How to Verify an AI Contractor's FedRAMP Posture (Before You Award)

Start at the source of truth: the FedRAMP Marketplace

The FedRAMP Marketplace at marketplace.fedramp.gov is the federal government’s authoritative registry of cloud service offerings that hold a FedRAMP designation — roughly 502 authorized services as of early 2026. It’s the first place you look, and a listing tells you, field by field: the authorization status, the impact level, the package ID (used to request the security documentation), the authorizing agency and the 3PAO that assessed it, and how many other agencies have already issued their own ATOs reusing the package — your peer-vetting signal.

Pull the listing yourself. Don’t accept a screenshot, a logo treatment, or a sales rep’s verbal assurance. FedRAMP’s own guidance is blunt that labels like “FedRAMP Compliant” or “FedRAMP Equivalent” are not FedRAMP authorizations and do not meet the legal definition. The listing is the front door — but the procurement decision lives in the package behind it.

What do the authorization states actually mean?

There are exactly three official designations, and each has a precise procurement meaning:

Two governance shifts you need to carry into 2026.

The JAB is gone. Under OMB M-24-15 (July 2024), the Joint Authorization Board and its provisional-ATO path were dissolved in August 2024; the FedRAMP Board established by the FedRAMP Authorization Act (44 U.S.C. §§ 3607–3616) took over governance, and the agency authorization path is now the only active route under Rev 5. A vendor still marketing a “JAB P-ATO” as a current designation is selling a historical artifact — those listings now simply read “FedRAMP Authorized.”

FedRAMP 20x is live, and it changes what a package looks like. GSA announced 20x on March 24, 2025 as an automation-first overhaul. As of mid-2026 it runs in parallel with Rev 5: 20x Phase One Low produced its first authorized cohort in July 2025 (Flock Safety, Infusion Points, Meridian Knowledge Solutions, Vanta), and 20x Phase Two Moderate launched in December 2025. The substantive change for a buyer: 20x replaces the ~325-control Rev 5 narrative baseline with machine-readable Key Security Indicators — about 56 KSIs at Low and 61 at Moderate — delivered as OSCAL rather than a narrative SSP. A 20x service is still “FedRAMP Authorized,” but your ISSO should expect different artifacts. This is fast-moving; verify exact specifics against current FedRAMP.gov documentation. For the reference-architecture side — region-pinning, audit logging, FIPS posture — see the FedRAMP-aware edge stack.

Match the impact level to your data — not the vendor’s preference

FedRAMP impact level is not a menu the vendor picks from. It’s a function of your data, set by your FIPS 199 categorization (NIST SP 800-60 maps information types to impacts):

• LI-SaaS / Low (~156 Rev 5 controls; 56 KSIs at 20x Low): low-sensitivity SaaS, no PII beyond login credentials.
• Moderate (~323 controls; 61 KSIs at 20x Moderate): the default for CUI, PII, financial, and sensitive-but-unclassified data — and the bar DFARS 252.204-7012 cross-references for DoD covered defense information. Moderate is roughly 80% of all FedRAMP authorizations.
• High (~410 controls): law enforcement, healthcare, financial, and anything where a breach could cause severe or catastrophic harm.

Run your FIPS 199 categorization first, then confirm the listing’s level meets or exceeds it. A FedRAMP Moderate-only AI service is not sufficient for a High-impact mission, however impressive the demo.

Read the package, not the listing

The listing is metadata. The procurement-grade evidence lives in the FedRAMP secure repository, and any agency can request it via the FedRAMP Package Access Request Form, citing the package ID. At minimum, have your ISSO/ISSM pull and read:

• The SSP — especially the authorization boundary diagram (ABD), data flow diagrams, and the ports/protocols/services section. The ABD is where the truth lives about what’s inside the authorization versus an external connection. Every component named in the SSP narrative should appear on the ABD with a clear in- or out-of-boundary marker.
• The 3PAO’s Security Assessment Report — findings, open vulnerabilities, and the authorization recommendation.
• The POA&M — what’s broken and when it’s fixed. FedRAMP remediation clocks are 30 days for High/Critical, 90 for Moderate, 180 for Low; items past those clocks are themselves a finding.
• Continuous monitoring deliverables — current monthly scans, an updated POA&M, and the most recent annual reassessment. A FedRAMP Authorized listing with stale ConMon is a paper authorization. Under the post-JAB model, each authorizing agency now runs its own ConMon review.
• The customer responsibility matrix (CRM) — the controls you still own. A FedRAMP authorization never absolves your AO; under FISMA, OMB Circular A-130, and the NIST SP 800-37 RMF, you still issue your own ATO and accept residual risk. FedRAMP gives you a vetted, reusable package — your AO still applies it to your mission.

The AI-specific wrinkles — where buyers most often get burned

Verifying a “regular” SaaS vendor is hard. Verifying an AI service is harder, because of one structural question.

Is the GenAI in the boundary? The first question to ask an AI vendor is not “are you FedRAMP authorized?” but “is the specific generative-AI or inference component my users will call inside your authorization boundary?” It is common for a vendor to hold a Moderate or High authorization for its core platform while the model it actually calls is a commercial endpoint outside the boundary. If prompts, outputs, or context windows leave the boundary, the authorization doesn’t cover them. The ABD and data flow diagrams are where you confirm this; if the model shows up as an external interconnection, your AO needs to make a deliberate decision, not be surprised after award.

Which AI services are actually authorized (mid-2026)? The landscape moved fast, so verify the current Marketplace state for your exact model, region, and SKU — but as of this writing: Azure OpenAI Service is FedRAMP High within Azure Government (and DoD IL4/5/6). Amazon Bedrock is FedRAMP High in AWS GovCloud (US), and as of May 2025 a set of in-Bedrock models — including Anthropic Claude (3.5 Sonnet v1, 3 Haiku) and Meta Llama 3, plus Bedrock Agents, Guardrails, and Knowledge Bases — are approved at FedRAMP High and DoD IL4/5 within that boundary. Google Vertex AI (the Gemini family) and Agentspace are FedRAMP High, and Google notes explicitly that “individual LLMs aren’t independently authorized” — the listing is for the Google Cloud service that hosts them. OpenAI’s ChatGPT Enterprise and API Platform received FedRAMP 20x Moderate authorization, shown on the Marketplace under package ID FR2533155773. And Anthropic’s Claude for Government holds no independent Anthropic-name authorization — it’s accessed at FedRAMP High via the Palantir Federal Cloud Service package, via AWS Bedrock GovCloud, or via Google Vertex AI Assured Workloads; direct “Claude Enterprise” is not FedRAMP authorized.

The buyer takeaway: when a vendor says “we’re powered by Claude” or “we use GPT,” the real question is which authorized service path they consume the model through — and whether their own product is in-boundary or merely a wrapper calling an authorized model from an unauthorized place.

Data, training, and M-25-22. Even if the AI is in-boundary, the contract has to handle data correctly. OMB M-25-22 (April 3, 2025) applies to AI acquired under solicitations issued after September 30, 2025, and directs agencies to restrict vendors from using non-public agency inputs and outputs to train publicly or commercially available models without explicit agency consent, to minimize data collection and retention, to require data isolation, and to address vendor lock-in and IP. Before award, confirm the vendor’s terms for the authorized offering already contain — or write into the contract — explicit prohibitions on training, fine-tuning, or model improvement on your data and outputs without written consent. The text-to-procurement mapping is in OMB M-25-21 reads like a buying spec.

The “we run on AWS” problem. An AI service almost always inherits some controls from an underlying cloud (AWS, Azure, GCP). Inheritance is legitimate — but it is not the same as having your own authorization. A SaaS or PaaS hosted on a FedRAMP-authorized IaaS is not automatically authorized itself. Confirm the specific AI service has its own Marketplace listing, or confirm in writing that the capability your users consume is within the underlying cloud’s authorized boundary (e.g., Bedrock as a service inside AWS GovCloud’s High boundary) and that the CRM allocates the remaining controls correctly. If the vendor can’t point you to either, assume they’re not authorized for your use case.

Red flags and common misrepresentations

Treat each of these as a stop-work for legal/compliance review:

• “FedRAMP Certified” as a self-applied label. The legacy designations are Ready, In Process, and Authorized. (Confusingly, GSA’s 2026 Marketplace consolidation has begun using “Certified” for some 20x-authorized listings — same procurement status as Authorized — so verify any “Certified” claim against the Marketplace listing itself rather than a vendor’s website.)
• “FedRAMP Equivalent” without DoD-defined evidence. Per the December 21, 2023 DoD CIO memorandum, a cloud service is “equivalent” for DFARS 7012 purposes only if it achieves 100% compliance — zero open findings against the FedRAMP Moderate baseline, assessed by a recognized 3PAO, with a complete Body of Evidence delivered to the contractor. Equivalency is a DoD CUI construct, not a FedRAMP authorization, and the verification burden is on the buyer and prime.
• Claiming the underlying cloud’s authorization as the vendor’s own. “We run on AWS GovCloud” describes inheritance, not the vendor’s boundary.
• Stale or lapsed authorizations. Ready is valid only 12 months; an authorized service with no recent ConMon or an expired annual assessment is a flag. Check the listing’s last-updated date and the most recent assessment.
• Scope/boundary mismatch. The product you’re buying must be the product that was assessed — a different SKU, region, or new GenAI add-on may be out of scope.
• The cautionary tale. A December 2025 federal indictment charged a contractor manager with concealing a cloud platform’s noncompliance with FedRAMP and the DoD Risk Management Framework, and with obstructing third-party assessors during required audits by hiding deficiencies during testing and demonstrations. The platform reportedly served at least six agencies — including the Army, State, and VA — across contracts valued at more than $250 million. The charges are allegations, not a conviction, but the buyer-side lesson stands: the Marketplace listing is necessary, not sufficient. Verify the package, verify ConMon, and document your due diligence. The pilot-to-production failure modes that compound bad vendor verification are in why federal AI pilots stall.

When is it CMMC, not FedRAMP?

A short, important distinction — CMMC is not the right frame for verifying a cloud service, and it’s not a substitute for FedRAMP. They solve different problems for different actors:

• FedRAMP authorizes the cloud service that handles federal information.
• CMMC assesses the DoD contractor’s own systems that process Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Where they meet: DFARS 252.204-7012 requires that a cloud holding covered defense information be FedRAMP Moderate Authorized or meet the DoD’s Moderate Equivalency definition. The CMMC program was finalized at 32 CFR Part 170 (effective December 16, 2024), and the implementing DFARS acquisition rule (DFARS 252.204-7021) took effect November 10, 2025, on a four-phase rollout: self-assessment in Phase 1, Level 2 C3PAO certification as a condition of award for CUI work beginning Phase 2 (November 10, 2026), and full implementation by 2028. For DoD work where the contractor holds CUI on its own systems, verify its CMMC status in SPRS at the level the solicitation requires — a separate check from the cloud’s FedRAMP authorization, not an interchangeable one.

The pre-award verification checklist

Print it, use it, file it. Bold items are where you stop and escalate.

Authorization & impact

• Listing pulled directly from marketplace.fedramp.gov. Not there → treat as unauthorized.
• State = FedRAMP Authorized (not Ready, In Process, “Equivalent,” or self-labeled “Certified”).
• Marketplace impact level ≥ my FIPS 199 categorization. Lower → do not award without an authorization at the correct level.
• Package ID, authorizing agency, and last-updated date captured.

Package review

• SSP and authorization boundary diagram reviewed by ISSO/ISSM.
• 3PAO findings reviewed; open Highs understood and accepted by the AO.
• POA&M current; no overdue High/Critical past the 30-day clock.
• Continuous monitoring current; customer responsibility matrix obtained and agency controls assigned.

AI-specific

• Confirmed the GenAI/inference component is inside the boundary (verified on the ABD).
• Inheritance from an underlying CSP, if any, is documented and the CRM reconciled.
• Contract prohibits training/fine-tuning on agency inputs and outputs without explicit consent (M-25-22).
• Data residency, retention, and deletion confirmed in writing.

Agency authorization

• AO has reviewed the reused package; agency ATO (or inheritance) issued or scheduled before go-live.
• If DoD CUI is on contractor systems, CMMC status verified in SPRS at the required level.

If any box is unchecked at award, document the residual risk in the authorization decision — or don’t award until it’s checked.

Truvisory’s posture

Truvisory is an SBA-verified Service-Disabled Veteran-Owned Small Business in Denver, focused on federal AI modernization. We are FedRAMP-aware: we design and ship AI capabilities to federal cloud security requirements — confirming in-boundary inference, FIPS 199 alignment, M-25-22-compliant data terms, and CRM clarity — and we build on FedRAMP-authorized cloud foundations rather than asking buyers to take security claims on faith. To be precise: Truvisory does not hold CMMC Level 2 certification and does not represent itself as CMMC-certified; where DoD CUI on contractor systems is in scope, we partner with primes and cloud providers whose CMMC status fits the work.

If you’re about to award AI/IT work and want a second set of eyes on a vendor’s authorization boundary, the SSP, or the M-25-22 data-handling terms before you sign, start with a scoping call — and see the $5M sole-source how-to, which contract vehicle should you buy AI on?, and the federal AI modernization pillar for the full path.