Accessibility Information

Users of assistive technologies such as screen readers should use the following link to activate Accessibility Mode before continuing: Learn more and Activate accessibility mode.

Federal Risk and Authorization Management Program (FedRAMP) application invitation

Solicitation Number: QTABR001
Agency: General Services Administration
Office: Federal Acquisition Service (FAS)
Location: ITS Office of Acquisition Operations (QTA)
  • Print
Sources Sought
Added: Jun 04, 2012 9:43 am

The purpose of this announcement is to invite cloud service providers (CSP), both commercial and government, to apply to the Federal Risk and Authorization Management Program (FedRAMP), starting June 6, 2012. 

The Federal Risk and Authorization Management Program (FedRAMP) will begin to accept applications from Cloud Service Providers for the security assessment process on an on-going basis starting June 6, 2012.

FedRAMP is a unified government-wide risk management program focused on security for cloud-based systems. FedRAMP provides a standard approach for conducting security assessments of cloud systems based on an accepted set of security controls and consistent processes. Per OMB policy, agencies acquiring cloud services are required to use FedRAMP.

The FedRAMP controls and processes create a standardized approach for agencies to leverage security assessments for cloud services. This "approve once, and use many" approach will  benefit CSPs by speeding the adoption of cloud services by agencies and reducing the cost and time required to conduct redundant, individual agency security assessments. 

How to Apply:

The FedRAMP application form will be posted on on June 6, 2012.

To apply, complete the FedRAMP application form at To access the form, click the CSP icon or select Cloud Service Providers from the left-hand navigation, then click on the "Apply" icon.

Questions about applying to FedRAMP should be sent to 

In preparation for applying to FedRAMP, gather the following information before completing the request form:

Points of contact (Primary, secondary, back-up)

•·         System name and owner

•·         Brief description of the service proved by the system

•·         Cloud service model (IaaS, PaaS, SaaS)

•·         Cloud Deployment Model (public, private, hybrid, community)

•·         Expected Security Impact Level (Low, Moderate)

•·         The desired level of authorization:

•o    CSP Supplied: A CSP supplies an assessment package without an agency ATO, the assessment must have used a FedRAMP-accredited 3PAO

•o    Agency ATO: A CSP or Agency supplies an assessment package that has an Agency ATO but did not use a FedRAMP-accredited 3PAO

•o    Agency ATO with FedRAMP 3PAO: A CSP or Agency supplies an assessment package that has an Agency ATO and used a FedRAMP-accredited 3PAO

•o    FedRAMP JAB Provisional Authorization: A CSP or Agency is requesting FedRAMP to begin the assessment and authorization process for a provisional authorization from the JAB

•·         If the system previously received an Agency ATO:

•o    Provide issuing agency name, agency POC, and date ATO was issued

•·         If a FedRAMP accredited 3PAO previously assessed the system:

•o    Provide the 3PAO name and 3PAO POC information

Before applying to FedRAMP, CSPs should review the FedRAMP process, requirements and templates and research selecting a FedRAMP accredited Third Party Assessment Organization (3PAO). To download templates, access information about FedRAMP, and view a list of FedRAMP accredited 3PAOs, go to and select Cloud Service Provider.

After receiving the initial applications, the FedRAMP program management office (PMO) will develop a queue order in which FedRAMP resources will review authorization packages.

Applications will be placed in the queue based on meeting the objective to assess and authorize cloud systems that can be leveraged government-wide. In order to accomplish this, FedRAMP will follow the priority queue requirements as identified by the Joint Authorization Board. FedRAMP will prioritize secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services in alignment with the Administration's 'Cloud First' policy as discussed in the '25 Point Implementation Plan to Reform Federal Information Technology Management'.

CSPs should send questions about FedRAMP and the application process to DO NOT CALL THE CONTRACTING OFFICER (Ben Reed) LISTED AT THE BOTTOM OF THIS NOTICE. The above email address and contact personnel will constitute your contact point for this effort. 

FAQs are posted at

10304 Eaton Place
Fairfax , Virginia 22030
United States
Matt Goodrich
Phone: Matt Goodrich 202-208-1303