In the past 24 months, we've seen three federal agencies sign multi-year SaaS contracts with vendors claiming FedRAMP compliance — only to discover during their own security reviews that the vendor was "FedRAMP Ready" (meaning they'd started the process) rather than "FedRAMP Authorized" (meaning they'd completed it and been approved). The consequences ranged from contract termination to security incidents.
FedRAMP Ready vs. FedRAMP Authorized: The Critical Difference
FedRAMP Ready means a vendor has completed a Readiness Assessment Report (RAR) and been deemed likely to achieve authorization. It is not authorization. FedRAMP Authorized means the vendor has completed the full authorization process, been reviewed by a Third Party Assessment Organization (3PAO), and been approved by the FedRAMP Program Management Office.
- FedRAMP Ready: Assessment complete, authorization not yet granted
- FedRAMP In Process: Authorization in progress (can take 12-24 months)
- FedRAMP Authorized: Full authorization granted — the only status that allows federal use
- FedRAMP Authorized (Agency): Authorized by a specific agency, may not cover your agency
The Due Diligence Checklist
1. Verify authorization status directly on marketplace.fedramp.gov — not on the vendor's website
2. Confirm the authorization level (Low, Moderate, High) matches your data sensitivity requirements
3. Check the authorization date — authorizations older than 3 years may have significant gaps
4. Verify the authorizing agency — agency authorizations may not cover your specific use case
5. Request the vendor's most recent 3PAO assessment report
6. Confirm continuous monitoring compliance — are they submitting monthly reports?
7. Ask for their Plan of Action & Milestones (POA&M) — what known vulnerabilities exist?
"We require vendors to provide their FedRAMP authorization package number and we verify it ourselves on marketplace.fedramp.gov before any contract discussion. Non-negotiable." — Federal CISO
What to Do If a Vendor Claims FedRAMP Ready
If a vendor claims FedRAMP Ready status, you have two options: wait for full authorization (which can take 12-24 months and may never happen), or require them to operate under an Authority to Operate (ATO) issued by your agency's own security team. The latter is possible but requires significant internal resources.