Practitioner's Guide

Using the FedRAMP Marketplace

A government IT leader's guide to finding and vetting cloud services.

The Marketplace is the front door to compliant cloud for federal agencies — but the listing page is only the start of the decision. Here's how to read it, vet what sits behind it, and account for the changes reshaping the program in 2026.

Why this matters

If you lead IT for a federal agency, the FedRAMP Marketplace is where most of your cloud decisions begin. Federal law (FISMA) requires every system to carry an Authority to Operate (ATO) assessed against NIST 800-53 controls. For cloud services, FedRAMP replaces the old agency-by-agency assessment with a single reusable authorization — and the Marketplace is the registry that tells you which services have one.

Used well, it saves you a year of assessment work. Read carelessly, it leads you to cite a vendor as "authorized" when they aren't, or to pick a service that doesn't fit your data's risk level. Both are avoidable.

This guide covers what the Marketplace is, how to read a listing, how to vet what sits behind it, and the program changes you need to plan around right now.

What the Marketplace actually is

The FedRAMP Marketplace, maintained by the FedRAMP Program Management Office (PMO), is a searchable directory of three things: cloud service offerings (CSOs) that have earned a FedRAMP designation, the federal agencies that have authorized or are sponsoring them, and the third-party assessment organizations (3PAOs) accredited to assess them.

Before FedRAMP, a cloud provider built a separate authorization package for every agency it wanted to serve — duplicate work for the provider and duplicate review for every government buyer. The Marketplace exists to end that redundancy. The model is "assess once, use many": one authorization, reused across agencies.

As of early 2026, roughly 500 services carry full authorization, out of close to 600 total listings. That's a small slice of the commercial cloud market, which is exactly why knowing how to read the Marketplace — and how to push a vendor through it when you need one that isn't listed — is part of the job.

Reading a listing

Each Marketplace entry shows a handful of fields worth understanding:

  • Provider and Service Offering — the vendor and the specific product. Large vendors carry multiple listings; Microsoft, Google, and AWS each have separate entries for separate services, and authorization applies to the named offering, not the whole brand.
  • Status — the FedRAMP designation (covered below). This is the field that determines whether you can act on the listing.
  • Impact level — Low, Moderate, or High, matching the sensitivity of the data the service is cleared to handle.
  • Authorizations — how many agencies have issued an ATO for the service. A high number signals a mature, widely trusted offering.
  • Reuse — how many times the security package has been reused for additional authorizations. AWS GovCloud, for scale, has been reused hundreds of times; Microsoft 365 carries dozens of authorizations and hundreds of reuses. High reuse means a well-worn path you can follow.

Read those last two together. A service with many authorizations and high reuse is a low-friction choice — other agencies have already done the diligence and accepted the risk.

The three statuses and what they mean for you

This is where agency leaders most often get burned, usually because a vendor's sales team blurs the line. There are three designations, and only one lets you issue an ATO:

  • FedRAMP Ready — a 3PAO has completed a Readiness Assessment Report (RAR) and the PMO has accepted it. It signals the service is likely to pass full authorization. It does not authorize anything. You cannot issue an ATO on a Ready listing. It's a credibility marker, valid one year, available only at Moderate and High.
  • FedRAMP In Process — the vendor is actively working toward authorization with a sponsoring agency, having filed an In Process Request and a work breakdown structure with the PMO. Still not authorized. No ATO can rest on this status either.
  • FedRAMP Authorized — the service finished the full process, a sponsoring agency's Authorizing Official signed an ATO letter, and the package is published for government-wide reuse. This is the only status that supports your ATO and the reuse model.

If a solicitation requires FedRAMP authorization and a teaming partner shows as Ready or In Process, they don't meet the bar yet — and evaluators will check.

Matching impact level to your data

Before you shortlist anything, categorize your system under FIPS 199 — Low, Moderate, or High based on the impact of losing confidentiality, integrity, or availability. There's also Li-SaaS, a tailored low-impact baseline for software-as-a-service with limited data exposure. Then filter the Marketplace to that level. A High-impact system can't run on a Moderate authorization, and stretching to fit is how agencies create findings for themselves.

Vetting what's behind the listing

Here's the part the public page won't give you: the listing is the front door, not the decision. The documents that actually drive your authorization — the System Security Plan (SSP), describing the boundary and data flows, and the Plan of Action and Milestones (POA&M), listing open risks — sit behind a controlled request process.

Before you issue your own ATO, request and review the package. Look at where the authorization boundary is drawn, how data moves, what's still open on the POA&M, and whether the vendor's continuous monitoring is real and current. A FedRAMP authorization is not a blanket guarantee that a service fits your mission — it's evidence you assess against your own risk tolerance. The Marketplace points you to the package; your judgment closes the decision.

Reuse: the part that saves you a year

The single biggest payoff of the Marketplace is reuse. When a service is Authorized, you don't repeat the full assessment. You review the existing package, judge whether the residual risk is acceptable for your environment, and issue your ATO on that basis — FedRAMP publishes a quick guide for exactly this. A clean reuse can compress months of work into weeks. Build your selection habit around services with strong reuse histories and you'll move faster with less risk.

Watch the marketing language

Vendors know "FedRAMP" sells, and not all of them stay honest about status. A few terms to treat with care:

  • "FedRAMP Equivalent" is not a Marketplace authorization. A Department of Defense memo tightened the rules around equivalency and closed a loophole agencies had used to skip full authorization. Treat equivalency claims with scrutiny.
  • "FedRAMP Compliant" is not an official designation at all.
  • "FedRAMP Certified" historically was not a recognized status either — though, as covered next, that word is about to take on official meaning.

When status matters, the Marketplace is the source of truth. A vendor's slide deck is not.

The 2026 changes you need to plan around

FedRAMP is in the middle of its biggest structural change since it began, under the Consolidated Rules for 2026 (CR26) and the broader FedRAMP 20x modernization push. A few shifts directly affect how you'll read the Marketplace going forward:

  • "Authorized" is being renamed "Certified." Program-wide, "FedRAMP Authorized" becomes "FedRAMP Certified," and the Marketplace has already begun describing its listings as certified cloud services. Existing authorizations stay valid through the transition.
  • FedRAMP Ready is retiring. It's being renamed "Legacy FedRAMP Ready," new Ready submissions are ending, and existing ones will age off the Marketplace on a set schedule.
  • The Joint Authorization Board (JAB) is dissolved. A time-limited, sponsorless certification path is being introduced for providers already well along on Rev 5, which loosens the long-standing requirement for an agency sponsor.
  • Impact levels are becoming classes. Low and Li-SaaS map to Class B, Moderate to Class C, and High to Class D, with the High tier restricted to the agency path.
  • Continuous monitoring stays mandatory, and new listing rules require providers to keep accurate, machine-readable information current.

CR26 is set to finalize around mid-2026, with enforcement starting in January 2027. The practical takeaway: expect the terms on the Marketplace to shift under you over the next year, and verify current status directly rather than trusting last year's language.

A working checklist

When you're sourcing a cloud service through the Marketplace:

  1. Categorize your system under FIPS 199 first, then filter to the matching impact level.
  2. Confirm the status is Authorized (soon Certified) — not Ready, In Process, Equivalent, or Compliant.
  3. Read the authorizations and reuse counts as a signal of maturity and a low-friction path.
  4. Request the SSP and POA&M, and review the boundary, data flows, and open risks against your own tolerance.
  5. Confirm continuous monitoring is active and current.
  6. If the service you need isn't listed, line up an agency sponsor early or look at a pre-authorized boundary to shorten the path.

Key takeaways

  • The Marketplace is the authoritative registry of FedRAMP cloud services, built on an "assess once, use many" model.
  • Only "Authorized" (becoming "Certified") supports an ATO and reuse — Ready and In Process do not.
  • The listing is the front door; the SSP and POA&M behind it are where the real vetting happens.
  • Reuse is the payoff — a clean package can turn a year of assessment into weeks.
  • FedRAMP is mid-transition under CR26 and 20x; verify status directly and plan for the rename and the retirement of legacy designations.

About the author

Jose D Soto is an information security leader with hands-on experience across federal and government IT, GRC, and security modernization, including evaluating and authorizing cloud services against FedRAMP and NIST 800-53. This guide reflects real implementation work, not theory.