up:: The Mandates MOC
FedRAMP and PQC
FedRAMP, the Federal Risk and Authorization Management Program, is the U.S. government program that standardizes how federal agencies assess and authorize the security of cloud services, and it’s the channel through which the federal post-quantum migration reaches cloud service providers. A cloud vendor doesn’t answer to an agency’s post-quantum memo directly, but it does answer to FedRAMP, and FedRAMP inherits its cryptographic requirements from the same NIST controls and OMB mandates that drive the rest of the federal timeline. So the post-quantum deadlines written for agencies propagate to the cloud market through FedRAMP, which is how a requirement aimed at the government lands on any vendor that sells cloud to it.
The short version:
- FedRAMP is a single, reusable security authorization for cloud services sold to the federal government, run by the General Services Administration and codified into law by the FedRAMP Authorization Act.
- Its security requirements are built on the NIST SP 800-53 control baseline and sit inside the FISMA framework, so FedRAMP’s cryptographic rules move whenever NIST’s underlying controls move.
- The federal post-quantum mandates reach cloud providers through FedRAMP: OMB M-23-02 tells agencies to get the cryptographic inventory of FedRAMP-authorized products through the FedRAMP office, and OMB M-26-15 has CISA and the Department of War lead the PQC migration for FedRAMP-authorized cloud used at multiple agencies.
- The algorithm clock is NIST IR 8547: as its transition schedule and the underlying FIPS 140-3 validations mature, the cryptography a FedRAMP authorization requires migrates with them.
- The practical effect is that a cloud provider serving federal customers is on the federal post-quantum timeline whether or not any memo names it, because keeping its authorization eventually requires post-quantum-capable, validated cryptography.
Think of FedRAMP like a fire-safety certification that a landlord must hold to lease space to a large, safety-conscious tenant. The tenant doesn’t inspect the wiring itself; it requires a current certificate, and the certificate’s standard is written by a code authority the tenant trusts. When that authority updates the code to require a new kind of fire-rated cabling, every landlord who wants to keep leasing to that tenant has to upgrade, not because the tenant knocked on the door, but because the certificate they depend on now demands it. FedRAMP is that certificate for federal cloud, and the post-quantum standards are the code update working its way in.
What is FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. Its founding idea is “do once, use many times”: rather than every agency separately assessing the same cloud service, a service earns a FedRAMP authorization once and agencies reuse that assessment, which is why the FedRAMP Authorization Act establishes a presumption of adequacy for an already-authorized service and directs agencies to check for an existing authorization before starting their own. The program is run by the General Services Administration.
Source: FedRAMP Authorization Act, enacted as part of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Public Law 117-263, December 23, 2022, codified at 44 U.S.C. §§ 3607 through 3616, congress.gov.
Three facts about its standing shape how post-quantum requirements reach it, and they’re worth stating precisely:
- It’s law, run by GSA. FedRAMP existed as OMB policy from 2011 and was written into statute by the FedRAMP Authorization Act in December 2022, which codified the program within GSA and set up a FedRAMP Board to advise on requirements and prioritization.
- Its controls come from NIST SP 800-53. FedRAMP’s security requirements are baselines drawn from the NIST SP 800-53 control catalog, tailored for cloud, so a change to the relevant NIST controls is a change to what FedRAMP requires.
- It sits inside FISMA. FedRAMP operates within the Federal Information Security Modernization Act framework, and it uses FIPS 199 impact categorization (Low, Moderate, High) to decide which control baseline applies to a given service.
How does FedRAMP relate to FISMA and NIST?
FedRAMP is the cloud-specific application of the same FISMA-and-NIST machinery that governs federal information security generally, which is exactly why post-quantum requirements flow into it automatically rather than needing a separate FedRAMP rule for every change. FISMA is the statute that requires federal systems to be secured to a risk-based standard; NIST writes that standard as the SP 800-53 control catalog and the FIPS categorization scheme; and FedRAMP packages those controls into reusable baselines for cloud services. The dependency runs downhill: FISMA sets the obligation, NIST sets the controls, and FedRAMP inherits them.
The stack reads cleanly as four layers, each inheriting from the one above it:
| Layer | What it sets | Who owns it |
|---|---|---|
| FISMA | The statutory duty to secure federal systems to a risk-based standard | Congress, via statute |
| NIST SP 800-53 and FIPS categorization | The control catalog and the Low/Moderate/High impact scheme | NIST |
| FedRAMP baselines | Those controls packaged into reusable cloud authorization baselines | GSA |
| A cloud service’s authorization | The specific controls a given service must meet to sell to agencies | The cloud provider, assessed against the baseline |
Because each layer inherits from the one above, a change at the NIST layer flows down to what a FedRAMP authorization requires without a separate rule at every level. The cryptography-specific link is the control that requires cryptographic protection. FedRAMP requires that cryptography used to protect federal information be provided by a validated module, which is why FedRAMP’s own cryptographic-module policy points at FIPS 140-3 validation as the bar a cloud service’s cryptography has to clear.
Source: FedRAMP, “Policy for Cryptographic Module Selection and Use,” which requires cryptographic modules to be FIPS 140-3 validated, fedramp.gov.
Because the requirement is expressed as “use validated cryptography that meets the NIST controls” rather than “use these specific named algorithms forever,” the post-quantum transition reaches FedRAMP through the underlying standards. When the NIST controls and the FIPS 140-3 validation program recognize the post-quantum algorithms, the cryptography a FedRAMP authorization requires moves with them, without FedRAMP having to rewrite its program from scratch.
How do the federal post-quantum mandates reach cloud providers?
Through FedRAMP as the coordination point, in two concrete ways written into the OMB mandates themselves. The mandates were built to reach vendor-operated and cloud-hosted systems, and FedRAMP is the mechanism they use to do it.
- The inventory mandate routes through the FedRAMP office. OMB M-23-02 requires agencies to inventory the quantum-vulnerable cryptography in every system they operate or have operated on their behalf, which includes FedRAMP-authorized cloud products, and it directs agencies to work with the FedRAMP program office to obtain the cryptographic inventory for those products. An agency can’t push accountability for cloud cryptography onto the provider, so FedRAMP becomes the channel for getting the cryptographic facts out of the cloud service.
- The execution mandate assigns the cloud migration centrally. OMB M-26-15 tells agencies to engage their FedRAMP-authorized cloud providers to delineate PQC migration responsibilities under the shared-responsibility model, and it has CISA and the Department of War, coordinating with GSA, lead the migration for FedRAMP-authorized cloud providers and for SaaS, PaaS, and IaaS solutions used at more than one agency. Instead of every agency separately pressing the same shared cloud service, the migration for widely-used cloud is coordinated once, through FedRAMP.
Source: OMB, “Migrating to Post-Quantum Cryptography,” M-23-02, November 18, 2022, §II.A footnote 7 (agencies work with the FedRAMP PMO for the cryptographic inventory of FedRAMP-accredited cloud products), whitehouse.gov.
Source: OMB, “Execution of the Migration to Post-Quantum Cryptography,” M-26-15, June 24, 2026, §3.C (CISA and the Department of War, with GSA, lead the migration for FedRAMP-authorized cloud and multi-agency SaaS, PaaS, and IaaS), whitehouse.gov.
The design of this is deliberate and matches the “do once, use many times” logic of the whole program. A shared cloud service authorized under FedRAMP is used by many agencies at once, so coordinating its post-quantum migration through FedRAMP rather than agency by agency is both more efficient and more consistent, and it means the requirement lands on the provider once for all its federal customers.
What does this mean for a cloud service provider?
It means a provider serving federal customers is on the federal post-quantum timeline as a condition of keeping its business there, even though the OMB memos are addressed to agencies rather than to vendors. The FedRAMP authorization a provider depends on is anchored to NIST controls and FISMA, and the same mandate stack that sets 2030 and 2035 for agencies works its way into what a cloud authorization requires. The practical obligations that follow:
- Be ready to produce a cryptographic inventory of your service. Agencies must obtain it through the FedRAMP office, so a provider that can hand over an algorithm-level CBOM for its service is meeting the demand its federal customers are already under.
- Track the FIPS 140-3 validation of your post-quantum implementation. FedRAMP requires validated cryptography, so a post-quantum algorithm satisfies the requirement only once it sits inside a FIPS 140-3 validated module, however correctly the algorithm itself is implemented.
- Plan the migration on the NIST clock. The transition schedule in NIST IR 8547 is the algorithm clock the whole federal stack aligns to, and a cloud provider’s roadmap has to reach post-quantum key establishment and signatures in step with it to keep serving federal workloads.
- Build crypto-agility in. A provider whose cryptography changes only through a re-platforming is signing up for a construction project every time the standard moves, so crypto-agility is what lets an authorization stay current cheaply as the post-quantum requirements land.
The timing caution that applies everywhere in the federal stack applies here too. As of this writing the specific years in NIST IR 8547 sit in an Initial Public Draft, and the FIPS 140-3 validation of post-quantum modules is still maturing, so a provider’s exact post-quantum obligations firm up as those two pieces finalize. The direction is settled even while the precise dates are not.
How does FedRAMP fit the rest of the mandate landscape?
It’s the cloud-specific propagation channel inside the U.S. federal stack, one of the paths by which a rule written for the government reaches organizations the text never names. In the propagation model that runs through the mandate landscape, government sets the rule, regulators translate it, and procurement carries it into the market. FedRAMP is a piece of that procurement stage for cloud: it’s the purchase condition that makes federal cloud buyers require post-quantum readiness, so the deadline reaches the provider through the authorization it needs to sell.
- OMB M-23-02 and OMB M-26-15 are the memos that name FedRAMP explicitly as the coordination point for cloud inventory and cloud migration.
- NIST IR 8547 is the algorithm schedule FedRAMP’s cryptography aligns to as it matures.
- The NIST CSF and the SP 800-53 controls beneath FedRAMP are the framework layer that places cryptographic risk under governance and asset management, the same structure a cloud provider uses to organize its own readiness.
For a provider that also sells outside the U.S. government, FedRAMP is one of several overlapping pressures. The EU Cyber Resilience Act reaches any vendor placing a connected product on the EU market, so a global cloud provider often holds a FedRAMP obligation and a CRA obligation at once, and crypto-agility is what lets one codebase satisfy both as their post-quantum requirements arrive on different clocks.
Common misconceptions
- “FedRAMP already mandates post-quantum cryptography today.” It requires validated cryptography meeting the NIST controls, and the post-quantum requirements land as those controls and the FIPS 140-3 validations mature. The obligation arrives through the underlying standards rather than as a separate, already-final FedRAMP PQC rule.
- “The OMB memos don’t apply to cloud providers, so cloud is exempt.” The memos reach vendor-operated and cloud-hosted systems by design, and they name FedRAMP as the channel. A provider serving federal customers inherits the post-quantum expectation through the authorization it holds.
- “FedRAMP is separate from FISMA and NIST.” It’s the cloud-specific application of both. FedRAMP’s baselines are drawn from NIST SP 800-53, it uses FIPS 199 impact levels, and it operates inside the FISMA framework, so it moves when they move.
- “An agency can make the cloud provider solely responsible for PQC compliance.” The agency stays accountable for the cryptographic posture of every system that processes its information, including cloud, and it obtains the cryptographic inventory through the FedRAMP office rather than delegating the obligation away.
- “A correctly implemented post-quantum algorithm satisfies FedRAMP.” Not until it’s in a FIPS 140-3 validated module. FedRAMP requires validated cryptography, so the validation status of the implementation is part of the requirement, not a formality on top of it.
Questions people ask
Does FedRAMP require post-quantum cryptography right now? Not as a separate final rule yet. FedRAMP requires FIPS 140-3 validated cryptography that meets the NIST SP 800-53 controls, and the post-quantum requirements reach cloud providers as those controls and the validation program mature and as the NIST IR 8547 schedule finalizes. The direction is set even while the exact dates are still firming up.
How do the OMB post-quantum memos reach a cloud provider? Through FedRAMP. OMB M-23-02 has agencies obtain the cryptographic inventory of FedRAMP-authorized cloud products through the FedRAMP office, and OMB M-26-15 has CISA and the Department of War, with GSA, lead the migration for FedRAMP-authorized cloud used across multiple agencies. The requirement lands on the provider through the program, not through a memo addressed to it.
What’s the relationship between FedRAMP, FISMA, and NIST? FISMA is the statute requiring federal systems to be secured to a risk-based standard, NIST writes that standard as SP 800-53 and the FIPS categorization scheme, and FedRAMP is the cloud-specific packaging of those controls into reusable authorization baselines. FedRAMP’s cryptographic rules change whenever the NIST controls beneath them change.
Does FedRAMP use FIPS 140-3? Yes. FedRAMP’s cryptographic-module policy requires cryptography protecting federal information to come from a FIPS 140-3 validated module, so a post-quantum algorithm has to be in a validated module to count toward the requirement.
Is FedRAMP a law? The program began as OMB policy in 2011 and was codified into statute by the FedRAMP Authorization Act, enacted in December 2022 as part of Public Law 117-263, which placed the program in GSA and established a presumption of adequacy for authorized cloud services.
If I’m a cloud provider, what should I do now? Be ready to produce an algorithm-level cryptographic inventory of your service, track the FIPS 140-3 validation of your post-quantum implementations, plan your migration against the NIST IR 8547 schedule, and build crypto-agility in so your authorization stays current cheaply as the requirements land.
Everything here is the map, given freely. When your team needs the federal cloud post-quantum requirements translated into a migration plan sequenced against your FedRAMP authorization and your customers’ deadlines, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.