FedRAMP provides certification for platforms like ServiceNow, AWS, Azure, etc. ServiceNow Scoped Apps don’t get certified for FedRAMP. The platform does.
Here is a statement from ServiceNow directly regarding FedRAMP certification of Store apps:
“Customers wishing to use AssetTrack for ServiceNow in their ServiceNow FedRAMP environment need to add the app to their Authority to Operate (ATO). Any app that runs on the instance has to use the ATO to run.
There are two ServiceNow Application Stores — The commercial ‘ServiceNow Store’, and the ‘ServiceNow Federal Store.’
The ServiceNow Federal Store exists on the ServiceNow FedRAMP High Cloud, and is only accessible to Federal employees and Federal contractors with access to the ServiceNow instances running in the FedRAMP High Cloud.
When Our Servicenow and our ISV Partners release applications, the application first goes through a rigorous ServiceNow Store certification process. This process includes a deep security certification process to ensure Servicenow’s extensive security regimen.
Upon completing the ServiceNow Store certification process, the application further goes through a ServiceNow Federal Store review process to ensure it meets ServiceNow FedRAMP requirements.
After completing the ServiceNow Federal Store review, ServiceNow promotes the application to Federal Customer FedRAMP ServiceNow instances. The application is then available for installation in the customer’s environment.
The application is thus residing on the customer’s ServiceNow instance in the FedRAMP Cloud and is part of ServiceNow’s FedRAMP authorization.”
– Dave Cosio
ISV Advisory Solution Architect