Skip to content

Page Info

Description: An overview of the whole Certification game without going into too many specifics, that mostly directs folks to the specific rules. Reminds folks when they need an assessment vs not and the broad overall differences and processes, plus timelines and contacts.

Purpose: Folks will know how to jump into the full steps and rules for specific Certification profiles with an idea of what they're getting into.

Getting Certified

flowchart LR
  A["Preparation"] --> B[Initial Implementation]
  B --> cat
  cat@{ img: "/2026/assets/sad-thumbs-up-cat.jpg", h: 72, constraint: "on" }
  cat --> C[Ongoing Certification]

  classDef current stroke:#00A86B,stroke-width:3px;
  class B current;

You just got the thumbs up from your information security and GRC engineering teams, backed by independent assessment. You've met all of the requirements for Initial FedRAMP Certification and your entire team has mixed feelings as you prepare to transition into Ongoing FedRAMP Certification. Everyone knows that all the work done so far was just to get ready for everything that comes after, but you still deserve to cross that final milestone and have your work confirmed by FedRAMP.

Applying for FedRAMP Certification

By now you're familiar with navigating the FedRAMP Consolidated Rules for 2026 and probably already have an idea of what's next - instead of narrative instructions, just follow the rules and apply for FedRAMP Certification.

IFP-APP-AFC (Applying for FedRAMP Certification)

On the outside it might look like FedRAMP is a big scary government program, but the reality is that we're a small tight-knit team of gentle humans operating without a lot of the modern tools available in private sector. We try to make the application process as clean and rewarding as possible within our operating constraints.

Our goal is to process all applications within 30 days!

You may have heard in the past that FedRAMP PMO review could take a year or more, but those days are hopefully long past. We don't offer an SLA for the review process but our own internal strategic goal is to consistently make an initial decision within 30 days of receiving any FedRAMP Certification application.

When you submit your application it will enter our FedRAMP assessment and review pipeline, which works something like this:

  • We perform a cursory scan of the submission as early as possible to confirm it is complete and let you know if we have any concerns.
  • A Review Team is assigned to the application and will request access to your trust center materials following the process outlined in your submission.
  • The Review Team completes a review of the Certification Package Overview as quickly as possible.
  • For FedRAMP 20x, Review Team will likely want to schedule a Deep Dive with your team to understand the whole approach and discuss both the Certification Package Overview and Security Decision Record with you. Please make yourselves available at your earliest convenience, because our clock stops while we are waiting on you.
  • We'll let you know as quickly as possible if we encounter anything particularly scary or broken. Depending on how bad it is, that might result in an initial rejection or we might ask you to make changes before we continue our review.
  • Once the review is complete, we'll send you our final assessment and talk about next steps - hopefully this will include a FedRAMP Certification notice!

Our clock stops any time we're waiting on you.

Our 30 day review target stops counting when there's nothing we can do to move things forward because we are waiting for something from you. In general, we do not follow up regularly with applicants when we have requested something from them. You can help us by paying careful attention to emails from FedRAMP and responding in a timely fashion.

FedRAMP is a government program, operating under incredibly strict expectations of fairness, that is regularly audited by oversight bodies!

FedRAMP cannot provide guidance or special considerations, and asking just makes things terribly awkward for everyone. Please refrain from asking for special considerations such as prioritized reviews, special conditions such as delayed reviews or exemptions, or asking for guidance on how to proceed in any circumstances. We do not grant such requests.

Every single cloud service provider goes through the same process in the same way at the same pace. Federal ethics rules require us to avoid even the appearance of impropriety and we enforce this strictly.

Comments