TL;DR
After leading SOC 2 work and prepping for FIPS 140-2/3, FedRAMP looked like the natural next step — until I sized up the surface area. For a non-US company, the real first question isn’t “which controls do we implement?” It’s “which partner do we walk in with?” This post starts a series where I document the journey from a platform engineering perspective — beginning with how I’m thinking about advisory and 3PAO vendors like Knox, A-LIGN, Schellman, and Coalfire, and why the “FedRAMP in 90 days” promise needs an asterisk the size of a 3PAO invoice.
Introduction
I’ve been heads-down on compliance work for the past year — SOC 2 audits across consulting engagements, FIPS 140-2/3 prep for healthcare AI workloads, building out the supply chain proof: SBOM, attestation, signed images, encrypted-at-rest everything. At some point, a US federal opportunity lands on the table and someone in a meeting says: “How quickly can we be FedRAMP Moderate?”
IMO, the first time you hear that question, you don’t actually know yet. And if you’re a non-US company without an existing federal customer base, the next thing you discover is that you almost certainly aren’t going to figure it out alone.
This series is my field notebook for that journey. I’ll deep-dive into the platform side — what changes in your IaC, your Kubernetes posture, your observability stack, your evidence pipeline — in later posts. This first one is about the before of all that: the framework landscape, why a partner matters, and the 90-day fairy tale.

What FedRAMP Actually Is (Compared to What You Already Know)
If you’ve done SOC 2, you know the rhythm: pick a Type II window, run your controls for the period, an auditor reviews evidence, you get a report. It’s a trust signal aimed at commercial customers.
If you’ve touched FIPS, you know it’s narrower and more technical — it’s about how cryptographic modules are built and validated, not about how your organization operates.

FedRAMP is a different animal. It’s the US federal government’s authorization framework for cloud services, built on NIST SP 800-53 controls, and it’s both broader than SOC 2 (it covers your operational posture, your supply chain, your personnel screening, your incident response, all of it) and more technical than people expect — FIPS-validated crypto is required, not optional, inside a FedRAMP boundary. Three impact levels — Low, Moderate, High — gate which agencies and data classifications can use your service.
And then there’s the shift happening right now. FedRAMP 20x, the program redesign GSA launched in 2025, is moving the framework from a document-heavy, narrative-based audit to a machine-readable, continuously-validated model. The first pilot vendor completed authorization in 119 days. The default authorization path is expected to become 20x in the second half of 2026. The role of the third-party assessor is mutating from “narrative reviewer” to “validator of your automated evidence pipeline.”
I’ll deep-dive into 20x, KSIs, and the OSCAL machine-readable submission model in a later post — there’s enough there for two or three on its own. For now, the point is this: the framework you’re certifying against in mid-2026 is not the framework that existed two years ago, and partners who haven’t internalized that are selling you yesterday’s playbook.
Why a Third-Party Partner Isn’t Optional (Especially from Outside the US)
Three roles get conflated in conversations about FedRAMP, and untangling them is the first useful thing you can do:
- The 3PAO — Third Party Assessment Organization. The actual auditor. They cannot also be your advisor; that is a conflict of interest. They write the Security Assessment Plan, perform the assessment, and produce the Security Assessment Report (SAR).
- The advisory / readiness partner — Helps you build the program, write the System Security Plan (SSP), implement controls, and prepare evidence. This is the role that vendors like Knox, A-LIGN’s advisory arm, Schellman’s readiness practice, Coalfire’s advisory, and similar firms play.
- The agency sponsor (legacy path only) — A US federal agency that sponsors your authorization. Under 20x, this requirement is going away, which is a significant unlock for non-US providers.

If you’re outside the US, the advisory partner role is where most of the value lands. Reasons, in roughly the order I keep encountering them:
- Federal procurement culture is its own world. The language, the document templates, the unwritten expectations about how a POA&M should read — little of this is written down in the public templates. You buy that knowledge.
- Time zones and presence. Federal review cycles, FedRAMP PMO coordination, agency sponsor coordination — having someone with US business hours and a US phone number reduces friction in ways the spreadsheet won’t capture.
- Reciprocity translation. You probably already have SOC 2, ISO 27001, maybe FIPS. A good partner maps what you already have to FedRAMP control families, so you’re not rebuilding evidence you already produce.
- Avoiding the “first US client” trap. An agency asks for FedRAMP Moderate. Sales says “twelve months.” The CFO sees the number. The conversation gets harder from there. A partner who has been through this lets you sequence the work intelligently before the customer conversation, not during it.
The “FedRAMP in 90 Days” Claim
Some vendors are pitching aggressive timelines now. Some of that pitch is real — the 20x pilot data shows authorizations happening in months, not the historical 18 to 24 months. Some of it is marketing.
Here’s how I’m reading it. The 90-day window — or 120, or 180 — is the audit and authorization window. It is not the journey. The journey is everything that has to be true about your platform before the audit window can productively start:
- IaC as the only way infrastructure changes — no click-ops (changes made by hand in a web console) in production
- FIPS-validated cryptographic modules across the boundary — TLS, KMS, application-layer crypto
- Continuous monitoring and machine-readable evidence emission, ideally in OSCAL (NIST’s Open Security Controls Assessment Language) format
- Boundary diagrams that match reality, not aspiration
- Personnel screening, training records, and onboarding/offboarding workflows that produce evidence on their own
- Incident response procedures that have been rehearsed, not just written
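One way the "evidence on its own" item in the list above can look in practice, as an added illustration and not code from this post: a small Python script that runs a single automated check (minimum TLS version and a cipher allow-list on each listener at the boundary) and emits the result as a minimal OSCAL assessment-results document instead of a screenshot pasted into a narrative. The listener inventory is constructed sample input; the cipher allow-list, the SC-13 statement id and the assessment-plan href are assumptions for illustration; the document carries the required fields of the OSCAL assessment-results JSON model as I read it, so validate the output against the published schema before relying on it.

```python
"""Minimal evidence emitter: run one constructed control check and wrap the
result in a small subset of the OSCAL assessment-results JSON model.

Added example, not code from the post. The listener inventory, the cipher
allow-list and the choice of control statement are assumptions for illustration.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input: what a platform inventory job might export for each
# TLS listener at the authorization boundary.
SAMPLE_LISTENERS = [
    {"name": "api-gateway", "min_tls": "1.2",
     "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]},
    {"name": "legacy-admin", "min_tls": "1.0",
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"]},
]

# Assumption: an allow-list restricted to suites your FIPS-validated module is
# validated to provide. Derive the real list from the module's security policy.
APPROVED_CIPHERS = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
}
MIN_TLS = (1, 2)

# Assumption: the control statement this check provides evidence for. SC-13
# (Cryptographic Protection) is the 800-53 control behind the FIPS requirement.
CONTROL_STATEMENT = "sc-13_smt"


def _version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def check_listener(listener):
    """Return the list of deviations for one listener; empty means compliant."""
    deviations = []
    if _version_tuple(listener["min_tls"]) < MIN_TLS:
        deviations.append(f"min_tls {listener['min_tls']} is below the required 1.2")
    for cipher in listener["ciphers"]:
        if cipher not in APPROVED_CIPHERS:
            deviations.append(f"cipher {cipher} is not in the approved set")
    return deviations


def build_assessment_results(listeners, collected_at=None):
    """Wrap per-listener check results into an OSCAL-shaped assessment-results document."""
    now = (collected_at or datetime.now(timezone.utc)).isoformat()
    observations, findings = [], []
    for listener in listeners:
        deviations = check_listener(listener)
        obs_uuid = str(uuid.uuid4())
        # One observation per listener records what was actually measured.
        observations.append({
            "uuid": obs_uuid,
            "title": f"TLS configuration of {listener['name']}",
            "description": "; ".join(deviations) or "no deviations",
            "methods": ["TEST"],
            "collected": now,
        })
        # One finding per listener states whether the control statement is met.
        findings.append({
            "uuid": str(uuid.uuid4()),
            "title": f"SC-13 check for {listener['name']}",
            "description": f"{len(deviations)} deviation(s) found",
            "target": {
                "type": "statement-id",
                "target-id": CONTROL_STATEMENT,
                "status": {"state": "satisfied" if not deviations else "not-satisfied"},
            },
            "related-observations": [{"observation-uuid": obs_uuid}],
        })
    return {
        "assessment-results": {
            "uuid": str(uuid.uuid4()),
            "metadata": {
                "title": "TLS boundary check",
                "last-modified": now,
                "version": "1",
                "oscal-version": "1.1.2",
            },
            # Assumption: location of the assessment plan this run executes.
            "import-ap": {"href": "./assessment-plan.json"},
            "results": [{
                "uuid": str(uuid.uuid4()),
                "title": "Automated TLS listener check",
                "description": "Evidence emitted by the platform, not hand-written.",
                "start": now,
                "observations": observations,
                "findings": findings,
            }],
        }
    }


def unsatisfied(doc):
    """Titles of findings that did not satisfy the control, usable as a CI gate."""
    return [f["title"] for f in doc["assessment-results"]["results"][0]["findings"]
            if f["target"]["status"]["state"] == "not-satisfied"]


if __name__ == "__main__":
    doc = build_assessment_results(SAMPLE_LISTENERS)
    print(json.dumps(doc, indent=2))
```

Run on the sample inventory, the api-gateway listener produces a satisfied finding and legacy-admin a not-satisfied one (TLS 1.0 and RC4-SHA), and unsatisfied() gives a pipeline something to fail on. The point is the shape of the pipeline, not this particular check: every control you can test by machine gets a job like this, the findings accumulate into the continuous-monitoring package, and the 3PAO validates the pipeline rather than a screenshot.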
If you walk in with all of that already operational, 90 to 180 days is plausible. If you walk in with SOC 2 and good intentions, you’re looking at a year of platform work before the audit window matters — and a partner is the one who can tell you that on the first call instead of the eighth.
My Vendor Short List (As of Now)
I’m not endorsing anyone — I’m in the evaluation phase, not the contract phase. Vendors I’m currently looking at as potential advisory or 3PAO partners, in alphabetical order:
- A-LIGN — large 3PAO with an advisory arm; active in 20x as both an assessor and a pilot participant
- Coalfire — long-established 3PAO and advisory, broad federal track record
- Knox — newer, automation-forward, positioning around the 20x model
- Schellman — 3PAO with a strong advisory practice and SOC 2 / ISO 27001 reciprocity experience
There are others — Secureframe, A-SCEND, Vanta-adjacent offerings, smaller boutiques. The list isn’t exhaustive; it’s where I’m starting.
The questions I’m taking into every one of those conversations:
- How many non-US CSPs have you taken through FedRAMP, and can I talk to two of them?
- What’s your read on Rev5 versus 20x for our situation, given our timeline?
- What does your continuous monitoring delivery look like after authorization — annual retainer, or staffed engagement?
- How do you handle reciprocity with SOC 2 and ISO 27001 evidence we already produce?
- What’s your position on OSCAL — are you emitting machine-readable packages today, or planning to?
If a partner can’t answer the OSCAL question with specifics in mid-2026, that tells me something.
What I’d Tell My Past Self
The reframing that changed every partner conversation for me: stop asking “who can get me certified fastest” and start asking “who can help me operate as a FedRAMP-grade platform on day 200, so the audit on day 270 is anticlimactic.”
Certification is a downstream outcome of a platform that produces continuous, trustworthy evidence. If the platform isn’t there, no amount of partner velocity gets you across the line in 90 days — it just gets you a more expensive failed audit.
Conclusion
This is Part 1 of a series I’m writing as I go. I don’t know yet how many posts it’ll run to — that depends on what I learn and what’s worth sharing. What I can commit to is that future posts will go deep on the platform side: what changes in your Kubernetes posture, how IaC and policy-as-code map to FedRAMP control families, the FIPS-in-FedRAMP overlap (its own minefield), what OSCAL and 20x actually mean for the evidence pipeline, and the SOC 2 → FedRAMP delta in concrete terms.
If you’re walking a similar path — non-US company, platform or DevOps lead, staring at a federal opportunity and wondering where to start — the start is the partner conversation. Go in with the right questions.
Further Reading
- FedRAMP 20x Overview — official program page
- FedRAMP Marketplace — authorized providers and 3PAO directory
- NIST SP 800-53 Rev 5 — the control catalog underneath FedRAMP