FedRAMP Compliance Check for Vendors
Your procurement team just asked whether a vendor is FedRAMP authorized. Here is how to check — and what to do when they are not.
How to check FedRAMP status
Step 1: Search the FedRAMP Marketplace. Go to marketplace.fedramp.gov and search for the vendor by name. If a listing shows "FedRAMP Authorized", record the impact level (High, Moderate, Low or LI-SaaS), the sponsoring agency, and the exact cloud service offering (CSO) the authorization covers. A listing marked "FedRAMP Ready" or "FedRAMP In Process", or no listing at all, means the vendor is not FedRAMP authorized.
Step 2: Check for government-specific products. Many vendors offer a separate government edition that carries the authorization while the standard product does not. Slack offers GovSlack, Zoom offers Zoom for Government, and AWS offers AWS GovCloud (US). The Marketplace listing names the edition and impact level that is authorized, and that authorization does not carry over to the vendor's other editions. Make sure the authorized edition is the one you are actually using.
Step 3: Check for related authorizations. If the vendor is not FedRAMP authorized, check whether it holds a StateRAMP authorization, a DoD provisional authorization at Impact Level 4 or 5 (IL4/IL5), or another government-aligned attestation. These may satisfy a state or DoD requirement, but they do not by themselves satisfy a requirement for FedRAMP authorization; confirm what your contract or agency actually requires before relying on them.
Step 4: Document the finding. Whether or not the vendor is authorized, record the result in your risk register with the verification date, the source (the Marketplace URL of the listing, or a note that no listing exists), and the authorized offering and impact level. For vendors that are not authorized, record which of your workloads are affected, the compensating controls in place, and who accepted the residual risk.
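The four steps above are easy to get wrong by hand when a vendor has several listings or the edition in use differs from the authorized one. The script below is an added example, not ThirdProof code and not an official FedRAMP tool: it runs the lookup, the exact-offering scope check and the impact-level comparison against a Marketplace export and emits one risk-register row per vendor. The Marketplace rows and vendor names in it are constructed and fictional; in practice you would load the current listing from marketplace.fedramp.gov.

```python
"""Script the FedRAMP vendor check against a Marketplace export.

Added example, not ThirdProof code and not an official FedRAMP tool.
The Marketplace rows below are constructed and use fictional vendors;
in practice you would load the current listing from marketplace.fedramp.gov.
"""
from dataclasses import dataclass, field, asdict
from datetime import date
from typing import Optional

MARKETPLACE_URL = "https://marketplace.fedramp.gov"

# Rank used to decide whether a granted baseline meets the required one.
# LI-SaaS is the tailored Low baseline, so it ranks with Low.
LEVEL_RANK = {"LI-SaaS": 1, "Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class Listing:
    vendor: str
    offering: str                # the specific cloud service offering (CSO)
    status: str                  # "Authorized", "Ready" or "In Process"
    impact_level: Optional[str]  # None for Ready listings (no baseline granted yet)


# Constructed sample export with fictional vendors; not real Marketplace data.
SAMPLE_MARKETPLACE = [
    Listing("ExampleCloud", "ExampleCloud for Government", "Authorized", "Moderate"),
    Listing("ExampleCloud", "ExampleCloud Commercial", "In Process", "Moderate"),
    Listing("ChatCo", "ChatCo Team Edition", "Authorized", "LI-SaaS"),
    Listing("ReadyVendor", "ReadyVendor Platform", "Ready", None),
]


@dataclass
class Finding:
    """One risk-register row: what was checked, the outcome, and its provenance."""
    vendor: str
    product_in_use: str
    required_level: str
    result: str   # authorized | insufficient_level | scope_mismatch | not_authorized | not_listed
    detail: str
    verified_on: str = field(default_factory=lambda: date.today().isoformat())
    source: str = MARKETPLACE_URL

    @property
    def needs_risk_acceptance(self) -> bool:
        # Anything short of an adequate authorization needs compensating
        # controls and a documented decision from the authorizing official.
        return self.result != "authorized"


def check_vendor(vendor: str, product_in_use: str, required_level: str,
                 marketplace=SAMPLE_MARKETPLACE) -> Finding:
    """Look the vendor up, match the exact offering in use, compare the granted
    baseline with the required one, and return a register row."""
    def finding(result, detail):
        return Finding(vendor, product_in_use, required_level, result, detail)

    rows = [r for r in marketplace if r.vendor.casefold() == vendor.casefold()]
    if not rows:
        return finding("not_listed", "No Marketplace listing; treat as not authorized.")

    # Authorization is per offering, so only the edition actually in use counts.
    exact = [r for r in rows if r.offering.casefold() == product_in_use.casefold()]
    if not exact:
        authorized = sorted(r.offering for r in rows if r.status == "Authorized")
        if authorized:
            return finding("scope_mismatch",
                           f"Authorized offering(s) {authorized} differ from the product in use.")
        return finding("not_authorized", "Vendor is listed, but no offering is authorized.")

    row = exact[0]
    if row.status != "Authorized":
        # "Ready" and "In Process" are official designations but not authorizations.
        return finding("not_authorized", f"Listed as '{row.status}', which is not an authorization.")
    if LEVEL_RANK[row.impact_level] < LEVEL_RANK[required_level]:
        return finding("insufficient_level",
                       f"Authorized at {row.impact_level}; workload requires {required_level}.")
    return finding("authorized", f"Authorized at {row.impact_level} for '{row.offering}'.")


def register_rows(inventory, marketplace=SAMPLE_MARKETPLACE):
    """Run the check over (vendor, product, required level) tuples and return
    plain dicts ready to append to a risk register."""
    return [asdict(check_vendor(v, p, lvl, marketplace)) for v, p, lvl in inventory]


if __name__ == "__main__":
    inventory = [  # constructed inventory of products in use
        ("ExampleCloud", "ExampleCloud for Government", "Moderate"),
        ("ExampleCloud", "ExampleCloud Business", "Moderate"),
        ("ChatCo", "ChatCo Team Edition", "Moderate"),
        ("ReadyVendor", "ReadyVendor Platform", "Low"),
        ("NoSuchVendor", "NoSuchVendor SaaS", "Moderate"),
    ]
    for row in register_rows(inventory):
        print(f"{row['vendor']:<14}{row['result']:<20}{row['detail']}")
```

The two cases worth noticing are "scope_mismatch", where the vendor has an authorized government edition but the inventory shows a different edition in use, and "insufficient_level", where an LI-SaaS or Low authorization is real but does not cover a Moderate workload. Both count as not authorized for the purpose of the risk register.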
Common FedRAMP questions compliance teams ask
"Vendor says FedRAMP compliant but isn't in the marketplace." "FedRAMP compliant" is not a status the program grants, and it carries no weight in federal procurement. The Marketplace recognizes three designations: FedRAMP Ready (a 3PAO has completed a readiness assessment), FedRAMP In Process (an authorization is underway with an agency) and FedRAMP Authorized. Only an active "FedRAMP Authorized" listing satisfies a federal requirement. See our detailed guide on FedRAMP authorization status for the full distinction between compliant, ready, and authorized.
"We need FedRAMP but the vendor isn't authorized — can we still use them?" For federal workloads involving CUI or other covered data, the service must be FedRAMP authorized. For non-federal workloads, FedRAMP authorization is a positive signal, not a requirement. If you need the vendor for a federal workload and it is not authorized: document the gap, evaluate authorized alternatives, and only if no alternative exists, define compensating controls and obtain formal, written risk acceptance from your authorizing official.
"Does FedRAMP authorization cover all the vendor's products?" No. FedRAMP authorization covers specific cloud service offerings (CSOs), not the vendor's entire product line. Salesforce Government Cloud is authorized; that says nothing about whether the standard Salesforce edition you use is within scope. Always verify that the specific product you use is named in the authorized offering.
ThirdProof's automated FedRAMP check
ThirdProof automatically checks the FedRAMP Marketplace for every vendor investigated and includes the result in the compliance assessment section. The check runs as part of the standard investigation alongside the other intelligence sources, so no separate lookup is required.
ThirdProof's investigation of Dropbox documented that Dropbox is not listed on the FedRAMP Marketplace. The report noted 10 compliance certifications on Dropbox's trust page (SOC 2, ISO 27001, HIPAA, PCI DSS, and others) but classified all of them as vendor-attested, meaning claimed on the vendor's own page and not independently verified by ThirdProof. For a government contractor evaluating Dropbox for CUI workloads, this finding is actionable: Dropbox cannot be used for workloads that require FedRAMP authorization, and alternatives must be evaluated.
Conversely, Slack claims FedRAMP authorization on its trust page. ThirdProof classifies this as vendor-attested and includes a recommended action: "Verify FedRAMP Moderate authorization independently at marketplace.fedramp.gov — search for 'Slack' and confirm the authorization status and scope." This takes under five minutes and converts the vendor-attested claim to independently verified.
FedRAMP status for commonly assessed vendors
Based on the FedRAMP Marketplace and ThirdProof investigation data at the time of investigation. Authorization is granted per offering and impact level, and listings change, so confirm the current Marketplace entry before relying on any of the following:
Authorized (High Impact): AWS GovCloud, Microsoft Azure Government, Microsoft 365 Government
Authorized (Moderate Impact): Salesforce Government Cloud, Okta, GitHub Enterprise Cloud, Zoom for Government, Snowflake, Datadog for Government, Box, ServiceNow, Splunk, CrowdStrike, Zscaler
Not listed on FedRAMP Marketplace: Stripe, Dropbox, Notion, HubSpot, Airtable, 1Password, Shopify, MongoDB, Vercel, DigitalOcean, Supabase
A vendor not being listed does not mean they are insecure. It means they have not completed the federal authorization process — a 12-18 month, $1M+ investment that only makes business sense for vendors with significant federal customer demand. For non-federal workloads, evaluate these vendors on their other certifications (SOC 2, ISO 27001, PCI DSS) and overall risk posture.
ThirdProof checks FedRAMP authorization status automatically as part of every vendor investigation. Try free.
See this in action
ThirdProof automates vendor risk assessment across 24 intelligence sources. Investigate any vendor in under 2 minutes — no questionnaires, no vendor cooperation required.
Frequently asked questions
How do I check if a vendor is FedRAMP authorized?
What is the difference between FedRAMP Ready and FedRAMP Authorized?
Can I use a non-FedRAMP vendor for federal workloads?
Does FedRAMP cover all of a vendor's products?