United States | Standard

Federal Risk and Authorization Management Program

Without FedRAMP alignment, your organisation cannot deliver or operate cloud services for US federal agencies. A revoked authorisation removes the offering from the FedRAMP Marketplace, and agencies must stop relying on it for federal workloads.

Mapped to Microsoft controls
Effective Date: December 2011 (established by OMB memorandum)
Enforcement Body: FedRAMP Program Management Office (PMO) within the General Services Administration (GSA); authorising agencies issue and revoke ATOs for the systems they operate
Penalty Framework: Non-compliance results in denial of an Authority to Operate (ATO) and exclusion from federal cloud contracts. Existing authorisations can be revoked after significant incidents or failure to maintain continuous monitoring. A cloud service provider that loses its authorisation also loses its FedRAMP Marketplace listing, which in practice bars it from the federal market.

The Federal Risk and Authorization Management Program (FedRAMP) is the US government's standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services. Codified into law in 2022, FedRAMP provides a consistent security framework based on NIST SP 800-53 controls.

FedRAMP defines three impact levels (Low, Moderate, High) with increasing control requirements, plus a tailored Low-Impact SaaS (LI-SaaS) baseline. Microsoft 365 GCC and GCC High each hold a FedRAMP authorisation; the impact level of each offering is published on the FedRAMP Marketplace and should be checked against the level your agency requires, since GCC and GCC High also differ in data residency and personnel screening. In every case, tenant-level configuration remains the customer's responsibility under the shared responsibility model.

For organisations leveraging M365 GCC/GCC High for federal workloads, FedRAMP compliance requires Conditional Access enforcing strict authentication policies, continuous monitoring through Defender XDR and Sentinel, comprehensive audit logging, and documented security configurations. StremarControl engineers and operates the Microsoft-native controls required for FedRAMP mandates, translating obligations into enforceable tenant-level controls, structured evidence, and ongoing assurance discipline.

Why This Matters Now

FedRAMP is the mandatory security assessment and authorisation framework for cloud service providers serving US federal agencies. Microsoft 365 GCC and GCC High hold FedRAMP authorisations, but tenant-level configuration must demonstrate that the organisation leverages these controls correctly. For M365 environments, FedRAMP alignment requires Conditional Access enforcing strict authentication, continuous monitoring through Defender and Sentinel, and documented Plans of Action and Milestones (POA&Ms). FedRAMP compliance unlocks access to the vast US federal cloud market.

Scope & Applicability

Applies to all cloud service offerings (CSOs) used by US federal agencies, at three impact levels: Low, Moderate, and High. The FedRAMP Authorization Act (2022) codified the programme into law. Organisations using M365 GCC/GCC High for federal workloads inherit the controls Microsoft implements for the platform, as documented in Microsoft's system security plan and customer responsibility matrix, but they do not inherit the authorisation itself: the agency still issues its own ATO for the system built on the service, and the customer must implement, document and evidence every customer-responsible control under the shared responsibility model.

Core Obligations

01 Access Control (AC control family)
Implement account management, access enforcement, separation of duties, least privilege, and session controls as defined by the applicable FedRAMP baseline.

02 Continuous Monitoring (CA-7)
Implement a continuous monitoring strategy that includes ongoing assessment of security controls, recurring vulnerability scanning, POA&M upkeep, and security status reporting to the authorising agency.

03 Incident Response (IR control family)
Establish and maintain incident response capabilities including training, testing, handling, monitoring, and reporting to the authorising agency and to CISA (formerly US-CERT).

04 Audit and Accountability (AU control family)
Create, protect, and retain audit records. Analyse and report on audit events. Ensure individual accountability through non-repudiation.

Microsoft 365 Control Mapping

How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.

Obligation: Access Control (AC)
M365 Control: Conditional Access with phishing-resistant MFA. PIM for privileged access. Entra ID Access Reviews. Named locations and device compliance requirements.
Evidence: Conditional Access policy documentation (including break-glass exclusions), PIM reports, access review logs, authentication logs.

Obligation: Continuous Monitoring (CA-7)
M365 Control: Defender XDR with unified incident queue. Sentinel SIEM for continuous threat monitoring. Microsoft Secure Score tracking. Vulnerability management via Defender for Endpoint.
Evidence: Monthly vulnerability scan results and POA&M updates (the ConMon deliverables assessors expect), Sentinel analytics summaries, Defender vulnerability assessments, Secure Score trend as supporting evidence.

Obligation: Audit and Accountability (AU)
M365 Control: Unified Audit Log configured for the retention period the applicable FedRAMP AU-11 parameter requires (where the necessary licences and audit retention policies are deployed). Sentinel workspace with long-term retention; where a tamper-evident archive is required, export to Azure Storage with an immutability (WORM) policy, since a Log Analytics workspace is not immutable on its own. Log integrity verification procedures.
Evidence: Audit log retention configuration, Sentinel and archive retention policies, immutability policy settings, log integrity verification reports.
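As an added example (not part of the original page and not StremarControl's tooling), the following Python check reads a Conditional Access policy export in Microsoft Graph's conditionalAccessPolicy shape and answers the evidence question behind the AC row: is there an enabled policy covering all users and all cloud apps that requires the built-in phishing-resistant authentication strength? It records break-glass exclusions for the evidence file and flags the two things assessors reject as proof of enforcement: the classic built-in "mfa" grant (which accepts any enabled method, SMS and voice included) and report-only policies. The sample export, account ids and policy names are constructed; the authentication strength id is Entra ID's built-in one, and the Global Administrator role template id is Microsoft's published value.

```python
"""Evaluate exported Entra Conditional Access policies for phishing-resistant MFA enforcement.

Input follows the Microsoft Graph conditionalAccessPolicy resource (displayName, state,
conditions.users, conditions.applications, grantControls). SAMPLE_EXPORT is constructed
for this example and does not come from a real tenant.
"""
import json

# Entra ID built-in authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Constructed export: one compliant policy, one classic-MFA policy, one report-only policy.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "CA001 - Require phishing-resistant MFA for all users",
        "state": "enabled",
        "conditions": {
            # excludeUsers holds a constructed break-glass account id
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["11111111-2222-3333-4444-555555555555"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID,
                                       "displayName": "Phishing-resistant MFA"},
        },
    },
    {
        "displayName": "CA002 - Require MFA for admins",
        "state": "enabled",
        "conditions": {
            # 62e90394-... is the Global Administrator role template id
            "users": {"includeUsers": [], "excludeUsers": [],
                      "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                          "authenticationStrength": None},
    },
    {
        "displayName": "CA003 - Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"],
                          "authenticationStrength": None},
    },
])


def load_policies(export_json):
    """Parse a JSON array of conditionalAccessPolicy objects."""
    return json.loads(export_json)


def _grant(policy):
    return policy.get("grantControls") or {}


def covers_all_users(policy):
    return "All" in (policy["conditions"]["users"].get("includeUsers") or [])


def covers_all_apps(policy):
    return "All" in (policy["conditions"]["applications"].get("includeApplications") or [])


def requires_phishing_resistant(policy):
    """True only when the grant cannot be satisfied by a weaker control.

    With operator OR, any additional built-in control (e.g. compliantDevice) is an
    alternative path that bypasses the authentication strength requirement.
    """
    grant = _grant(policy)
    strength = grant.get("authenticationStrength") or {}
    if strength.get("id") != PHISHING_RESISTANT_STRENGTH_ID:
        return False
    other_controls = grant.get("builtInControls") or []
    return not other_controls or grant.get("operator") == "AND"


def assess(policies):
    """Return an evidence summary: enforcing policies, their exclusions, and findings."""
    result = {"enforcing_policies": [], "excluded_users": [], "findings": []}
    for policy in policies:
        name, state, grant = policy["displayName"], policy.get("state"), _grant(policy)
        if state != "enabled":
            result["findings"].append(
                f"{name}: state is {state}; report-only or disabled policies are not evidence of enforcement")
            continue
        if "mfa" in (grant.get("builtInControls") or []) and not grant.get("authenticationStrength"):
            result["findings"].append(
                f"{name}: built-in 'mfa' grant accepts any enabled method (SMS/voice included); no authentication strength set")
        if covers_all_users(policy) and covers_all_apps(policy) and requires_phishing_resistant(policy):
            result["enforcing_policies"].append(name)
            result["excluded_users"].extend(policy["conditions"]["users"].get("excludeUsers") or [])
    result["phishing_resistant_enforced_for_all"] = bool(result["enforcing_policies"])
    return result


if __name__ == "__main__":
    print(json.dumps(assess(load_policies(SAMPLE_EXPORT)), indent=2))
```

Feed it the output of a Graph call such as GET /identity/conditionalAccess/policies saved to disk, and keep the resulting JSON with the monthly evidence package; the excluded_users list is the set of accounts the assessor will ask you to justify.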

Implementation Timeline

December 2011
FedRAMP established by OMB memorandum
June 2012
FedRAMP becomes operational; the Joint Authorization Board (JAB) begins issuing provisional ATOs
December 2022
FedRAMP Authorization Act signed into law (as part of the FY2023 NDAA)
May 2023
FedRAMP Rev 5 baselines released (aligned with NIST SP 800-53 Rev 5), with a transition period for existing authorisations
July 2024
OMB memorandum M-24-15 modernises the programme and replaces the JAB with the FedRAMP Board
Ongoing
Continuous monitoring and annual assessment requirements

Ready to get FedRAMP-ready?

Start with a fixed-scope sprint. We assess your Microsoft 365 controls against FedRAMP requirements, close gaps, and produce audit-ready evidence.