Schellman first to assess 200 FedRAMP cloud services

Schellman has become the first FedRAMP Third Party Assessment Organisation to assess 200 cloud service offerings on the FedRAMP Marketplace. The milestone puts the firm at the forefront of a market that helps cloud providers sell services to the US federal government.

The total includes assessments across all FedRAMP authorisation levels - Low, Moderate and High - as well as Department of Defence impact levels IL4, IL5 and IL6. Its work has spanned providers entering the federal market for the first time and defence contractors handling sensitive government environments.

FedRAMP is the security review programme US federal agencies use to evaluate cloud services before procurement. That makes Third Party Assessment Organisations central to a process many software and infrastructure suppliers must navigate to win public sector business.

The milestone comes as the programme is being updated through the FedRAMP 20x initiative, which aims to revise how the framework operates and scales. Against that backdrop, firms that have conducted large numbers of assessments are likely to attract attention from cloud vendors seeking guidance on an approval system that remains demanding and highly procedural.

Reaching 200 assessed offerings gives Schellman a broad view of where providers face the greatest difficulty in the FedRAMP process and how expectations are changing. The firm says that breadth of work has been built over more than a decade in the federal cloud security market.

Avani Desai, chief executive officer of Schellman, linked the milestone to the company's long involvement in the programme.

"This milestone is a proud moment for Schellman because it reflects more than a decade of focus and commitment to the FedRAMP program," said Avani Desai, Chief Executive Officer, Schellman. "Reaching 200 assessments means our team has helped clients navigate one of the highest bars for cloud security and trust. I am incredibly proud of the professionals who built this practice and continue to raise the standard every day. The trust our clients place in us to assess some of their most critical environments is something we never take lightly."

Federal demand

For cloud providers, a FedRAMP assessment can be a gateway to contracts with civilian agencies and, in some cases, defence-related buyers. The process examines whether a service meets a catalogue of security controls and whether those controls are implemented in a way that satisfies government requirements.

Schellman also operates across adjacent federal compliance areas, including CMMC, NIST 800-53, NIST 800-171, FISMA, CJIS, ITAR and Department of Defence assessment frameworks. That overlap matters because many government suppliers must meet several standards at the same time, depending on the data they handle and the agencies they serve.

Market participants have long viewed experience as a differentiator in the FedRAMP field, in part because authorisations can be complex and may require both technical testing and close engagement with agencies. The volume of completed assessments may therefore signal to cloud companies that an assessor has a track record across different service categories and risk levels.

Matt Hungate, Federal Practise Leader at Schellman, said the company's clients have gone on to secure a large number of approvals across government.

"For over a decade, FedRAMP has set the gold standard for cybersecurity compliance, and Schellman has become the assessor that federal agencies and cloud service providers trust to get it right," said Matt Hungate, Federal Practise Leader, Schellman. "We've always prioritized genuine security over checkbox compliance, and the results speak for themselves. Our clients have received over 870 ATOs across 71 federal agencies which is a reflection of the team's program depth, technical expertise, and commitment to quality that defines how we work."

The reference to more than 870 authorities to operate across 71 agencies points to the scale of activity among suppliers that use the firm's assessment services. In federal procurement, an authority to operate is a formal approval that allows a system to be used within an agency environment.

Schellman is known in the compliance and attestation market as a large provider of audit and assessment services. Its position in FedRAMP adds to a broader portfolio aimed at companies that need to demonstrate adherence to cybersecurity and regulatory standards in both government and regulated commercial sectors.

The latest milestone underlines how important concentrated expertise has become in the federal cloud market, where vendors face significant scrutiny before services can be adopted.