The two paths, briefly
There are two practical paths to a FedRAMP authorization: the Agency ATO path, where a single federal agency sponsors you and issues the authorization, and the JAB P-ATO path (Joint Authorization Board), where DoD, DHS, and GSA jointly issue a provisional authorization. In 2026 the overwhelming majority of new authorizations are Agency ATO. The JAB process is reserved for services expected to see broad cross-agency use. For most CSPs, especially small and mid-size ones, Agency is the realistic path.
- Months 1–3 — Boundary and documentation: Define system boundary, select controls, begin SSP. Select a 3PAO early — assessment queues run 4–6 months.
- Months 4–6 — Control implementation: Implement all required controls, configure monitoring, complete evidence collection. Most programs underestimate this phase.
- Months 7–12 — 3PAO assessment: Independent assessment, remediation of findings, Security Assessment Report. Most delays happen here.
- Months 12–18 — Agency review and ATO: Agency reviews SAR, issues ATO or requests additional remediation. Agencies with mature FedRAMP programs move faster.
Why. One sponsor is easier to align than three. The JAB queue is thin. The JAB's business-case gate is high. Agency ATO moves at whatever velocity the agency sponsor and your engineering team can collectively sustain, which is faster.
The high-level timeline

| Phase | Duration | Owner |
|---|---|---|
| 0. Readiness and sponsor identification | 2 - 4 months | CSP |
| 1. SSP authoring and pre-assessment | 3 - 5 months | CSP |
| 2. 3PAO assessment | 3 - 4 months | 3PAO |
| 3. Remediation and POA&M | 2 - 4 months | CSP |
| 4. Agency review and ATO issuance | 1 - 3 months | Agency AO |
| 5. Continuous monitoring (ongoing) | Forever | CSP + Agency |
Add those up and the floor is 11 months. The ceiling, in real projects, routinely reaches 18 or more. The variance is not random. It concentrates in three places.
Phase 0: Readiness and sponsor
Before an agency will sponsor, it wants to see a FedRAMP Ready designation or, at minimum, a credible readiness assessment from a 3PAO. The readiness work itself is not light. A typical sequence:
- Internal gap analysis against the target baseline (Moderate, High, Li-SaaS).
- System categorization memo — FIPS 199 analysis documented and signed.
- Authorization boundary diagram — which components are in and which are interconnections.
- 3PAO Readiness Assessment Report (RAR) — 3PAO's formal judgment that the CSP is ready for full assessment.
In parallel, you find a sponsor. The sponsor is an agency that intends to use the service. They designate an Authorizing Official (AO), assign an ISSO, and commit to doing the agency-side work. This commitment is real — the AO's office will spend hours reviewing your package. A sponsor who says yes out of politeness will deliver a slow ATO. A sponsor with a named budget and a go-live deadline will deliver an ATO on time.
Phase 1: SSP authoring and pre-assessment
The SSP (System Security Plan) is the artifact at the center of the process. In 2026 it should be authored in OSCAL. The document has to cover, at minimum:
- System description, authorization boundary, data flows
- Component inventory with CVE posture
- Per-control implementation statement for every control in the baseline (325 at Moderate, 421 at High, 156 at Li-SaaS)
- Inherited control mapping from the underlying IaaS/PaaS
- Policies and procedures (AC policy, AU policy, CM policy, etc.) referenced and attached
- Contingency plan, incident response plan, configuration management plan
- Interconnection agreements for every external system in scope
Three months is aggressive if you are authoring from scratch. Five is realistic. This is the phase where SSP-as-code discipline pays off — teams that iteratively built their SSP as they built the system spend closer to three months; teams writing it all after the fact spend six or seven.
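As an added example in the SSP-as-code spirit (not code from the original page), a small Python gap check: it loads an OSCAL-shaped SSP fragment and reports baseline controls that have no implementation statement and interconnection components that carry no ISA/MOU reference. The SSP fragment, the four-control baseline slice and the `agreement` prop are constructed assumptions; the field names follow the OSCAL SSP model.

```python
"""Gap check for an OSCAL-shaped SSP: every baseline control needs an
implementation statement, and every interconnection needs an agreement.
The SSP and baseline below are constructed samples, not a real package."""
import json

# Constructed: a four-control slice of a baseline (a real Moderate
# baseline lists hundreds of control ids in the same "ac-2" style).
BASELINE_CONTROLS = ["ac-1", "ac-2", "au-2", "ca-3"]

# Constructed OSCAL-shaped SSP fragment. Field names follow the OSCAL
# SSP model (control-implementation / implemented-requirements /
# system-implementation / components); the "agreement" prop is an
# assumed local convention for recording the ISA or MOU reference.
SAMPLE_SSP = json.loads("""
{"system-security-plan": {
  "system-implementation": {"components": [
    {"uuid": "c1", "type": "interconnection", "title": "Identity provider",
     "props": [{"name": "agreement", "value": "ISA-001"}]},
    {"uuid": "c2", "type": "interconnection", "title": "Log aggregator",
     "props": []},
    {"uuid": "c3", "type": "software", "title": "Web tier", "props": []}]},
  "control-implementation": {"implemented-requirements": [
    {"control-id": "ac-1", "statements": [{"statement-id": "ac-1_smt"}]},
    {"control-id": "ac-2", "statements": []},
    {"control-id": "ca-3", "statements": [{"statement-id": "ca-3_smt"}]}]}}}
""")


def missing_controls(ssp, baseline):
    """Baseline controls with no implemented-requirement, or an empty one."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    covered = {r["control-id"] for r in reqs if r.get("statements")}
    return sorted(c for c in baseline if c not in covered)


def interconnections_without_agreement(ssp):
    """Interconnection components lacking an ISA/MOU reference."""
    comps = ssp["system-security-plan"]["system-implementation"]["components"]
    out = []
    for c in comps:
        if c.get("type") != "interconnection":
            continue
        props = c.get("props", [])
        if not any(p.get("name") == "agreement" and p.get("value") for p in props):
            out.append(c["title"])
    return out


if __name__ == "__main__":
    print("controls without statements:", missing_controls(SAMPLE_SSP, BASELINE_CONTROLS))
    print("interconnections without ISA/MOU:", interconnections_without_agreement(SAMPLE_SSP))
```

Run against the real package, both lists should be empty before the SAP is signed; anything left over is Phase 1 work that would otherwise surface as a 3PAO finding.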
Phase 2: 3PAO assessment
The 3PAO (Third Party Assessment Organization) runs a formal assessment against the SSP. This is not a collaborative exercise — the 3PAO is testing whether your implementation statements are true. The phases inside this phase:
- Security Assessment Plan (SAP) — the 3PAO writes a plan describing what they will test and how. Typically two to four weeks.
- Kickoff and evidence collection — the 3PAO begins collecting evidence, reviewing configurations, interviewing staff. Four to six weeks.
- Technical testing — vulnerability scans (authenticated, internal, external, database, web), penetration testing, configuration review. Two to four weeks.
- Security Assessment Report (SAR) — findings, risk ratings, recommendations. Two to four weeks to draft and finalize.
The 3PAO will produce a findings list. High findings typically number in the low tens even for well-prepared systems. Low and informational findings number in the dozens to low hundreds. None of this is a failure — it is the purpose of the assessment.
Phase 3: Remediation and POA&M
Findings get remediated before authorization or tracked in the POA&M (Plan of Action and Milestones) for remediation on a defined schedule. The allocation rules in 2026:
- High findings — must be remediated before ATO issuance unless the AO formally accepts risk. Most AOs will not.
- Moderate findings — remediate or POA&M with near-term milestones (30-90 days).
- Low findings — POA&M with reasonable milestones (up to a year).
The remediation cycle is where timelines slip. A vulnerability that is easy to describe ("upgrade library X to version Y") can be painful to execute if library Y breaks a downstream consumer. Budget 10-20 percent of your original engineering effort for post-assessment remediation, more if your pre-assessment was thin.
Phase 4: Agency review and ATO issuance
With SSP, SAR, and POA&M complete, the package goes to the sponsoring agency's AO office. The AO's team reviews, asks questions, potentially requires additional evidence, and issues the ATO letter. How long this takes depends almost entirely on the agency:

| Sponsor posture | Review time |
|---|---|
| Motivated — named go-live date | 4 - 8 weeks |
| Supportive but not time-pressured | 8 - 12 weeks |
| Polite sponsor, no pull | 12 - 24 weeks |
Phase 5: Continuous monitoring
The ATO is not the finish line. Continuous Monitoring (ConMon) is the ongoing submission of vulnerability scans, configuration compliance data, incident reports, and POA&M progress on a cadence defined in the package (typically monthly). Annual assessment by the 3PAO verifies the CSP is maintaining the posture. Significant changes to the system trigger significant change requests (SCRs). This never ends. Budget ConMon as a line item from day one.
Three places timeline actually slips
1. Undocumented engineering work
You know your system has encryption in transit. Can you show the ISSO the TLS version, cipher suite, and certificate management procedure? Can you show where that is documented in your procedures? If the answer is "I would have to go look," you have weeks of SSP work ahead of you that you did not budget. The fix is to document as you build, not after.
2. Interconnections
Every external system you talk to (identity provider, log aggregator, dependency registry, payment processor) is an interconnection. Each one needs an agreement — ISA or MOU — and a description in your SSP. Teams routinely discover in Phase 1 that their system has 12 interconnections instead of the 3 they diagrammed. The ISA paperwork alone can eat weeks.
3. Agency attention
The single largest source of calendar slip is the sponsoring agency's review bandwidth. An agency with three CSPs in flight and no dedicated AO staff will be slow. Negotiate upfront: named AO, named ISSO, target review turnaround times. If your sponsor cannot commit to any of that, you have the wrong sponsor.
Bottom line
Plan 12 months if you are disciplined, well-sponsored, and already running OSCAL. Plan 18 months if you are average. Plan 24 if you are documenting the system retroactively with a distracted sponsor. The FedRAMP process itself is well-defined; the delays come from upstream preparation and downstream agency attention. Spend on both.
Frequently asked questions
Typical range is 12 to 18 months from the start of formal readiness to ATO letter. Well-prepared, well-sponsored packages can close in 11-12. Poorly prepared or poorly sponsored packages regularly run 18-24 months.
No. Agency ATO is almost always faster because aligning one agency AO is easier than aligning the Joint Authorization Board's three. Agency is the default path in 2026.
It is not formally mandatory for Agency ATO, but most sponsoring agencies require either a Ready designation or a 3PAO readiness assessment before they commit sponsorship.
High findings must be remediated before ATO issuance unless the AO formally accepts the risk. Most AOs will not accept High risks. Plan remediation time in the post-assessment phase.
Three to four months typically. Security Assessment Plan (2-4 weeks), evidence collection and interviews (4-6 weeks), technical testing (2-4 weeks), Security Assessment Report drafting (2-4 weeks).
Three things: retroactive SSP authoring, undocumented interconnections, and slow agency AO review. The first two are within your control. The third requires picking a sponsor with named AO bandwidth.