MKTotherstable

Marketplace Listing

The Marketplace Listing rules define how FedRAMP decides which cloud service offerings, assessors, and advisors may be listed in the FedRAMP Marketplace. These rules help agencies and other customers rely on the Marketplace as a consistent source of eligible services and supporting organizations, while requiring listed organizations to supply accurate, accessible, and machine-readable information.

Effective dates

Obtain by: 2026-07-04
Maintain by: 2026-07-04
Optional adoption: 2026-07-04
Grace period: 2026-07-04

FedRAMP Responsibilities General Provider Responsibilities General Assessor Responsibilities General Advisor Responsibilities Provider Responsibilities for Initial Implementation Phase Listings

FedRAMP ResponsibilitiesFRP

1 rules

These rules apply to FedRAMP activities related to the FedRAMP Marketplace.

Types20xRev5

PathsProgramAgency

ClassesABCD

AffectsFedRAMP

MKT-FRP-SOF

Scope of FedRAMP

MUST NOT

FedRAMP MUST NOT list cloud service offerings in the Marketplace or perform any FedRAMP Certification activities unless it determines the cloud service offering is within the scope of FedRAMP.

References

Scope of FedRAMP ↗

TermsCloud Service Offering

General Provider ResponsibilitiesCSO

2 rules

These rules apply to providers seeking a listing in the FedRAMP Marketplace.

Types20xRev5

PathsProgramAgency

ClassesABCD

AffectsProviders

MKT-CSO-MLR

Marketplace Listing Requirements

MUST

Providers MUST address at least these FedRAMP rules to apply for a new FedRAMP Marketplace listing OR to request updates to an existing listing:

Certification Data Sharing: CDS-CSO-PUB (Public Information)

RelatedCDS-CSO-PUB

TermsCertification Data Provider

MKT-CSO-PML

Provider Marketplace Listing Requests

MUST

Providers MUST notify FedRAMP using the FedRAMP Marketplace Providing Listing Request Form to request a listing in the FedRAMP Marketplace.

FedRAMP does not accept applications for a FedRAMP Marketplace Listing via email!

References

FedRAMP Marketplace Provider Listing Request Form ↗

TermsProvider

General Assessor ResponsibilitiesIAS

3 rules

These rules apply to independent assessment services seeking a listing in the FedRAMP Marketplace.

AffectsAssessors

MKT-IAS-LRQ

Listing Requests for Assessors

MUST

Assessors MUST complete the Assessor Listing Request Form to request listing in the FedRAMP Marketplace.

References

[For Assessors/Advisors] Marketplace Listing Form ↗

TermsAssessor

MKT-IAS-OFR

Only FedRAMP Recognized Assessors

MUST

Assessors MUST obtain and maintain FedRAMP Recognition to be listed in the FedRAMP Marketplace.

TermsAssessor FedRAMP Recognized

MKT-IAS-WEB

Website Requirements for Assessors

MUST

Assessors MUST have an appropriate web site that publicly supplies at least the following information in human-readable and JSON formats:

General description of the independent assessment service
Contact information
Types of independent services offered
Optional: Positive attestations from customers or customer references

Required Artifacts

URL to the human-readable data.
URL to the machine-readable data.

References

FedRAMP Assessor Information Schema ↗

TermsAssessor

General Advisor ResponsibilitiesCAS

3 rules

These rules apply to consulting and advisory services seeking a listing in the FedRAMP Marketplace.

AffectsAdvisors

MKT-CAS-LRQ

Listing Requests for Advisors

MUST

Advisors MUST complete the Advisor Listing Request Form to request listing in the FedRAMP Marketplace.

References

[For Assessors/Advisors] Marketplace Listing Form ↗

TermsAdvisor

MKT-CAS-RFR

Advisor Responses to FedRAMP

MUST

Advisors MUST reply to all requests from @fedramp.gov or @gsa.gov email addresses sent to the contact information provided in their advisor listing within 5 business days.

Corrective Actions

If an advisor fails to respond to a request within 5 business days, FedRAMP will send a follow-up email.
If an advisor fails to respond to the follow-up email within 5 business days, FedRAMP will remove their listing from the Marketplace.
Advisors removed from the Marketplace for failure to respond to FedRAMP will not be eligible for listing for at least 6 months unless there are extenuating circumstances.

TermsAdvisor

MKT-CAS-WEB

Website Requirements for Advisors

MUST

Advisors MUST have an appropriate web site that publicly supplies at least the following information in consistent machine-readable and human-readable formats:

General description of the consulting or advisory service
Contact information
Types of consulting or advisory services offered
Optional: Positive attestations from customers or customer references

Required Artifacts

URL to the human-readable data.
URL to the machine-readable data.

References

FedRAMP Advisory Service Information Schema ↗

TermsAdvisor Machine-Readable

Provider Responsibilities for Initial Implementation Phase ListingsIIP

3 rules

FedRAMP allows cloud service providers that are actively preparing to obtain a FedRAMP Certification to apply for listing in the FedRAMP Marketplace. All cloud service providers must obtain a Initial Implementation Phase Marketplace Listing before they can apply for FedRAMP Certification. These rules apply to providers seeking a Initial Implementation Phase listing in the FedRAMP Marketplace.

Types20xRev5

PathsProgramAgency

AffectsProviders

MKT-IIP-AGU

Agency Use Cases

MUST

Providers MUST demonstrate that a cloud service offering is intended for one of the following use cases:

Direct Use: The product will be used directly by agency customers for integration into a federal information system that falls within the scope of 44 USC § 3506 and will receive an agency Authorization to Operate.
Indirect Use: The product will be included as a third-party information resource in other cloud service offerings that are directly used by agency customers.

FedRAMP will not list products or services that are outside the explicit statutory scope of FedRAMP; See MKT-FRP-SOF (Scope of FedRAMP).
Services used by private companies to meet other compliance requirements (such as CMMC) that do not also meet one of the above use cases are outside the scope of FedRAMP.

RelatedMKT-FRP-SOF

TermsAgency Cloud Service Offering Information Resource Provider Third-Party Information Resource

MKT-IIP-DCP

Demonstrating Continuous Progress

MUST

Providers MUST demonstrate continuous progress towards a FedRAMP Certification, documented in their Trust Center or website and updated at least quarterly; progress is measured by the provider against documented goals and milestones.

This is an opportunity for a business to showcase its goals and progress, and should be seen as a marketing and customer experience challenge instead of a compliance challenge.

TermsProvider Trust Center

MKT-IIP-DLA

Deadline for Assessment

MUST

Providers MUST demonstrate that an assessment for a FedRAMP Certification Class B, C, or D has been scheduled within 2 years of initial listing in the Initial Implementation Phase.

Corrective Actions

If a provider fails to schedule an assessment for a FedRAMP Certification Class B, C, or D within 2 years of initial listing in the Initial Implementation Phase, FedRAMP will remove their listing from the Marketplace until they provide evidence of a scheduled assessment.

TermsCertification Class Provider