FedRAMP Authorization Timeline

A complete phase-by-phase breakdown of the FedRAMP authorization process for Moderate impact. Total elapsed time from preparation to ATO typically runs 12-18 months. High impact authorizations frequently extend to 24 months. Updated 26 March 2026.

Pre-auth: 3-6 mo
Documentation: 3-5 mo
3PAO assessment: 2-4 mo
Remediation: 1-3 mo
Agency review: 1-3 mo
Total (Moderate): 12-18 mo

Phase 1

Pre-Authorization Preparation

Duration: 3-6 months
Budget share: 10-15% of total authorization budget

Before engaging a 3PAO or agency sponsor, organizations need to define the authorization boundary, select the impact level, and begin gap analysis against the applicable control baseline.

Define and document the authorization boundary
Select target impact level (Low, Moderate, or High)
Conduct internal gap analysis against NIST 800-53
Identify and begin engaging agency sponsor
Select and contract with a 3PAO assessor
Stand up or configure a FedRAMP-compliant environment
Begin documentation framework

Phase 2

Documentation Development

Duration: 3-5 months
Budget share: 20-25% of total authorization budget

The System Security Plan (SSP) is the central artifact of FedRAMP authorization. For Moderate, it documents all 300+ control implementations, along with the system architecture and supporting processes. This phase also includes policy documentation and procedure development.

Develop the System Security Plan (SSP) with all control implementations
Write Incident Response Plan, Contingency Plan, and Configuration Management Plan
Document information security policies and procedures
Complete the Customer Responsibility Matrix (CRM)
Develop User Guide and Rules of Behavior
Prepare Authorization Boundary Diagram and Data Flow Diagrams
Complete Control Implementation Summary (CIS)

Phase 3

3PAO Assessment

Duration: 2-4 months
Budget share: 35-45% of total authorization budget

The accredited 3PAO conducts an independent assessment of your security controls. This includes documentation review, interviews, and technical testing. For Moderate, the 3PAO tests a representative sample of controls plus all high-priority controls.

Kickoff with 3PAO and review assessment plan
3PAO reviews all SSP documentation
Control testing and technical validation (vulnerability scans, pen testing)
Staff interviews and process walkthroughs
3PAO prepares Security Assessment Report (SAR)
Organization reviews findings and prepares responses
Findings categorized as open or resolved

Phase 4

Remediation

Duration: 1-3 months
Budget share: 10-20% of total authorization budget

Open findings from the 3PAO SAR must be addressed before authorization can proceed. High-severity findings typically must be resolved. Moderate and low findings are documented in a Plan of Action and Milestones (POA&M) with remediation dates.

Prioritize findings by severity (High, Moderate, Low)
Remediate all High findings identified by 3PAO
Document Moderate and Low findings in initial POA&M
3PAO validates remediation of High findings
Update SSP to reflect remediated controls
Finalize SAR with remediation status

Phase 5

Agency Review and ATO

Duration: 1-3 months
Budget share: 5-10% of total authorization budget

The sponsoring agency's Authorizing Official (AO) reviews the full authorization package (SSP, SAR, POA&M) and determines whether to issue an Authority to Operate. This phase involves agency-specific requirements and AO discretion.

Submit complete authorization package to agency sponsor
Agency security team reviews documentation
Address agency-specific questions and additional requirements
Agency AO makes authorization decision
ATO letter issued with specific conditions and expiration date
Listing on FedRAMP Marketplace

Phase 6

Continuous Monitoring

Duration: Ongoing - annual cycle
Budget share: $150,000 - $350,000 per year (Moderate)

FedRAMP authorization is not a one-time event. Authorized CSPs must meet continuous monitoring (ConMon) obligations indefinitely. Failure to meet ConMon requirements can result in authorization revocation.

Monthly vulnerability scanning and reporting to agencies
Annual penetration testing
Annual assessment of a subset of controls by 3PAO
POA&M management and remediation tracking
Significant change notifications to agencies
Incident reporting within required timeframes
Annual update of SSP and supporting documentation

Common Causes of Timeline Delays

3PAO finding volume

Organizations with weak security postures often receive 50+ findings from their 3PAO assessment, requiring 3-6 additional months of remediation before ATO can proceed.

SSP quality issues

Poorly written control implementations require multiple revision cycles between the organization, 3PAO, and agency. High-quality SSP authoring from the start is critical.

Authorization boundary scope creep

Expanding the authorization boundary mid-authorization resets significant documentation and testing work. Define boundaries tightly before starting.

Agency sponsor capacity

Agency AOs and security teams have many competing priorities. Build in extra time for agency review phases, especially with agencies that process many ATOs.

Infrastructure changes

Significant changes to the authorized environment during the process can require re-testing and SSP updates, adding months to the timeline.

3PAO scheduling constraints

Experienced 3PAOs are in high demand. Delays of 6-8 weeks in scheduling assessment kickoffs are common. Engage your 3PAO 3-4 months before you expect to be ready.
