
by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
Updated June 8, 2026
If you’re choosing a cloud platform to use for work on a federal contract, “FedRAMP authorized” sounds like the answer. All you have to do is pick a vendor listed in the FedRAMP Marketplace, right? Not necessarily.
FedRAMP authorization tells you a vendor passed a standardized security review. It doesn’t tell you whether that vendor’s setup meets your specific compliance obligations. For defense contractors handling export-controlled data, the gap between those two things can mean rebuilding your entire cloud setup from scratch.
DOGE cuts have left the FedRAMP program office running on about $10M a year with roughly two dozen employees, its leanest staffing in a decade. Deep technical review is increasingly rare. A new initiative, FedRAMP 20x, aims to automate continuous validation of cloud services. But authorization remains a process certification, not a security guarantee.
QUICK ANSWER:
What is FedRAMP and why does it matter for federal contractors?
FedRAMP sets standards for cloud services that will hold federal data. Federal agencies and the contractors they work with are expected to protect this data. Using a FedRAMP listed product does not mean that you are automatically compliant. You must still configure the systems, implement policies, and be able to prove your own compliance. If you’re a federal contractor, enlisting the help of an experienced MSP like E-N Computers is invaluable.
Table of Contents
- What federal data is included?
- What does FedRAMP Moderate authorized mean?
- What does FedRAMP Moderate equivalent mean?
- What is FedRAMP 20x, and what does it mean for federal contractors?
- FedRAMP and ITAR: Why the authorized label isn’t enough for export-controlled data
- FedRAMP authorization isn’t a guarantee of trustworthiness
- What this means for you
- How to evaluate a cloud vendor
- Does ENC use FedRAMP-compliant tools?
What federal data is included?
FedRAMP is designed for the security of all federal data on cloud services. That includes, but is not limited to, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). So does FedRAMP apply to your federal contract? Yes.
Defense contractors are required under DFARS 252.204-7012 to make sure the cloud services they use are FedRAMP Moderate authorized or equivalent. Under CMMC, they must prove that the services they use are compliant.
Chart of FedRAMP impact levels, data examples, and related cloud services
| Impact level | Potential adverse effects of a breach | Data examples | Products we use |
|---|---|---|---|
| Low | Limited | Login credentials (username, password, email); no PII | |
| Moderate | Serious; e.g. bodily harm, operational damage, financial loss | Juvenile court records; critical energy infrastructure; investment info (e.g., M&A); railroad safety | FutureFeed (seeking equivalency certification); Cisco Meraki for Government; Microsoft 365 GCC (Office 365 Multi-Tenant) |
| High | Catastrophic, e.g. loss of life or financial ruin | DoD CUI, including missile defense, nuclear information, and export-controlled “no foreign dissemination” marking | Microsoft 365 GCC High |
What is FedRAMP Moderate authorized?
FedRAMP Moderate authorized means that a cloud service has implemented security controls, developed supporting documentation, gone through a third-party assessment, remediated any problems, and has had all of this reviewed by the federal agency they are partnered with and the FedRAMP office. Once a cloud service is FedRAMP Moderate authorized, other federal agencies and their contractors can use it without going through the same process.
Because the process is rigorous, time-consuming, and has required an agency partnership until now, some cloud service providers have opted for equivalency rather than authorization.
What does FedRAMP Moderate equivalent mean?
According to this DoD memorandum dated December 21, 2023 (PDF):
To be considered FedRAMP Moderate equivalent, CSOs [Cloud Service Offerings] must achieve 100% compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization (3PAO) and present the documentation to the contractor …
Required documentation includes a System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR) prepared by a FedRAMP-recognized 3PAO, and Plan of Action and Milestones (POA&M). The POA&M must show that any issues have been corrected and validated.
In short, FedRAMP Moderate Equivalent means that a product or service has all the required security controls and has successfully completed an independent audit by a FedRAMP-recognized assessor within the last year. However, they do not have an established partnership with a federal agency, nor do they have a FedRAMP Marketplace Designation.
As a contractor, you should receive the body of evidence from a cloud service provider. That’s a System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M) for continuous monitoring only. You also need proof that a third-party assessment has happened in the last year. You, the contractor that plans to keep data in this system, are responsible for validating that the cloud service provider is compliant and report on this. For this reason, we advise clients to be very careful about relying on such services.
What is FedRAMP 20x, and what does it mean for federal contractors?
FedRAMP 20x, announced in March 2025, replaces the static, document-heavy authorization model with continuous validation. Vendors maintain systems that demonstrate secure configurations in real time via Key Security Indicators (KSIs), rather than submitting a one-time documentation package.
The program is in its last stage of pilot testing. Between July and September 2026, FedRAMP plans to open submissions to all vendors. Existing FedRAMP-authorized vendors will migrate over a multi-year window without a hard deadline. Until then, we’re still relying on each vendor’s last audit, not an ongoing check.
What this means for contractors evaluating vendors
Authorization isn’t a one-time stamp anymore. A vendor authorized today can face remediation or lapse if their KSIs slip. Checking the FedRAMP Marketplace once at procurement isn’t enough. Your MSP should be continuously monitoring the tools you depend on.
FedRAMP and ITAR: Why the authorized label isn’t enough for export-controlled data
FedRAMP tells us that a vendor implemented specific technical controls and passed a standardized review. ITAR expects additional policy and staffing controls that restrict access to only US persons. So FedRAMP authorization alone is not sufficient for protecting export-controlled data.
We can illustrate using Microsoft 365.
| | Commercial | GCC | GCC High |
|---|---|---|---|
| FedRAMP authorized | No | Moderate | High |
| US data center | Probably, if you’re a US customer | Required, but same US data centers as commercial customers | Yes, fully isolated |
| Restricted to US persons (ITAR) | No | No | Yes |
| Terms of service | Standard | Modified | Modified to meet ITAR terms |
GCC runs in the same US data centers as commercial Microsoft 365, and both can be accessed by non-US support staff. GCC just adds contract protections. Only GCC High runs in separate, US-only data centers with terms that meet ITAR. Same vendor, same product family — but only two are FedRAMP authorized, and only one meets ITAR. The label alone doesn’t tell you which one you need.
ITAR’s restrictions are person-based, not system-based. A contractor can satisfy every technical control and still violate ITAR if a foreign national has access to controlled data, whether they’re an employee or a vendor’s support staff.
Take a construction firm with a GCC setup that has all technical controls properly implemented. They win a contract that involves receiving building plans labeled a national security interest. Only US persons are permitted to access those drawings, which isn’t possible to guarantee in a GCC setup. In effect, they built the perfect building in a flood plain. They have to knock it down and move it to a safer location. And even though you can migrate data like SharePoint and mailboxes, you still have to re-establish all your device relationships, which is a huge project.
Some companies look at Azure virtual desktops and other types of CUI enclaves as a way around these concerns, but they’re not a silver bullet, either.
FedRAMP authorization isn’t a guarantee of trustworthiness
A March 2026 ProPublica investigation reported that FedRAMP reviewers lacked confidence about GCC High’s overall security as far back as 2020. Ultimately, they authorized it in part because it was already widely deployed.
The lesson is that FedRAMP authorization says a vendor has completed a review process and reasonably meets a baseline, but it isn’t a guarantee of trustworthiness or immediate usefulness. For example, even though Microsoft 365 GCC and GCC High are FedRAMP authorized, they ship unconfigured with a Secure Score of only about 50 out of 100. They give you the foundation for compliance, but you still need someone who can implement security controls.
What this means for you
Since you can’t rely on FedRAMP as a sign that your cloud services are already fully compliant and turnkey-ready, you must take action. You need to audit your systems against what your federal contract requires. Many small and medium businesses aren’t equipped to do this on their own. That’s why engaging with a qualified MSP is a smart move.
You need to look at your systems and answer questions like:
- What data am I contractually required to protect?
- Which people and systems touch that data?
- Can I prove that I am protecting data, and is my proof current?
- If I handle ITAR data, am I certain that my vendors restrict access to US persons?
- Do I have the right licensing to secure my cloud services?
- Are my cloud services configured correctly?
- Do I have policies and procedures in place to protect data?
How to evaluate a cloud platform vendor
The FedRAMP Marketplace sorts vendors by what they passed, not by what you need. Start with your contract.
- FCI only (invoices, basic correspondence, contract logistics): 17 controls, self-attestation. A FedRAMP Moderate authorized or equivalent cloud is enough — commercial Microsoft 365 works.
- CUI (anything your contract labels CUI, even routine work product): 110 controls, third-party assessment. FedRAMP Moderate authorized or equivalent, with every control implemented and provable.
- CUI that’s also export-controlled under ITAR: everything above, plus US-persons-only backend access, US data centers, and contract terms matching ITAR.
FedRAMP authorized vs. equivalent
- Authorized — full review with a federal agency sponsor. The listing is your evidence. Good for FCI and CUI.
- Equivalent — third-party audit, no agency sponsor. You’re responsible for collecting and validating the SSP, SAP, SAR, and POA&M. Use carefully.
- Not listed — don’t use it for federal data.
For export-controlled work, look beyond FedRAMP
The FedRAMP Marketplace doesn’t cover ITAR. FedRAMP is run by the General Services Administration (GSA) and focuses on cloud security; ITAR is enforced by the State Department and governs who can access export-controlled data.
For any cloud platform that will hold export-controlled data, confirm three things:
- US data centers with a contractual commitment
- US-persons-only backend administration, and
- terms of service or an attestation that address ITAR directly.
This is all well-documented for the three major players — Microsoft GCC High, AWS GovCloud, Box for Government. Search “[product name] ITAR” or check the vendor’s compliance page. Products labeled as “US Sovereign Cloud” or “GovCloud” usually have the commitments built in.
Some web apps aren’t built for federal data, especially defense-related info. Their compliance pages talk about SOC 2 and ISO 27001 but say nothing about US persons or US data centers. In our experience, that means “not supported”.
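As an added illustration of the checklist above (example code written for this page, not an E-N Computers tool), the following Python encodes the article's rules: unlisted services are out, "equivalent" services need the full body of evidence plus a 3PAO assessment within the last year, and ITAR data needs the three extra commitments on top of FedRAMP status. The Microsoft 365 tiers are taken from the comparison table earlier in the article; ExampleGRC is a constructed, hypothetical vendor used only to show an incomplete equivalency package.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Body of evidence a contractor must collect from an "equivalent" (non-listed) CSP.
EQUIVALENCY_EVIDENCE = {"SSP", "SAP", "SAR", "POA&M"}

@dataclass
class CloudService:
    name: str
    fedramp: str                         # "authorized", "equivalent" or "none"
    us_data_centers: bool = False        # contractual commitment, not just "probably"
    us_persons_only_admin: bool = False  # backend/support access limited to US persons
    itar_terms: bool = False             # ToS or attestation that addresses ITAR directly
    evidence: Set[str] = field(default_factory=set)   # documents actually received
    last_3pao_assessment: Optional[date] = None

def evaluate(svc: CloudService, data_type: str, today: date = date(2026, 6, 8)) -> List[str]:
    """Return the gaps that block using svc for data_type ("FCI", "CUI" or "ITAR").
    An empty list means the service clears the article's checklist for that data."""
    gaps: List[str] = []
    if svc.fedramp not in ("authorized", "equivalent"):
        # Not listed: never use it for federal data, regardless of anything else.
        return [f"{svc.name}: not FedRAMP Moderate authorized or equivalent"]
    if svc.fedramp == "equivalent":
        # The listing is not your evidence; you must hold the documents yourself.
        missing = EQUIVALENCY_EVIDENCE - svc.evidence
        if missing:
            gaps.append(f"{svc.name}: missing equivalency evidence {sorted(missing)}")
        stale = (svc.last_3pao_assessment is None
                 or today - svc.last_3pao_assessment > timedelta(days=365))
        if stale:
            gaps.append(f"{svc.name}: no FedRAMP-recognized 3PAO assessment in the last year")
    if data_type == "ITAR":
        # ITAR is person-based: FedRAMP status alone says nothing about these three.
        if not svc.us_data_centers:
            gaps.append(f"{svc.name}: no contractual US data center commitment")
        if not svc.us_persons_only_admin:
            gaps.append(f"{svc.name}: backend access not restricted to US persons")
        if not svc.itar_terms:
            gaps.append(f"{svc.name}: terms of service do not address ITAR")
    return gaps

# Constructed sample inventory: Microsoft 365 tiers per the article, plus a hypothetical GRC tool.
GCC = CloudService("M365 GCC", "authorized", us_data_centers=True)
GCC_HIGH = CloudService("M365 GCC High", "authorized", True, True, True)
EXAMPLE_GRC = CloudService("ExampleGRC (hypothetical)", "equivalent",
                           evidence={"SSP", "SAP", "SAR"},
                           last_3pao_assessment=date(2025, 3, 1))
```

Running `evaluate(GCC, "ITAR")` reproduces the article's construction-firm scenario: GCC passes for CUI but reports two ITAR gaps, while GCC High reports none.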
One platform usually beats two
Some contractors run two systems side by side: one system for general use, and another for federal contracts. It can work, but we think the tradeoffs aren’t worth it: more licensing, two onboarding processes, and the risk of someone exposing data by using the wrong system without thinking.
In our experience, consolidating onto a single compliant platform usually costs less in the long run. You might not have as many options, but you simplify your management and your risk exposure. For defense contractors that handle CUI, it’s a particularly worthwhile trade.
Does ENC use FedRAMP-compliant tools?
We use FedRAMP-authorized and FedRAMP Moderate Equivalent software when necessary. And we work with you to make sure that any federal data you handle is appropriately protected on any systems it touches — because ultimately you are responsible for the data entrusted to you. Here are some details about a few of the tools we use.
Microsoft 365 GCC and GCC High
Microsoft 365 has several cloud offerings, including the Commercial Cloud, Government Community Cloud (GCC), and GCC High. Their government products are FedRAMP compliant and they provide a GCC High blueprint with guidance on implementing controls.
We are consolidating as much of our tooling into Microsoft 365 as possible. While the tools provided still need to be configured and managed correctly, we find that consolidation gives clients a much better experience. Consolidated tooling simplifies onboarding, offboarding, compliance, and billing. It allows us to manage your environment, including configuration, alerts, and licensing, more efficiently.
ENC is able to directly acquire GCC licenses and we have a partner through whom we can acquire GCC High licenses. These licenses are 50%–75% more expensive than their commercial equivalent. If you require some GCC licenses, we recommend keeping all your licenses at that level for better management and flexibility.
Cisco Meraki
Cisco Meraki provides simplified cloud-based network management and fantastic hardware that we love working with. In February 2024, they achieved FedRAMP authorization.
Microsoft Purview vs. FutureFeed
For most of our clients, we recommend Microsoft Purview Compliance Manager for tracking compliance against standards like NIST 800-171 and CMMC. This is an integrated, centralized dashboard available to customers with Microsoft 365 Business Premium or E3 or above licenses, and it inherits the FedRAMP and ITAR status of whichever Microsoft 365 tier you’re on — Moderate in commercial, High in GCC High. We find that it meets the needs of small and medium organizations without the cost or complexity of another third-party tool.
For certain clients, we recommend a GRC tool called FutureFeed. It can be helpful for organizations running significant third-party tooling, or those that need to bring non-technical stakeholders (program managers, C-suite) into the compliance process across a more complex setup. Its interface is accessible and easy to use, and it handles on-premise setups more cleanly.
FutureFeed completed its FedRAMP Moderate Equivalency certification in February 2026. Lunarline, Inc., a FedRAMP-accredited 3PAO, assessed FutureFeed’s AWS GovCloud infrastructure and confirmed 100% implementation of the FedRAMP Moderate baseline with no unresolved findings. You can see the attestation letter here.
Get started today
Setting up the technical controls and policies for federal contracts typically takes 12 to 18 months — sometimes faster, often longer, depending on your size, budget, and where you’re starting from. If you’re a defense contractor working through FedRAMP compliance, or trying to figure out whether your current cloud tools meet your obligations, we’re happy to take a look. Get in touch and we’ll help you sort it out.
