Authr + FedRAMP: our public-sector roadmap

As of this week, Authr is formally designated In Process for FedRAMP Moderate authorization, sponsored by a federal agency customer, with our authorization package in active assessment by an accredited 3PAO. This post explains what that means in practice, because FedRAMP announcements are a genre prone to fog, and fog is not how we do security communications.
What In Process actually means
In Process is not an authorization. It means an agency has agreed to sponsor us, our system security plan covering all 323 Moderate baseline controls has been accepted for assessment, and we are listed on the FedRAMP Marketplace while the work proceeds. Federal agencies cannot yet deploy Authr under FedRAMP. What they can do is evaluate us with the confidence that the process has a sponsor, a scope, and a timeline, not just a press release.
Scope and architecture
The authorization boundary is a dedicated US instance of the Authr platform: Universal SSO, Directory Sync, Adaptive MFA, Fine-Grained Authorization, and Audit Fabric, operated in isolated US regions by a screened US-persons operations team. It shares our codebase and our release engineering, but nothing else: separate key hierarchies, separate signing infrastructure, separate support tooling. We considered carving out a thinner product subset to move faster and rejected it. An SSO product without directory sync and audit is not a smaller offering, it is a different and worse one, and agencies deserve the platform our commercial customers get.
- December 2024: In Process designation, assessment underway.
- 2025: 3PAO assessment, remediation, and continuous monitoring dry runs; our SOC 2 Type II and ISO 27001 programs already cover a substantial majority of the control overlap.
- Authorization: when the process completes. We will not commit publicly to a quarter, because every vendor who does ends up negotiating with reality in public.
What existing customers get out of this
Even if you will never touch the federal instance, this program raises the floor everywhere. Continuous monitoring discipline, monthly vulnerability reporting on a fixed clock, and configuration baselines hardened for the Moderate baseline all feed back into the commercial platform, because we refuse to maintain two security standards. Compliance frameworks do not make products secure. Engineering does. But a rigorous external assessment regime is a forcing function, and we intend to extract every ounce of value from it.
If you are a federal agency or a systems integrator with identity requirements, our public-sector team is ready to share the detailed control mapping under NDA. Book a demo through the usual channel and mention FedRAMP; you will get the unvarnished status, which is the only kind we keep.
Writing from inside the identity layer since 2024. For the conversation this post starts, bring it to your next architecture review — or to ours.
