FedRAMP Authorized Vendor List (2026)

FedRAMP authorization means a cloud service offering (CSO) has been independently assessed by a Third Party Assessment Organization (3PAO) and granted an Authority to Operate (ATO) by a federal agency or the Joint Authorization Board (JAB). The authorization confirms the vendor meets a defined set of NIST 800-53 security controls appropriate to the data sensitivity level. There are three authorization paths: Agency Authorization (sponsored by a single agency), JAB Authorization (reviewed by DoD, DHS, and GSA), and FedRAMP Ready (a preliminary designation indicating the vendor has been assessed but not yet authorized). An authorized vendor appears on the FedRAMP Marketplace with their authorization status, impact level, and sponsoring agency.

FedRAMP authorization is granted at one of three impact levels defined by FIPS 199: Low (LI-SaaS), Moderate, and High. The impact level determines how many security controls the vendor must implement.

FedRAMP Moderate requires approximately 325 security controls and covers systems where the loss of confidentiality, integrity, or availability would have a serious adverse effect on organizational operations, assets, or individuals. Most SaaS products serving federal civilian agencies target Moderate authorization. Examples: Salesforce Government Cloud, Okta, GitHub Enterprise Cloud, Snowflake Government.

FedRAMP High requires approximately 421 security controls and covers systems processing data where loss would have a severe or catastrophic effect — including law enforcement data, emergency services, financial systems, and health data. Examples: AWS GovCloud, Microsoft Azure Government.

A vendor authorized at High can process Moderate and Low data. A vendor authorized at Moderate cannot process High-impact data.

FedRAMP Ready is a preliminary designation that means a 3PAO has confirmed the vendor's system meets FedRAMP security requirements in a readiness assessment — but no federal agency has granted an Authority to Operate (ATO). FedRAMP Ready vendors appear on the FedRAMP Marketplace but cannot process federal data until they complete the full authorization process with a sponsoring agency. The gap between Ready and Authorized can take 6-18 months. Organizations evaluating vendors for federal workloads should not treat FedRAMP Ready as equivalent to FedRAMP Authorized. If your compliance framework requires FedRAMP authorization, only vendors with an active ATO at the appropriate impact level satisfy the requirement.

The authoritative source for FedRAMP authorization status is the FedRAMP Marketplace at marketplace.fedramp.gov. Do not rely on vendor marketing pages — vendors sometimes claim FedRAMP authorization for their commercial product when only their government-specific offering is authorized. To verify: search for the vendor name on the Marketplace, confirm the specific Cloud Service Offering (CSO) matches what you plan to use, check the authorization status (Authorized vs. In Process vs. Ready), verify the impact level meets your data classification, and note the sponsoring agency and authorization date.

ThirdProof automates this verification as part of its certification registry checks during vendor investigations. The investigation queries the FedRAMP Marketplace API directly and includes the result in the vendor's compliance evidence section.

When a vendor you need is not FedRAMP authorized, you have several options depending on your compliance requirements:

1. Identify FedRAMP-authorized alternatives. For many software categories, authorized alternatives exist. For example, if Slack (not authorized) is required for messaging, GovSlack or Microsoft Teams (authorized at Moderate) are alternatives.

2. Request the vendor pursue authorization. Large vendors sometimes prioritize FedRAMP authorization when customers demonstrate demand. Ask your vendor contact about their FedRAMP roadmap.

3. Document compensating controls. If no authorized alternative exists and the vendor handles non-CUI data, document the gap with compensating controls: encryption requirements, access restrictions, data residency controls, and monitoring.

4. Obtain risk acceptance. For CMMC, FedRAMP, and agency-specific requirements, formal risk acceptance from your authorizing official may be required when using non-authorized vendors.

5. Isolate the workload. Deploy the non-authorized vendor in a separate environment that does not process federal data or CUI.