Tuesday, July 7, 2026
Home » FedRAMP Compliant Object Storage

FedRAMP Compliant Object Storage

If you run storage for a federal agency, or for a cloud service provider (CSP) that sells to one, you have almost certainly been asked a deceptively simple question: “Is our object storage FedRAMP compliant?” The honest answer is that the question needs unpacking, because FedRAMP does not work the way most people assume, and “compliant storage” means something specific.

This guide explains what FedRAMP actually authorizes, how its certification classes change what your storage has to do, the core controls object storage must satisfy, and what the move to FedRAMP 20x means for teams buying or building storage.

What FedRAMP is, in one section

The Federal Risk and Authorization Management Program (FedRAMP) standardizes how cloud services are security-assessed and certified for use by US federal agencies. It is built on the Federal Information Security Modernization Act (FISMA) and uses the control catalog in NIST Special Publication 800-53 as its baseline. In practice, FedRAMP gives agencies a common, reusable way to trust a cloud service instead of each agency assessing it from scratch.

The critical detail: FedRAMP authorizes a cloud service offering and its defined authorization boundary. It does not stamp individual components like a database, a load balancer, or a storage system as “FedRAMP approved” on their own. That single fact resolves most of the confusion around compliant storage, and we will come back to it.

FedRAMP, FISMA, StateRAMP, and DoD Impact Levels

These terms get used interchangeably and should not be. FISMA is the law that requires federal systems to be secured; agencies running their own systems (including private or hybrid cloud) do so under FISMA. FedRAMP is the program for certifying commercial cloud services to federal agencies. StateRAMP applies the same idea at the US state and local level. The Department of Defense adds its own Impact Levels (such as IL4 and IL5) for defense workloads on top of FedRAMP. Knowing which of these you actually fall under determines everything downstream, so pin it down before you evaluate a single storage feature.

FedRAMP Certification Classes and what they mean for storage

Under the Consolidated Rules for 2026, FedRAMP officially retired the legacy FIPS 199 “Impact Level” designations (Low, Moderate, High) along with the “FedRAMP Validated” label. Everything is now standardized under the term “FedRAMP Certified” across four specific Certification Classes:

  • Class A (Transitional On-Ramp): Replaces “FedRAMP Ready” as an initial entry point into the marketplace. It requires a smaller subset of initial monitoring, intended for providers with mature external frameworks (like SOC 2 Type II) building toward full assessment within a two-year window.
  • Class B (Low): Replaces the legacy Low and Li-SaaS baselines. It applies to systems handling non-sensitive federal information where a security breach would cause limited, minor harm.
  • Class C (Moderate): Replaces the legacy Moderate baseline. This is the broadest certification tier, covering roughly 80% of all FedRAMP-certified services. It applies to systems handling Controlled Unclassified Information (CUI) and non-public federal data where a breach could cause serious harm. This is where most agency backup, archive, and unstructured-data workloads land.
  • Class D (High): Replaces the legacy High baseline. Reserved for mission-critical federal information, law enforcement, and critical infrastructure where a breach could produce severe or catastrophic consequences. It requires the most demanding control set (over 410 controls).

The higher the certification class, the more rigorous the demands on the storage layer: stronger encryption expectations, tighter access control, more complete logging, and higher availability and recovery guarantees. When someone asks whether storage is compliant, the useful first question back is: for which certification class, and for which data?

Does object storage have to be “FedRAMP certified”?

This is the heart of it. Because FedRAMP certifies an offering and its boundary rather than a component, object storage is almost never certified in isolation. Instead, it shows up in one of two ways.

In the first scenario, a federal agency runs its own private or hybrid cloud under FISMA and uses the FedRAMP and NIST 800-53 baseline as its control set. Here the object storage is part of the agency’s own system, and it has to implement the controls the agency is accountable for: encryption, access management, logging, and so on.

In the second scenario, a service provider or integrator is pursuing a FedRAMP certification for a cloud offering. The object storage sits inside that authorization boundary and is assessed as part of the overall offering, not separately.

The practical takeaway for a storage buyer is the same in both cases. You are not looking for a box labeled “FedRAMP certified.” You are looking for storage that can satisfy the required controls and produce the evidence to prove it, wherever you deploy it. Any vendor claiming its storage product is itself “FedRAMP certified” is, at best, being loose with the language.

Core requirements your object storage must meet

Whichever scenario you are in, the same categories of control apply to the storage layer. Here is what to look for.

Data-at-rest encryption with a validated cryptographic module

FedRAMP requires that cryptography protecting federal data uses a module validated under the NIST Cryptographic Module Validation Program (CMVP). The important nuance: the requirement is a validated module with an active certificate, not simply the presence of an algorithm like AES-256. A system can use strong algorithms and still fall short if the module itself is not validated.

Note the timing. The federal government is completing the transition from FIPS 140-2 to FIPS 140-3, and FIPS 140-2 is no longer accepted for new module submissions after September 2026. When you evaluate storage, ask specifically about the FIPS 140-3 validation status of the cryptographic module, not just “do you encrypt.”

Encryption in transit and key management

Data moving in and out of storage must be protected in transit with validated cryptography as well. Beyond the encryption itself, FedRAMP environments expect disciplined key management: integration with a key management service, key rotation, and separation of duties so that the people who manage keys are not the same people who manage the data.

Access control, identity, and least privilege

Storage must enforce role-based access control, multi-factor authentication for privileged access, and least-privilege policies down to the bucket and object level. The question is not whether the storage has permissions, but whether those permissions are granular, auditable, and centrally governed.

Audit logging and continuous monitoring

FedRAMP is built around continuous monitoring, so the storage layer needs to produce complete, tamper-resistant audit logs and export them to the tools your security team already uses, such as a SIEM. If you cannot answer “who accessed what, when, and from where” with confidence, the storage is not ready for a FedRAMP environment.

Data integrity, immutability, and ransomware resilience

Federal guidance increasingly treats recoverability as a security control, not just an operations concern. Object storage that supports object lock or write-once-read-many (WORM) protection, and that can be air-gapped or logically isolated, gives agencies a defensible last line against ransomware and insider tampering. This matters even more given the volume of attacks aimed at public-sector targets.

Availability, durability, and multi-site resilience

Higher certification classes carry higher availability expectations. Look for strong data durability (for example through erasure coding), multi-site replication, and recovery objectives that map to the agency’s RTO and RPO targets. Durability protects the data from loss; availability keeps it reachable when a site or component fails.

Data residency and sovereignty

For federal data, where the data physically lives and who can operate on it are first-class concerns. That usually means data on US soil, inside the authorization boundary, with operational access limited to appropriately screened US persons. Storage that gives you explicit control over data location and access supports this directly.

FedRAMP 20x: what is changing, and why storage teams should care

FedRAMP is in the middle of its biggest evolution since inception. Under the Consolidated Rules for 2026, the program is shifting away from traditional, manual paperwork and point-in-time annual audits toward automation, machine-readable evidence (via JSON schemas), and continuous validation.

The centerpiece of this shift is a set of Key Security Indicators (KSIs)—outcome-focused, machine-verifiable security capabilities that replace traditional NIST control narratives. Instead of writing a massive document asserting how you plan to protect a system, 20x requires you to prove the control is working through automated data collection.

The rollout dates are hitting right now: the 20x pipeline opens for Class A in August 2026, followed by Class B and Class C pipelines in late August 2026. The strict Class D (High) 20x automated pathways are slated for early 2027.

Why should a storage owner care? Because 20x punishes platforms that rely on an engineer taking manual configuration screenshots once a year. It rewards software-defined architectures that can continuously emit active security telemetry via APIs. When you evaluate object storage today, API-driven compliance telemetry is no longer a nice-to-have bonus; it’s a load-bearing compliance requirement.

On-premises and private-cloud object storage for FedRAMP and FISMA

There is a common assumption that “cloud compliance” means a public hyperscaler. It does not have to. Many agencies and high-assurance providers deliberately choose on-premises, private-cloud, or air-gapped deployments to keep full control of sensitive data, to support Class D (High) workloads, and to avoid over-dependence on a single provider.

Software-defined, S3-compatible object storage makes this practical: teams get cloud-like operations and the widely adopted S3 API behind their own boundary. For a storage owner weighing options, the deployment model is a strategic decision. On-premises and private cloud maximize control and sovereignty; public cloud can reduce operational burden. FedRAMP compliance is achievable in either model as long as the controls above are met and the evidence exists.

A checklist for evaluating object storage in a FedRAMP environment

Use this as a quick screen when you assess a storage platform:

  • [ ] Data-at-rest encryption using a FIPS 140-3 CMVP-validated module (ask for the certificate)
  • [ ] Encryption in transit plus key management integration, rotation, and separation of duties
  • [ ] Role-based access control, multi-factor authentication, and object-level policies
  • [ ] Complete, tamper-resistant audit logs that export to your SIEM
  • [ ] Object lock or WORM immutability, with air-gap or isolation options
  • [ ] Strong durability (for example erasure coding) and multi-site resilience aligned to your RTO and RPO
  • [ ] Explicit control over data residency and operational access
  • [ ] API-driven, machine-readable configuration and telemetry to support FedRAMP 20x Key Security Indicators (KSIs)

Putting it together: a FedRAMP-ready storage strategy

FedRAMP compliant object storage is less about a label and more about fit. Match the certification class to the sensitivity of your data. Insist on a validated cryptographic module, not just a strong algorithm. Build for immutability and multi-site durability so recovery is a security control, not an afterthought. Keep your evidence machine-readable so you are ready for where FedRAMP 20x is heading. And choose your deployment model—on-premises, private cloud, or public—based on how much control and sovereignty the data demands.

The one line worth remembering: object storage is not “FedRAMP certified” on its own. It either helps an agency meet its FISMA and FedRAMP controls, or it lives inside a provider’s authorized boundary. Once you frame it that way, the evaluation gets a lot clearer.

Frequently asked questions

Is object storage FedRAMP certified?

Not on its own. FedRAMP authorizes a cloud service offering and its boundary, not an individual storage product. Storage either helps an agency satisfy its controls or is assessed as part of a provider’s authorized offering.

What FedRAMP certification class do I need for storage?

It depends on the sensitivity of the data, categorized under the Consolidated Rules for 2026. Common small-scale workflows require Class B (Low); core enterprise data and CUI require Class C (Moderate); mission-critical, national security, or law enforcement data requires Class D (High).

Does FedRAMP require FIPS 140-3 encryption?

FedRAMP requires cryptography using a NIST CMVP-validated module. The government is moving from FIPS 140-2 to FIPS 140-3, and 140-2 is no longer accepted for new module submissions after September 2026, so ask about 140-3 validation status specifically.

Can on-premises object storage be FedRAMP compliant?

Yes. Compliance is about meeting the controls and producing the evidence, not about being in a public cloud. On-premises and private-cloud deployments are common for Class D and sovereignty-sensitive workloads.

What is the difference between FedRAMP and FISMA?

FISMA is the law requiring federal systems to be secured, including systems an agency runs itself. FedRAMP is the program for certifying commercial cloud services to agencies, utilizing unified rulesets and machine-readable continuous evaluation.


Further reading (educational): a primer on FIPS 140 validated encryption, an explainer on the NIST Cybersecurity Framework, and how immutable, air-gapped storage supports ransomware resilience. For the current state of the program, see the official FedRAMP 20x page.