FedRAMP Vendor Authorization Status
FedRAMP (Federal Risk and Authorization Management Program) is the US government's standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Organizations selling to or working with federal agencies must use FedRAMP-authorized cloud services. For vendor risk management, knowing whether your vendors hold FedRAMP authorization — and at what impact level — is critical for compliance planning, particularly under CMMC, FISMA, and federal acquisition regulations.
FedRAMP authorization levels explained
FedRAMP defines three impact levels based on NIST FIPS 199:
High — For cloud systems where a loss of confidentiality, integrity, or availability would have severe or catastrophic effects on organizational operations, assets, or individuals. Requires 421 security controls. Examples: AWS GovCloud, Microsoft Azure Government.
Moderate — For systems where loss would have serious adverse effects. Requires 325 security controls. This is the most common authorization level. Examples: Salesforce Government Cloud, Okta, GitHub Enterprise Cloud, Zoom for Government, Datadog for Government.
Low / LI-SaaS — For systems where loss would have limited adverse effects. LI-SaaS (Low Impact SaaS) is a streamlined path for low-risk SaaS applications. Requires fewer controls than Moderate.
Which popular vendors are FedRAMP authorized?
Based on the FedRAMP Marketplace as of 2026, the following commonly used vendors hold FedRAMP authorization:
Authorized (High): Amazon Web Services (GovCloud), Microsoft Azure (Government), Microsoft 365 (Government)
Authorized (Moderate): Salesforce, Okta, GitHub, Zoom, Snowflake, Datadog, Twilio, DocuSign, Box, ServiceNow, Splunk, CrowdStrike, Zscaler, PagerDuty
Not listed on FedRAMP Marketplace: Stripe, Dropbox, Google Workspace (standard edition — note that Google Workspace for Government is FedRAMP authorized separately), SendGrid, Slack, HubSpot, Notion, Airtable, 1Password, Linear, Shopify, MongoDB, Vercel, Supabase, New Relic, DigitalOcean
What if your vendor isn't FedRAMP authorized?
A vendor not being listed on the FedRAMP Marketplace does not mean they are insecure — it means they have not completed the federal authorization process. Many vendors maintain strong security programs (SOC 2, ISO 27001, PCI DSS) without pursuing FedRAMP because their customer base does not require it.
However, if your organization is subject to federal compliance requirements (FISMA, CMMC, FedRAMP itself), you must use FedRAMP-authorized services for covered workloads. For non-federal workloads, FedRAMP authorization is a positive signal but not a requirement. Your vendor due diligence checklist should include FedRAMP status as one data point among many — alongside SOC 2 verification, sanctions screening, cyber risk scoring, and adverse media analysis.
How ThirdProof checks FedRAMP status
ThirdProof's vendor risk investigation includes FedRAMP authorization verification as part of its 22-source assessment. The platform checks the FedRAMP Marketplace registry, scans the vendor's trust page for compliance claims, and classifies each certification as independently verified (confirmed in a public registry), vendor-attested (claimed on trust page only), or not found in evidence. This three-tier verification approach ensures you know the confidence level behind every compliance claim — not just whether the vendor says they have it.
Real FedRAMP check walkthrough: Dropbox
ThirdProof's investigation of Dropbox illustrates a common FedRAMP scenario. Dropbox received a Tier 3 — Moderate Risk rating at 86% confidence. The investigation identified 10 compliance certifications on Dropbox's trust page — including SOC 1, SOC 2, ISO 27001, ISO 27017, ISO 27018, HIPAA, PCI DSS, CSA STAR, GDPR, and CCPA. All 10 were classified as vendor-attested — claimed on the trust page but not independently verifiable through a public registry.
Critically, Dropbox is not listed on the FedRAMP Marketplace. This means Dropbox has not completed the federal authorization process through a 3PAO assessment. For organizations subject to FISMA, CMMC, or federal acquisition regulations, standard Dropbox cannot be used for covered workloads. The investigation also flagged aging adverse media related to phishing-related breaches in 2022 and 2024.
How to document this in your risk register: record that Dropbox is not FedRAMP authorized, note the specific impact on any federal workloads, document compensating controls if the organization chooses to accept the risk for non-federal use, and set a reassessment date to check whether Dropbox pursues authorization in the future.
Vendor says FedRAMP compliant but isn't in the marketplace
This is one of the most common pain points in federal compliance. A vendor's marketing page claims "FedRAMP compliant" or "FedRAMP ready," but when you search marketplace.fedramp.gov, they are not listed. The distinction matters.
FedRAMP Authorized means the vendor has completed a full security assessment by a certified Third Party Assessment Organization (3PAO), the authorization package has been reviewed and approved by either a sponsoring federal agency (Agency ATO) or the FedRAMP Joint Authorization Board (JAB P-ATO), and the vendor is subject to ongoing continuous monitoring. This is the only status that satisfies federal procurement requirements.
FedRAMP Compliant is not an official designation. Vendors use this term loosely to mean they follow FedRAMP-aligned security practices or have begun the authorization process. It carries no legal weight and should not be accepted as evidence of authorization.
FedRAMP Ready means the vendor has completed a Readiness Assessment Report (RAR) with a 3PAO, demonstrating they are likely capable of achieving authorization. They appear in the marketplace with "Ready" status but are not yet authorized for federal use.
When a vendor claims FedRAMP compliance without marketplace listing, document the discrepancy in your assessment, ask the vendor for their specific authorization status and timeline, and flag it as a finding requiring risk acceptance if federal workloads are involved.
How to document FedRAMP status in your risk register
Your risk register entry for FedRAMP should capture four elements.
First, the verification result — Authorized (with impact level and authorization date), Ready, In Process, or Not Listed. Always cite the FedRAMP Marketplace as the source, not the vendor's marketing materials.
Second, the scope — FedRAMP authorization covers specific cloud service offerings, not the vendor's entire product line. Slack offers GovSlack with FedRAMP Moderate authorization, but standard Slack is not authorized. Document which product you are using and whether it falls within the authorized scope.
Third, the impact on your workloads — note which of your systems or data flows rely on this vendor and whether they involve federal data, CUI, or CMMC-scoped assets. If the vendor is not authorized but your workload is federal, document the compensating controls or alternative vendor selection.
Fourth, the reassessment trigger — set a date to re-check the marketplace, particularly for vendors that are In Process or Ready, as their status may change within 6-12 months.
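The three-tier evidence classification described above and the four risk register elements, as an added example (not ThirdProof's code) that encodes them as a small Python model. The marketplace dictionary is a constructed stand-in for marketplace.fedramp.gov, "ExampleCo Cloud" is a made-up listing, and the 6- and 12-month reassessment cadence is an assumed schedule.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the FedRAMP Marketplace: offering -> (status, impact level).
# The GovSlack entry matches the page; "ExampleCo Cloud" is a made-up "Ready" listing.
# A real check must query marketplace.fedramp.gov, never the vendor's marketing page.
MARKETPLACE = {
    "GovSlack": ("Authorized", "Moderate"),
    "ExampleCo Cloud": ("Ready", None),
}

@dataclass
class RegisterEntry:
    vendor: str
    offering: str          # the specific cloud service offering, not the vendor as a whole
    verification: str      # "Authorized (Moderate)", "Ready", "In Process" or "Not Listed"
    evidence_tier: str     # independently verified / vendor-attested / not found in evidence
    finding: str | None    # set when a federal workload relies on an unauthorized offering
    reassess_on: date
    source: str = "FedRAMP Marketplace"

def marketplace_status(offering: str) -> tuple[str, str | None]:
    """Scope matters: look up the exact offering, so standard Slack is not GovSlack."""
    return MARKETPLACE.get(offering, ("Not Listed", None))

def fedramp_evidence_tier(status: str, trust_page_claims: list[str]) -> str:
    """Three-tier classification of a vendor's FedRAMP claim."""
    if status == "Authorized":
        return "independently verified"       # confirmed in the public registry
    if any("fedramp" in c.lower() for c in trust_page_claims):
        return "vendor-attested"              # "compliant"/"ready" wording is not authorization
    return "not found in evidence"

def build_entry(vendor: str, offering: str, trust_page_claims: list[str],
                federal_workload: bool, today: date) -> RegisterEntry:
    status, level = marketplace_status(offering)
    verification = f"{status} ({level})" if level else status
    tier = fedramp_evidence_tier(status, trust_page_claims)
    finding = None
    if federal_workload and status != "Authorized":
        finding = f"{offering} is {status}: covered workload needs risk acceptance or another vendor"
    # Assumed cadence: Ready / In Process listings can change within months, so re-check sooner.
    months = 6 if status in ("Ready", "In Process") else 12
    return RegisterEntry(vendor, offering, verification, tier, finding,
                         today + timedelta(days=30 * months))
```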
See this in action
ThirdProof automates vendor risk assessment across 24 intelligence sources. Investigate any vendor in under 2 minutes — no questionnaires, no vendor cooperation required.