Skip to main content
Knox has achieved our 16th federal sponsor, FEMA for Fed High authorization.

FedRAMP Requirements: What Engineering and Security Teams Actually Need to Do

Written by: 
Team Knox
Published on: 
April 23, 2026

For companies interested in selling to federal agencies, the path to Federal Risk and Authorization Management Program (FedRAMP) authorization remains opaque. The requirements are substantial, and the documentation is scattered across multiple FedRAMP playbooks and National Institute of Standards and Technology (NIST) publications.

There is also a tendency to underestimate the scope. Teams treat FedRAMP as a single compliance project with a finish line, rather than recognizing that it creates two distinct sets of obligations: the requirements to obtain authorization and the ongoing requirements to remain authorized.

This guide breaks down both sets of requirements. It also explains how the choice of authorization approach determines how much of that work falls to the company's internal security and engineering team.

Key Takeaways

  • FedRAMP creates two distinct sets of obligations: the requirements to obtain authorization and the ongoing requirements to remain authorized.
  • Certain controls, such as access management, audit logging, and encryption, always belong to the company's engineering team.
  • Ongoing compliance is a permanent engineering workflow. Monthly scan submissions, POA&M updates, system inventory maintenance, and remediation within enforced SLA windows are not periodic projects.
  • Deploying on a pre-authorized infrastructure boundary allows teams to inherit infrastructure-layer controls and narrow the scope of both pre-authorization and ongoing compliance.

FedRAMP Requirements Before Authorization

Before pursuing any FedRAMP requirements, engineering teams need to scope the authorization level: Low, Moderate, or High.

Each baseline, as defined by NIST SP 800-53 Rev. 5, determines the number of security controls the team must implement and document. Low requires ~149–150 controls, Moderate requires ~287–304, and High requires ~370–392. FedRAMP Moderate accounts for about 80% of all FedRAMP-authorized cloud service offerings.

One nuance that trips teams up early: impact level is determined by a Federal Information Processing Standards (FIPS) 199 high-water mark. If a SaaS product primarily handles low-sensitivity data but processes even a single category of Moderate-impact information, the entire system is subject to the Moderate baseline.

For SaaS products specifically, Moderate also means demonstrating multi-tenant isolation with evidence strong enough for third-party validation and implementing application-layer controls within the product itself, not just at the infrastructure tier.

1. Infrastructure Requirements

Three conditions will stop an authorization before it begins:

  • Production infrastructure must run on a FedRAMP-authorized cloud environment. Commercial cloud is not sufficient, and each managed service consumed must also be individually authorized in the FedRAMP Marketplace.
  • Infrastructure must be managed through version-controlled Infrastructure as Code (IaC). FedRAMP RFC-0006 requires changes to be executed through the redeployment of version-controlled, immutable resources, not through manual configuration.
  • All third-party SaaS dependencies handling federal data must hold FedRAMP authorization at the required impact level. This applies to monitoring tools, logging platforms, ticketing systems, email delivery services, and any developer tooling that touches federal data or system metadata.

Any one of these is a hard stop. Companies must enumerate the full SaaS dependency stack before spending a dollar on documentation.

2. Application-Layer Controls That Must Be Implemented

Certain controls fall entirely within the responsibility of the SaaS vendor's internal engineering team. The list includes:

  • Access Controls (AC): Role-Based Access Control (RBAC), multi-factor authentication (MFA), user provisioning and deprovisioning, session locking and termination, and lockout for unsuccessful logins. All must be enforced within the application.
  • Audit Logging (AU): Application-level event logging with retention, protection from modification, and Security Information and Event Management (SIEM) correlation. Infrastructure-level logging does not cover the application.
  • Encryption (SC): Transport Layer Security (TLS) enforcement for all application-layer communications, FIPS 140-2/3 validated cryptographic modules, and encryption key lifecycle management for data at rest.
  • Incident Response (IR): IR-1 through IR-8 (policy, training, testing, handling, monitoring, and reporting) must be independently developed. The FedRAMP role descriptions do not explicitly state that SaaS vendors must develop their own incident response plans, but FedRAMP documentation requires CSPs (including SaaS providers) to have them.
  • Personnel Security (PS): PS-3 and PS-7 require personnel screening, authorization before access, and monitoring of external provider compliance for any personnel with access to federal system components.

These controls sit in the application and operating model. They do not transfer simply because the infrastructure provider is already authorized.

3. System Security Plan Requirements

The System Security Plan (SSP) is the core authorization document. It describes the system boundary, the security controls in place, and how each control is implemented and maintained.

Every FedRAMP authorization — Low, Moderate, or High — requires a completed SSP before assessment can begin. For Moderate systems, the SSP includes 17 appendices covering everything from system architecture to cryptographic module inventories to configuration management procedures.

The SSP documentation requires each control statement to describe what is implemented, how it is implemented, and who is responsible. In practice, this means engineering teams must author the technical narratives directly; compliance staff cannot accurately describe system behavior without direct engineering input. Engineering-authored sections include system architecture and boundary documentation, all technical control narratives, the Cryptographic Modules Table (Appendix Q), the Integrated Inventory Workbook (Appendix M), and the Configuration Management Plan (Appendix H).

Three things commonly cause SSP submissions to run into FedRAMP PMO review issues:

  • Modifying the official template.
  • Rephrasing the control requirement instead of describing the actual implementation.
  • Relying on references to other controls rather than providing a clear narrative for each.

The SSP is also a living document, and new services, architecture changes, and new data flows trigger a compliance process under the change framework.

4. 3PAO Assessment Readiness

FedRAMP authorization requires a third-party assessment conducted by an accredited Third Party Assessment Organization (3PAO). The 3PAO independently evaluates the system against the applicable NIST 800-53 baseline, tests the controls described in the SSP, and produces a Security Assessment Report (SAR) documenting its findings. No system receives a FedRAMP Authorized designation without passing this assessment.

The 3PAO RAR Guide instructs assessors to validate what is actually implemented, not what has been written in documentation. Incomplete paperwork with working controls can pass a Readiness Assessment. Complete documentation with unimplemented controls cannot. For multi-tenant SaaS architectures, tenant isolation must be demonstrated through strong evidence, not application-logic assertions.

Engineers should expect each SSP narrative to be tested against observed system behavior. Common evidence requests include:

  • Actual log samples, not a policy statement that logging is enabled
  • Observed MFA enforcement, not a narrative that MFA exists
  • Implemented tenant isolation evidence, not design intent alone
  • Current configurations that match the SSP narrative

Discrepancies discovered during examination become formal findings in the SAR. They are not informal corrections handled off the record.

Ongoing FedRAMP Requirements After Authorization

Continuous Monitoring (ConMon) is a permanent DevSecOps obligation with enforceable SLAs and escalation consequences. This is where most FedRAMP guides go quiet, and where most engineering teams are underprepared.

1. Vulnerability Scanning

Vulnerability scanning runs on a set cadence: monthly at minimum for all assets and weekly internal scans of Moderate systems. All scans must be authenticated; unauthenticated results comprising 10% or more of the submission trigger a Detailed Finding Review (DFR). Container scanning is required for images and containers against NIST SP 800-70 benchmarks.

2. Remediation SLAs

When vulnerability scans surface findings, FedRAMP does not leave the timeline for fixes to the engineering team's discretion. Each finding is classified by severity using the Common Vulnerability Scoring System (CVSS), and FedRAMP enforces maximum remediation windows for each tier:

Severity Maximum Days from Discovery
High (CVSS ≥ 7.0) 30 days
Medium (CVSS 4.0 to 6.9) 90 days
Low (CVSS < 4.0) 180 days

Missing these deadlines can trigger escalation actions that may affect authorization status. For Moderate systems, 10 or more unique vulnerabilities that have aged beyond 90 days trigger a DFR. This escalates to a Corrective Action Plan when 10 or more unique vulnerabilities have aged beyond 120 days, or when the DFR threshold is reached multiple times within a six-month window.

3. Monthly Deliverables

Beyond scanning and remediation, FedRAMP requires a set of compliance artifacts to be uploaded to a secure repository every month. These deliverables serve as the primary evidence that a system remains in good standing. Miss a submission, and the authorization status itself is at risk. Monthly deliverables include:

  • an updated Plan of Action and Milestones (POA&M)
  • an updated system inventory
  • raw vulnerability scan files when required by agreements with agency customers

For providers with more than one agency Authority to Operate (ATO), CA-7 requires a collaborative continuous monitoring approach that includes monthly ConMon meetings open to all agency customers and FedRAMP.

4. Annual Reassessment

Annual reassessment covers annual controls, plus a penetration test and, under Rev 5, an additional assessment exercise for Moderate and High systems. Official FedRAMP guidance on ConMon does not state a requirement for an annual reassessment by a 3PAO.

How an Inherited Authorization Boundary Reduces Both Requirement Sets

Both requirement sets described above, pre-authorization controls and ongoing ConMon obligations, are non-negotiable for federal market access.

Deploying within a pre-authorized infrastructure boundary changes that scope. In this model, the SaaS vendor operates inside a boundary that has already been assessed and authorized. The inherited boundary narrows what engineering teams must build and document before authorization and the ongoing compliance operations they must sustain after authorization.

What Changes in the Pre-Authorization Requirements

The three infrastructure requirements outlined earlier — authorized cloud environment, version-controlled IaC, and FedRAMP-authorized third-party dependencies — are already satisfied by the boundary operator. Engineering teams do not need to stand up a government cloud environment, build IaC pipelines for infrastructure provisioning, or audit every third-party service for FedRAMP authorization at the infrastructure layer.

However, the application-layer controls described in this guide — access management (AC), audit logging (AU), encryption (SC), incident response (IR), and personnel security (PS) — remain entirely within the SaaS provider's control.

The SSP is still required, but it documents a narrower boundary with fewer controls to describe. 3PAO assessment still occurs, but the scope of what assessors must validate has been reduced to the application layer and to the controls that the team directly implements.

What Changes in the Ongoing Compliance Obligations

The pre-authorized infrastructure boundary also covers the ongoing requirements. Infrastructure-layer vulnerability scanning, including host and container scans for the underlying environment, is handled by the boundary operator.

Remediation SLAs still apply, but only to application-layer findings; the infrastructure operator has its own remediation obligations. Monthly deliverables still include a POA&M and a system inventory, but both cover a smaller scope. Annual reassessment covers a reduced control set, limited to the controls the SaaS provider owns.

The monthly cadence does not change. The enforcement mechanisms do not change. What changes is the volume of work at each checkpoint.

Knox: A Pre-Authorized Boundary for SaaS Teams

Knox is a FedRAMP-as-a-Service platform that operates a pre-authorized Knox FedRAMP boundary.

Vendors deploy within that boundary and inherit 60% to 80% of the required controls on day one. Knox publishes its own CRM, enabling additional infrastructure-layer inheritance beyond the hyperscaler. Deploying within the Knox platform allows an engineering team to focus on application-layer controls while inheriting the infrastructure layer through the Knox FedRAMP boundary, for both initial authorization and ongoing compliance.

Tovuti, an AI-powered Learning Management System, illustrates the difference this model makes. Tovuti had spent over a year and a significant budget attempting FedRAMP authorization independently before the process stalled. Finding a sponsor proved nearly impossible, audit costs were high, and the resources required to maintain a full FedRAMP operation were beyond what the team could staff internally.

Knox eliminated the sponsor requirement, filled the staffing and operational gaps, and provided a predictable cost structure in place of open-ended audit cycles. Tovuti achieved FedRAMP Moderate authorization and now serves federal agencies, including training the SEC on cryptocurrency compliance.

The Authorization Approach Determines the Requirement Burden

The authorization approach a SaaS company chooses shapes the scope of requirements it carries, both to get authorized and to stay authorized.

Building an independent boundary means owning every control, every scan, every monthly submission across every layer. Deploying on a pre-authorized boundary means focusing engineering resources on the application-layer controls where the team already has expertise.

The authorization approach is not a decision to be deferred, as it determines the infrastructure architecture, staffing model, documentation scope, and ongoing operational burden.

For SaaS companies evaluating federal market entry, the clearest path forward is to assess the full weight of both the pre-authorization and ongoing requirement sets against current engineering capacity. Knox compresses what historically takes years and costs upwards of $3.5 million into roughly 90 days, at 90% of the cost per application.

Schedule a meeting with the Knox team to assess how the pre-authorized boundary model can reduce the burden of FedRAMP requirements.

Book a Meeting