## Impact levels

| Level | Data sensitivity | Customer examples |
|---|---|---|
| FedRAMP Tailored (LI-SaaS) | Public, low-impact | Public-facing form apps, simple data collection |
| FedRAMP Low | Public business data | Marketing analytics, public-portal CMS |
| FedRAMP Moderate | Sensitive but unclassified data | Most B2B SaaS — CRM, project management, HR, financial systems |
| FedRAMP High | Mission-critical, life-safety | DoD, intelligence community, IRS-data-handling systems |
## Costs and timeline

| Path | Timeline | Total cost (3PAO + remediation + internal) |
|---|---|---|
| FedRAMP Tailored | 6-9 months | $50K-150K |
| FedRAMP Low | 9-12 months | $150K-300K |
| FedRAMP Moderate | 12-18 months | $300K-700K |
| FedRAMP High | 18-24 months | $500K-1M+ |
## Authorization paths

- Agency ATO — sponsored by a specific federal agency. The agency reviews your package, issues an ATO, and you’re authorized for that agency.
- JAB P-ATO — Joint Authorization Board provisional ATO. Reviewed centrally by the FedRAMP PMO and accepted across all federal agencies. Higher bar; longer timeline. The JAB has a limited number of slots per year.

Most companies start with an Agency ATO: find a sponsoring agency (often via a contractor relationship), get authorized, then optionally pursue JAB later for broader market access.

## Required infrastructure decisions
Before pursuing FedRAMP, two infrastructure choices have to be made — both expensive to reverse:

### 1. Cloud service provider

You can only run on a FedRAMP-authorized CSP. The big options:

- AWS GovCloud — Moderate and High authorized; widely used for FedRAMP workloads
- Azure Government — Moderate and High authorized; Microsoft’s federal offering
- GCP Assured Workloads (FedRAMP) — Moderate authorized; smaller federal footprint
- Oracle Cloud for Government — Moderate; less common for SaaS
### 2. Data residency

FedRAMP requires that data stay in US territory and be processed by US persons. This means:

- No offshore engineering for FedRAMP customers — your federal deployment can’t be touched by non-US engineers
- No SaaS dependencies that aren’t FedRAMP-authorized themselves — every CSP, every analytics tool, every monitoring service must be FedRAMP-authorized too
## How Codex maps the FedRAMP Moderate baseline

FedRAMP Moderate is essentially the NIST 800-53 Moderate baseline + ~25 FedRAMP-specific control parameters + continuous monitoring. The control catalog is the same as in the NIST 800-53 guide. FedRAMP-specific additions:

### Continuous monitoring (ConMon)

Federal customers expect monthly evidence of ongoing security. Codex generates the monthly ConMon report:

- Vulnerability scan results — monthly + remediation SLA tracking (Critical: 30d, High: 30d, Moderate: 90d, Low: 180d)
- Plan of Action and Milestones (POAM) updates — open issues + target close dates
- System inventory changes — hardware/software added or removed
- User access changes — provisioned, modified, terminated since last report
- Configuration changes — CM-3 compliant baseline drift report
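The remediation SLA tracking and POAM status roll-up described above, as an added example that is not Codex's own code: it applies the page's per-severity SLA windows to a set of constructed scan findings and classifies each as open, overdue or closed for a monthly report. The finding fields, sample IDs and report date are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# FedRAMP remediation SLAs from the ConMon section, in days from discovery.
# Critical is tracked on the same 30-day clock as High.
REMEDIATION_SLA_DAYS = {"Critical": 30, "High": 30, "Moderate": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    """One scanner finding as it would appear in the monthly scan export (assumed schema)."""
    finding_id: str
    severity: str
    discovered: date
    remediated: Optional[date] = None


def due_date(finding: Finding) -> date:
    """Target close date for a finding under the FedRAMP SLA for its severity."""
    return finding.discovered + timedelta(days=REMEDIATION_SLA_DAYS[finding.severity])


def poam_status(finding: Finding, as_of: date) -> str:
    """Classify a finding for the POAM as of the report date: closed, open (within SLA) or overdue."""
    if finding.remediated is not None and finding.remediated <= as_of:
        return "closed"
    return "overdue" if as_of > due_date(finding) else "open"


def conmon_summary(findings: Iterable[Finding], as_of: date) -> dict:
    """Roll findings up into the per-severity counts a monthly ConMon report states."""
    summary = {sev: {"open": 0, "overdue": 0, "closed": 0} for sev in REMEDIATION_SLA_DAYS}
    for f in findings:
        summary[f.severity][poam_status(f, as_of)] += 1
    return summary


# Constructed sample findings (not real scan data) for a report dated 2024-06-30.
REPORT_DATE = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("F-001", "High", date(2024, 5, 15)),                         # 46 days old: past the 30d SLA
    Finding("F-002", "Moderate", date(2024, 5, 15)),                     # 46 days old: within the 90d SLA
    Finding("F-003", "Critical", date(2024, 6, 20), date(2024, 6, 25)),  # remediated before the report date
    Finding("F-004", "Low", date(2024, 1, 1)),                           # 181 days old: past the 180d SLA
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.severity, "due", due_date(f), poam_status(f, REPORT_DATE))
    print(conmon_summary(SAMPLE_FINDINGS, REPORT_DATE))
```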
### FedRAMP-specific control enhancements

A few controls have FedRAMP-mandated parameters tighter than the 800-53 baseline:

| Control | FedRAMP requirement |
|---|---|
| AC-2(7) Account Management | Privileged accounts reviewed monthly (vs annually in baseline) |
| AU-6 Audit Review | Logs reviewed weekly (vs as-needed in baseline) |
| CM-3 Configuration Change Control | Major changes require formal CCB approval |
| IR-3 Incident Response Testing | Annual tabletop exercise with documented results |
| RA-5 Vulnerability Scanning | Monthly authenticated + unauthenticated scans by an ASV |
### FIPS-validated cryptography

Every encryption operation in scope must use FIPS 140-2 (or 140-3) validated cryptographic modules. Most cloud-native crypto (AWS KMS, Azure Key Vault, GCP Cloud KMS) is FIPS-validated, but you must explicitly enable FIPS mode on operating systems and verify your application code calls FIPS-mode crypto libraries. Codex tracks FIPS-mode status per system.

## The 3PAO and assessment

You hire a Third-Party Assessment Organization (3PAO) — a FedRAMP-accredited audit firm — to conduct the formal assessment. They review your System Security Plan (SSP), test controls in your environment, and produce a Security Assessment Report (SAR). 3PAO fees alone: $150K-400K depending on scope and complexity. Codex evidence packages reduce 3PAO time significantly (anecdotally, 30-40%) by giving them clean, timestamped evidence rather than ad-hoc spreadsheets — but it doesn’t eliminate the engagement.

## When you’re ready

Reports → FedRAMP evidence package outputs:

- SSP supporting evidence (per-control implementation evidence)
- Continuous monitoring report (monthly format)
- POAM with current status
- Boundary diagram + data flow diagram (you draw these; Codex tracks the underlying inventory)
- Authority list (named control owners + responsibility matrix)
- 3PAO-friendly export format (designed to drop into the standard FedRAMP templates)