The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government security authorization program. FedRAMP provides standardized assurance for governance and risk by ensuring that our platform processes are managed in a secure, validated manner.
Currently, we maintain a FedRAMP Authority to Operate (ATO) at the Moderate level for customers with KSAT and PhishER subscriptions. This authorization level covers many of the security and privacy controls required in similar standards or frameworks, such as CMMC, TxRAMP, StateRAMP, NIST 800-171 as FedRAMP is based on NIST 800-53 Rev5. We have maintained this authorization for years.
What's Changing?
Starting July 16, 2026, we are changing how our FedRAMP customers authenticate to the platform. This change ensures that FedRAMP-authorized customers are using a FedRAMP Moderate-authorized provider for authentication. This change does not impact the security of the product for any customer. This required change comes at an additional cost and is shown as a dedicated line item in your contract. These costs reflect the added controls you receive with authorization, including annual 3PAO assessments and significant change requests.
Does My Organization Need a FedRAMP-Authorized Environment?
If your organization operates in a regulated environment or requires a specific compliance baseline (for example, TxRAMP or CMMC), we recommend reviewing your account type before your next renewal. If you are still unsure of your status, you can contact your Customer Success Manager or Account Manager for a dedicated compliance review.
Federal or State Accounts
If your organization is a federal or state agency, FedRAMP authorization is a non-negotiable requirement for cloud services. Federal contractors are also held to these same standards. The FedRAMP authorization is required to:
- Stay in compliance with mandatory federal cloud security requirements.
Commercial Accounts
If your organization is a commercial entity that does not require compliance with FedRAMP or similar, you don’t need the FedRAMP authorization.
What's Next?
Starting July 16, 2026, you must declare your FedRAMP status when you create a new business account. If you have an existing subscription, your account will not be affected until your subscription expires, but you must make a decision about FedRAMP status before your account renewal date. If we do not hear from you about your FedRAMP status, your Customer Success Manager will contact you as your renewal date approaches.
You can confirm your FedRAMP status by responding to the prompt in your KnowBe4 console, which will go out to select customers starting July 16. If you have any questions regarding your FedRAMP status, please reach out to your Customer Success Manager.
Frequently Asked Questions (FAQ)
- What's the difference between FedRAMP and our other compliance certifications?
- Does FedRAMP help with CMMC compliance?
- Which products are covered by the FedRAMP authorization?
- Can I get the FedRAMP authorization for PhishER alone?
- Why is there a separate charge for FedRAMP now?
- When does FedRAMP pricing go into effect?
- Can I opt out and use the non-FedRAMP version?
1. What's the difference between FedRAMP and our other compliance certifications?
FedRAMP is more stringent than both. The NIST SP 800-53 Rev 5 Moderate baseline, with over 325 controls. FedRAMP also requires continuous monitoring, including monthly scans and annual 3PAO assessments.
2. Does FedRAMP help with CMMC compliance?
Yes. Cybersecurity Maturity Model Certification (CMMC) requires that cloud services used by Defense Industrial Base contractors handling Controlled Unclassified Information (CUI) meet the FedRAMP Moderate baseline, or equivalent. You can use our FedRAMP-authorized products to meet this specific requirement.
3. Which products are covered by the FedRAMP authorization?
The FedRAMP (Rev5) Moderate ATO includes the following in-scope: KSAT Learning Management System and all included training content (ModStore, Compliance Plus), KSAT Simulated Phishing Platform, PhishER / PhishER Plus, Phish Alert Button, SecurityCoach (SCH) and AI Defense Agents (AIDA) (excluding AIDA Deepfakes).
KnowBe4 products currently excluded from scope: Free Tools (SecondChance, RanSim, Password Exposure Test, Weak Password Test, Breached Password Test, Browser Password Inspector), AIDA Deepfakes, KCES (KnowBe4 Cloud Email Security of Defend / Prevent), Protect, Workspace and Webform.
4. Can I get the FedRAMP authorization for PhishER alone?
Yes. You can purchase the FedRAMP requirement if you only have PhishER. If you have both KSAT and PhishER, purchasing FedRAMP for the KSAT licenses covers PhishER. For more information, contact your Customer Success Manager.
5. Why is there a separate charge for FedRAMP now?
We have been carrying FedRAMP compliance costs for years. The FedRAMP authorization formalizes those costs so we can continue to offer this service and also helps us to clearly track which of our customers require the authorized environment.
6. When does FedRAMP pricing go into effect?
FedRAMP pricing will be discussed at renewal and will only be applied if you opt in to the FedRAMP-authorized environment. Existing customers are not charged for FedRAMP during their current contract term.
7. Can I opt out and use the non-FedRAMP version?
Yes. The FedRAMP authorization is for customers who have a specific requirement to use FedRAMP-authorized cloud services and for customers who are FedRAMP compliant. Customers without that requirement can continue using the standard platform and subscription levels.