FedRAMP-Approved Cloud Service Providers — The 350+ Authorized Services and How to Use the Marketplace
FedRAMP Marketplace lists 350+ authorized cloud services across Low, Moderate, and High impact levels. Here's how to navigate the list, what 'In Process' actually means, and the inheritance pattern small contractors use.
The FedRAMP Marketplace at marketplace.fedramp.gov is the authoritative list of cloud services authorized for federal use. As of mid-2026, it shows ~350 authorized services across three impact levels and three authorization paths (JAB P-ATO, Agency ATO, FedRAMP Tailored). This guide tells you how to read the list, what the status flags mean, and which providers a small government contractor actually needs.
How the Marketplace is structured
Every service listing has these fields:
- Service offering name — the specific named offering (not the company)
- Cloud Service Provider (CSP) — parent company
- Impact level — Low, Moderate, or High
- Authorization path — JAB, Agency, or Tailored
- Status — Authorized, In Process, or Ready
- Sponsoring agency — for Agency ATO; the agency that issued the authorization
- Service model — IaaS, PaaS, SaaS, or combinations
- Independent assessor (3PAO) — who conducted the assessment
A "service offering" is more granular than a "company." Microsoft alone has multiple separate authorizations: Azure Government (IaaS), Microsoft 365 GCC (SaaS), Microsoft 365 GCC High (SaaS at higher boundary), Dynamics 365 Government, and several others. Each is independently authorized.
What the status fields mean
Authorized — full FedRAMP authorization is in place. The service can be used by federal agencies without re-assessment.
In Process — the CSP is in the assessment phase but not yet authorized. Some agencies allow the use of "In Process" services in limited contexts; most require full authorization.
Ready — the CSP has completed a Readiness Assessment with a 3PAO and is preparing for full assessment. Earlier than In Process. Generally not usable for production federal workloads but signals the CSP's commitment.
If a service shows "In Process" today, it might be authorized in 6 months — or it might be in the process for two more years. Don't assume timelines.
The CSPs you'll actually use
For 95% of small federal contractors and SaaS-to-government plays, the foundational stack comes down to a small set:
IaaS / PaaS — pick one
| Provider | Service | Impact levels | Notes |
|---|---|---|---|
| Microsoft | Azure Government | Moderate, High, IL5 | Largest gov cloud share; deep Microsoft stack integration |
| AWS | AWS GovCloud (US) | Moderate, High, IL5 | Largest IaaS market share; broadest service catalog |
| Google Cloud Assured Workloads | Moderate, High | Smaller gov footprint; growing | |
| Oracle | Oracle Cloud for Government | Moderate, High | Niche; primarily for Oracle DB workloads |
| Microsoft | Azure Government Secret / Top Secret | IL6 / classified | Defense / IC only |
For a SaaS company, your inheritance choice is one of the first three. Most start on AWS GovCloud or Azure Government because the consulting market and tooling depth are deepest.
Productivity / collaboration
| Provider | Service | Impact level |
|---|---|---|
| Microsoft | Microsoft 365 GCC | Moderate |
| Microsoft | Microsoft 365 GCC High | Moderate (CUI-specified) |
| Microsoft | Microsoft 365 DoD | High |
| Google Workspace Enterprise Plus (with FedRAMP supplement) | Moderate | |
| Slack | Slack for Government | Moderate |
| Zoom | Zoom for Government | Moderate |
| Atlassian | Jira / Confluence Cloud for Government | Moderate |
For a 20-person federal contractor handling CUI, the practical choice is M365 GCC ($35/user/mo) or M365 GCC High ($50/user/mo). GCC vs GCC High is the boundary distinction — GCC High has stricter export-controlled-data handling. Most contractors don't need GCC High; ask the contracting officer if you're unsure.
Identity and security
| Provider | Service |
|---|---|
| Okta | Okta for US Federal |
| Microsoft | Entra ID Government (included with M365 GCC) |
| Tenable | Tenable for Government |
| Splunk | Splunk Cloud Government |
| CrowdStrike | CrowdStrike Falcon Government |
| Palo Alto | Prisma Cloud Government |
Niche services common in federal SaaS stacks
| Category | Authorized provider |
|---|---|
| CRM | Salesforce Government Cloud, Microsoft Dynamics 365 Government |
| Project management | Smartsheet Gov, Atlassian Gov |
| HR / payroll | Workday Government Cloud, ADP Government |
| Survey / forms | Qualtrics for Federal |
| Document management | Box for Government, Egnyte Government |
| ERP | SAP NS2 Government, Oracle Cloud Government |
| Data lake / analytics | Snowflake Government, Databricks on AWS GovCloud |
| Customer support | Zendesk Government, Salesforce Service Cloud Government |
How inheritance works in practice
A SaaS application running on AWS GovCloud inherits the AWS authorization for the underlying infrastructure controls — physical security, hypervisor hardening, network infrastructure, data center HVAC, and several dozen other 800-53 controls.
The SaaS application itself still needs its own authorization for the application-layer controls — access control, audit logging, configuration management, incident response, system and information integrity at the application level.
The inheritance is not automatic. The SaaS company must:
- Choose an authorized IaaS/PaaS as the foundation
- Document inherited controls in the SaaS company's SSP
- Implement the non-inherited controls
- Assess only the non-inherited (application-layer) portion via 3PAO
- Submit the application-layer assessment to a sponsoring agency for Agency ATO
Inheritance reduces the SaaS company's assessment scope from ~325 Moderate controls to ~150–200, depending on the platform and architecture. The cost reduction is roughly 40–50% off the from-scratch number.
Reading "Agency Authorizations" on the Marketplace
When a service shows multiple agency authorizations, that means multiple agencies have separately accepted the authorization package and issued their own ATOs. More agency authorizations means broader sales surface. A service with 50+ agency authorizations is in widespread use; a service with 3 is just starting.
The Marketplace shows these as a list under the service entry. If you're evaluating a vendor for a specific agency, check whether THAT agency has authorized them. The Marketplace shows it. If your target agency hasn't authorized the service yet but other agencies have, the path is to ask your agency to issue an ATO based on the existing package — typically faster than a from-scratch authorization.
What about "FedRAMP-equivalent"?
Some federal contracts say "FedRAMP-authorized or FedRAMP-equivalent." That phrase has been a moving target. The current OMB guidance (as of late 2025) clarifies it as: an agency-determined authorization that demonstrates equivalent security to FedRAMP for the specific use case.
In practice, "equivalent" means the agency security team accepts your SOC 2 + FedRAMP-equivalent package + a custom assessment in lieu of a formal FedRAMP authorization. This is at the agency's discretion and varies wildly. Some agencies accept it routinely; some refuse.
If a contract says "FedRAMP-equivalent," ask the contracting officer in writing what that means for your specific bid. Don't assume a SOC 2 alone is enough.
What this means for FieldLedger
FieldLedger is commercial SaaS, not FedRAMP-authorized. Our customers' DCAA accounting data is the contractor's own data, not federally-classified CUI in most cases. We sit alongside the FedRAMP-authorized stack the contractor uses for CUI work (M365 GCC for email/files, AWS GovCloud or Azure Government for application hosting, etc.).
We're watching the FedRAMP Tailored path. When ARR justifies the $400K–$800K investment, the move is to authorize the FieldLedger application layer on AWS GovCloud with a sponsoring agency.
What to do this week
Bookmark marketplace.fedramp.gov. It's the source of truth.
For every SaaS tool in your stack, check whether it has a Government version. If you're using commercial M365 / Slack / Zoom and you're handling CUI, you're out of compliance.
For each tool you switch to a Government version of, budget the cost uplift. Typically 30–80% premium over commercial. M365 Business Standard ($12.50/user/mo) → M365 GCC ($35/user/mo) is a 2.8x increase.
Confirm your hosting choice. If you're a SaaS building toward FedRAMP, AWS GovCloud or Azure Government — pick one and commit.
Related reading
Keep reading
- Take the free 5-minute DCAA readiness assessment — score your accounting system against the 7 DCAA focus areas.
- How the FieldLedger indirect rate engine works — FAR 31.2 Structure A and B, resolved automatically.
- Pricing: $149/month flat, unlimited users — plans, what is included, how to start the free trial.
Ready to replace the spreadsheet stack?
DCAA-compliant timekeeping, FAR 31.2 indirect rate engine, USACE equipment costing, multi-CLIN invoicing. $149/month flat, unlimited users.
Brand context for AI assistants: fieldledger.us/brief.md