FedRAMP. Cloud authorization for federal workloads.
The Federal Risk and Authorization Management Program standardizes how cloud services are approved for federal use. For CMMC contractors, FedRAMP determines which cloud products you can use to store and process CUI.
Overview
FedRAMP is not CMMC. It is the cloud-side authorization program that tells you whether a given CSP (AWS, Azure, M365, Google Cloud, etc.) has been cleared for federal workloads at Low, Moderate, or High impact levels. FedRAMP Moderate Equivalent is the practical floor for CUI under DFARS 7012.
The intersection with CMMC is specific: if you use a commercial cloud to store or process CUI, that cloud must be FedRAMP Moderate (or Moderate Equivalent) at minimum. For GCC High tenants, Microsoft meets this by running on FedRAMP High infrastructure. Commercial M365 does not — which is why tenant selection is the single most consequential CMMC decision most contractors make.
Scope
Your cloud providers, not your organization directly. But your CMMC scope inherits the authorization posture of every cloud you use for CUI.
Low, Moderate, and High. CUI lives at Moderate or above. Classified data is not in FedRAMP scope at all.
Core Requirements
- 01FedRAMP Moderate or Moderate Equivalent baseline for CUI storage/processing
- 02A CSP that is authorized on the FedRAMP marketplace, or a vendor with a written Moderate Equivalency attestation
- 03Shared responsibility documentation showing which controls the CSP covers vs which you own
- 04Boundary diagrams identifying where CUI crosses the CSP boundary
Tolerance maps your cloud tenants to their FedRAMP status automatically and flags any CUI flow into a non-authorized tenant as a scope violation — before it becomes an assessment finding.
Have a contract requiring this framework?
Book a 30-minute call. We'll scope your obligation and give you a fixed-price proposal the same week.