IRAP vs FedRAMP: What’s the Difference and Which Do You Need?

IRAP and FedRAMP are the cloud security regimes of two different governments. IRAP assesses a system against the Australian Information Security Manual for Australian government use. FedRAMP authorises cloud services against NIST 800-53 for United States federal use. Neither replaces the other. Sell to both governments and you need both.

What is the difference between IRAP and FedRAMP?

They solve the same problem for different governments. IRAP, the Infosec Registered Assessors Program, is how the Australian Signals Directorate has cloud and SaaS systems assessed against its own controls. FedRAMP, the Federal Risk and Authorization Management Program, does the same job for United States federal agencies and is run from the General Services Administration. FedRAMP was codified by the FedRAMP Authorization Act in December 2022; IRAP sits under the Protective Security Policy Framework and the ISM.

They are not competing standards you pick on merit. The buyer decides which one applies. An Australian agency will not accept a FedRAMP authorisation in place of IRAP, and a US federal agency will not accept an IRAP report. For the IRAP side of the picture, start with the pieces on what an IRAP assessment is and the complete IRAP guide.

What does each one assess against?

Different rulebooks. An IRAP assessor measures a system against the Information Security Manual, the ASD control catalogue, and the classification is set under the PSPF: OFFICIAL: Sensitive, PROTECTED or SECRET. FedRAMP measures against NIST Special Publication 800-53, and its sensitivity model is the three FIPS 199 impact levels, Low, Moderate and High.

The two catalogues trace to similar control families, but they are written by different authorities, numbered differently and tailored to different threat models. FedRAMP moved to 800-53 Rev 5 on 30 May 2023; a Moderate baseline carries roughly 320 controls and a High baseline roughly 410 (indicative figures; they shift with each revision). The ISM holds many hundreds of controls across its guidelines and updates through the year. A control that satisfies the ISM is not automatically an 800-53 control, and the reverse holds too.

Who runs the assessment, and what do you get?

An independent assessor either way, but not the same one. IRAP work is done by an ASD endorsed IRAP assessor. FedRAMP work is done by a Third Party Assessment Organization, a 3PAO accredited by the American Association for Laboratory Accreditation. Here is the part both programmes share and most vendors get wrong: neither ends in a certification. Neither has a pass mark.

IRAP produces an assessment report and a control matrix; the consuming agency’s authorising officer then decides whether to accept the residual risk under PSPF requirement 0086. FedRAMP produces a Security Assessment Report and a federal agency issues an Authority to Operate. In both, an official accepts risk. A label like “IRAP certified” or “FedRAMP certified” is a misread. The point is covered in more detail under “Is IRAP a certification?”.

Which one do you actually need?

Follow the customer and the data, not the logo. If you sell cloud or SaaS to the Australian government and the system will hold information at OFFICIAL: Sensitive or above, you need IRAP; PSPF Table 21 and requirement 0109 are the trigger. If you sell to US federal agencies, you need FedRAMP. If you sell to both, you need both, run as two separate exercises. Size does not decide it. The buyer does.

How this lands for software vendors specifically is set out in “IRAP for SaaS and cloud providers” and “Do you need an IRAP assessment?”. If an IRAP assessment is on your roadmap, Cybernion runs independent IRAP assessments.

Can you reuse evidence across IRAP and FedRAMP?

Partly. The technical control families overlap, so artefacts such as architecture documentation, access control evidence, logging configuration and vulnerability management records can often be reused across both. What does not transfer is the authorisation. There is no reciprocity between FedRAMP and IRAP. A FedRAMP authorisation does not shorten the ISM assessment, and an IRAP report carries no weight with a US agency. Treat shared evidence as a head start on documentation, not as a credit against the other programme’s controls.

What is changing in each programme?

Both are moving. On the US side, FedRAMP replaced the Joint Authorization Board with a FedRAMP Board in May 2024 and collapsed its old dual track into a single FedRAMP Authorized designation from August 2024. FedRAMP 20x, the first major overhaul in over a decade, is rolling out automated, continuous validation built on Key Security Indicators; the Low standard was published on 29 August 2025 and the Moderate standard was expected in December 2025.

On the Australian side, the ISM is on a steady update cycle. Its principles were restructured into six functions in March 2026, aligning with the NIST Cyber Security Framework, and the June 2026 release added AI application controls. Check the current position before you scope either. Both are live, not fixed.

IRAP vs FedRAMP at a glance

| | IRAP (Australia) | FedRAMP (United States) |
|---|---|---|
| Purpose | Assess cloud and SaaS for Australian government use | Authorise cloud services for US federal use |
| Run by | Australian Signals Directorate | General Services Administration |
| Control basis | Information Security Manual (ISM) | NIST SP 800-53 (Rev 5) |
| Sensitivity model | OFFICIAL: Sensitive, PROTECTED, SECRET (PSPF) | Low, Moderate, High (FIPS 199) |
| Independent assessor | ASD endorsed IRAP assessor | 3PAO (A2LA accredited) |
| Outcome | Report plus control matrix; agency authorising officer decides | Security Assessment Report; agency issues an ATO |
| Certification? | No, no pass mark | No, no pass mark |
| Staying current | Reassess within 24 months (PSPF 0109) | Continuous monitoring (ConMon) |

Frequently asked questions about IRAP and FedRAMP

Is FedRAMP recognised in Australia?

No. The Australian government requires an IRAP assessment against the ISM for its cloud and SaaS systems. FedRAMP is the United States federal programme and carries no formal standing with an Australian agency.

Is either IRAP or FedRAMP a certification?

Neither is. Both end in a government risk decision rather than a certificate or a pass mark. An IRAP report feeds an authorising officer decision; a FedRAMP assessment feeds an agency Authority to Operate.

Does a FedRAMP authorisation help with IRAP?

It gives you a documentation head start because the technical control families overlap, but it is not a shortcut. The ISM assessment is separate, and there is no reciprocity between the two programmes.

Which should an Australian SaaS company pursue first?

Whichever your buyer requires. If your customers are Australian government agencies holding OFFICIAL: Sensitive data or above, IRAP comes first. If they are US federal agencies, FedRAMP does.

Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.


Sources:

  1. Information Security Manual, ASD, June 2026
  2. Cloud assessment and authorisation, ASD, 2026
  3. Protective Security Policy Framework (Table 21, requirement 0109), 2024 release
  4. Moving to One FedRAMP Authorization, FedRAMP, 12 August 2024
  5. FedRAMP Board launched, GSA, 14 May 2024
  6. NIST SP 800-53 Rev 5, NIST, 2023

Last updated: 21 June, 2026