, In Process, or Authorized), the impact level, the authorising agency, and the services in the boundary, so check it rather than the brochure. Confirming the specifics, rather than accepting the headline claim, is the diligence that prevents a procurement from stalling late when the authorisation turns out not to cover the intended use.

For buyers planning across multiple contracting cycles, the trajectory also matters. The scarce supply at the High level and the slow legacy authorisation timeline have entrenched a handful of incumbents, but the FedRAMP 20x redesign is expected to widen the field for Low and Moderate services through 2026. A buyer can use that trajectory deliberately: meeting near-term needs within today's authorised pool while structuring longer commitments to benefit from the broader competition expected as faster authorisation reaches the market. Treating FedRAMP status as a dynamic market condition, rather than a fixed checkbox, is what turns a compliance requirement into a sourcing strategy.

FedRAMP in Cloud Contracts: FAQ

Is FedRAMP authorisation required to win a federal cloud contract?
Increasingly, yes. Agencies may require FedRAMP authorisation as a condition of award, provided there are enough authorised vendors to preserve competition or a legal exception applies. In practice this makes authorisation status a first-order eligibility question: a cloud service without the right impact-level authorisation can be excluded regardless of price or fit, so buyers should confirm it early in any federal sourcing exercise.
What is the difference between FedRAMP Moderate and High?
Moderate applies where a security loss would cause serious adverse effects and requires 325 controls under the Rev 4 baseline (323 under Rev 5); it covers roughly 80% of all authorisations. High applies where the loss would be severe or catastrophic, such as law enforcement, financial, and health systems, and requires 421 controls under Rev 4 (410 under Rev 5), nearly 30% more, adding advanced encryption, physical access restrictions, personnel vetting, and enhanced monitoring. Only about 48 services hold full High authorisation, so a High requirement sharply limits the vendor pool.
What is FedRAMP 20x?
FedRAMP 20x is a redesign of the assessment and authorisation process intended to replace the slow legacy path — typically 18 months or more — with a much faster one; some early participants achieved authorisation in roughly three months. The public path is expected to open broadly around the fourth quarter of FY26, with wide adoption for Low and Moderate providers across the second half of 2026, which should gradually widen the authorised-vendor pool.
How does FedRAMP affect cloud pricing and competition?
By constraining supply. Because only around 48 services hold full High authorisation, a High-impact requirement can reduce the viable vendor pool to a handful, weakening the buyer's pricing leverage. Specifying the correct — not the highest — impact level preserves competition, and planning longer-horizon procurements against the widening supply expected under FedRAMP 20x can improve future leverage. Authorisation scarcity is a commercial risk, not only a security control.

Don't Let FedRAMP Narrow Your Options Unnecessarily

The right impact level preserves competition; the wrong one collapses it. We scope FedRAMP-gated cloud procurement so security requirements don't quietly hand the vendor your leverage.
