FedRAMP

Last updated: 2026-04-11 • ← All frameworks

Overview

The Federal Risk and Authorization Management Program (FedRAMP) is the US federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. FedRAMP authorization is based on NIST Special Publication 800-53 control baselines (Low, Moderate, and High), and requires assessment by a FedRAMP-accredited Third Party Assessment Organization (3PAO).

Current status

Not currently pursuing authorization

Backbuild is not currently pursuing FedRAMP authorization. Customers with FedRAMP obligations should contact us to discuss shared responsibility, boundary mapping, and whether Backbuild is appropriate for their specific data classification and workload.

While no FedRAMP ATO is in place, Backbuild has internally aligned significant portions of its control library to the NIST SP 800-53 Moderate baseline as part of its broader compliance program.

NIST SP 800-53 control alignment

Controls implemented at Backbuild map to the following NIST 800-53 control families:

• AC — Access Control: account management, least privilege, separation of duties, remote access, session controls.
• AU — Audit and Accountability: audit event definition, content, storage, protection, review, and analysis.
• IA — Identification and Authentication: organizational user identification, multi-factor authentication, authenticator management.
• SC — System and Communications Protection: boundary protection, transmission confidentiality and integrity, cryptographic protection.
• SI — System and Information Integrity: flaw remediation, malicious code protection, information system monitoring, software integrity.
• CM — Configuration Management: baseline configuration, change control, least functionality.
• IR — Incident Response: incident handling, monitoring, reporting, and response assistance.

A detailed control-by-control mapping against the Moderate baseline is maintained internally and can be shared with qualified customers under a mutual non-disclosure agreement.

Current limitations for FedRAMP workloads

• FIPS 140-2/3 validated cryptography: Backbuild uses strong, modern cryptographic primitives, but not all cryptographic modules in the stack have been verified against FIPS 140-2 or 140-3 validation requirements.
• No dedicated GovCloud deployment: Backbuild runs on Cloudflare's global commercial network. There is no dedicated US-only, US-persons-only, or GovCloud-equivalent environment.
• No 3PAO engagement: Backbuild has not engaged a FedRAMP-accredited 3PAO and has no current System Security Plan (SSP) submitted to the Joint Authorization Board or a sponsoring agency.
• Continuous monitoring: Backbuild maintains its own continuous monitoring program, but it is not aligned to FedRAMP ConMon reporting cadences or deliverables.

Roadmap

FedRAMP Low or Moderate authorization is not currently committed on the Backbuild roadmap. Customers who require a FedRAMP-authorized service for specific data types or workloads should plan to use Backbuild only for non-covered data, and should contact us early in their procurement process so we can help determine whether this is feasible for their use case.