FAQ

No, using a FedRAMP Authorized infrastructure does not automatically make your service FedRAMP compliant. Each layer (i.e., IaaS, PaaS, and SaaS) must be evaluated on its own and become FedRAMP Authorized. However, when your software sits on a FedRAMP Authorized infrastructure, it will inherit controls from that authorized system, and you can explain this in your documentation.

https://help.fedramp.gov/hc/en-us/articles/27706438906779-If-a-Software-as-a-Service-SaaS-or-Platform-as-a-Service-PaaS-resides-on-a-FedRAMP-Authorized-Infrastructure-as-a-Service-IaaS-does-that-mean-it-is-also-FedRAMP-Authorized