Dynatrace intends to pursue FedRAMP Class D (High) certification, building on its existing FedRAMP Moderate certification established in 2020. For federal agencies managing sensitive, mission-critical workloads, this strategic direction signals a platform that can grow alongside agencies’ evolving security requirements with observability built for the AI age.
IT modernization planning for Federal agencies spans multi-year cycles: platform decisions made at a point in time must sustain through implementation timelines and evolving technologies. A vendor may be certified today, but will their technology still meet an agency’s requirements when a program reaches full operating capability tomorrow?
Federal agencies are modernizing through hybrid cloud transformation and AI adoption while threat actors are using AI to accelerate attack velocity. The pace of change in this environment demands technology that is purpose-built for it—an AI-native platform that can process, analyze, and act on the scale of data that modern environments generate.
At this moment of increased pressure on government agencies, Dynatrace is building its platform to operate across the higher security baselines that evolving federal missions require.
Where does Dynatrace stand today on FedRAMP?
The Dynatrace platform is not a new entrant to the federal market and FedRAMP certification. Dynatrace has held FedRAMP Moderate authorization since 2020 and completed reauthorization in 2024 under NIST SP 800-53 Revision 5, including expanded coverage for Dynatrace Application Security, which is becoming more crucial as attackers increasingly use AI to accelerate threat velocity.
Dynatrace is building the stringent compliance and regulatory requirements of FedRAMP Class D into its newest platform generation first—so that when certification is achieved, agencies get access to the platform’s full capability set. This full-platform compliance posture serves agencies with the most demanding security requirements. Federal agencies across civilian, defense, and intelligence sectors have been running mission-critical workloads on the Dynatrace platform for years—many in air-gapped environments.
What does FedRAMP Class D certification mean, and how does it differ from Class C?
FedRAMP High covers the government’s most sensitive unclassified data—workloads where a compromise could cause severe or catastrophic harm to national security, public safety, or critical infrastructure. Moderate covers systems where the consequences of a breach are serious but not catastrophic. The certification level an agency requires is determined by the sensitivity of the data the system processes, following the FIPS 199 high water mark rule: if any data type in scope qualifies as High impact, the entire system requires FedRAMP High.
The table below summarizes the key control baselines of NIST SP 800-53B, the regulation that governs FedRAMP, and some key differences between the Class C and Class D baselines.
| l | CLASS C (Moderate) | CLASS D (High) | DYNATRACE platform capabilities |
| Real-time threat detection | Automated monitoring tools, detection of unauthorized connections, and system-generated security alerts. | Adds visibility into encrypted traffic, behavioral anomaly detection for insider threats, host-based monitoring at specific components, and automated response to suspicious events. | Dynatrace Intelligence continuously analyzes full-stack telemetry—logs, traces, metrics, and runtime behavior—to surface anomalies and trigger automated responses, satisfying Class D’s behavioral monitoring and automated-action requirements without manual triage. |
| Automated incident response | Documented incident handling procedures and incident monitoring, with no requirement for automation. | Automated incident handling processes and automated tracking with data collection throughout the incident lifecycle (IR-4(1), IR-5(1)). | Dynatrace automates incident detection, root cause analysis, and workflow triggers via ITSM integrations (for ex, ServiceNow, PagerDuty, Jira). This directly satisfies Class D’s requirement that incident handling and tracking be automated, not just documented. |
| Ongoing compliance evidence | A continuous monitoring strategy with organization-defined metrics and frequencies; self-assessed. | All the Class C requirements, plus independent assessors or assessment teams must monitor controls on an ongoing basis. | Dynatrace produces continuous, auditable streams of compliance evidence—configuration states, policy violations, and control effectiveness data—that independent assessors can access directly, reducing the manual reporting burden Class D introduces. |
| Configuration drift detection | Document baseline configurations, monitor for deviations, and identify unauthorized changes. | Automated enforcement of configuration settings and automated remediation of unauthorized changes, with rollback capability and signed-component verification. | Dynatrace automatically inventories all system components, detects configuration changes in real time, and integrates with remediation pipelines to enable the automated enforcement and rollback workflows Class D requires beyond Class C’s document-and-monitor approach. |
For agencies currently running Dynatrace under FedRAMP Moderate, this pursuit is additive—the existing Class C (Moderate) certification remains fully in place. For agencies with workloads that span both baselines, the goal is to support both within a single platform.
What does the timeline for FedRAMP Class D certification look like?
Agency-sponsored certification paths typically run 18 to 36 months from formal initiation, although the exact timeline to complete the process varies for every provider. Announcing intent ahead of formal certification signals the strategic intent and direction Dynatrace is taking and gives agencies the visibility they need to plan.
What distinguishes the Dynatrace approach is sequencing. Rather than pursuing certification on an existing platform and then engineering to meet the boundary, Dynatrace is building the required architecture on its newest platform generation first—so that when certification is achieved, agencies get access to the platform’s full capability set. Dynatrace will communicate clear milestones, including reaching “In Process” status on the FedRAMP marketplace, as they occur.
What does FedRAMP Class D certification mean in practice for agencies?
For agencies evaluating Dynatrace today, the practical implication is continuity. Agencies don’t have to choose between what their current requirements demand and what a future, more sensitive program will require. Dynatrace is building the platform to meet them where they are today and scale with them as their mission security requirements evolve.
The Dynatrace government portfolio is designed around customer- and partner-managed deployments within agency-defined operational boundaries, ensuring data sovereignty and control across all classification levels. The FedRAMP Class D pursuit is intended to extend that compliance posture to the cloud-hosted baseline, making it available in both environments.
The Dynatrace roadmap also extends beyond FedRAMP Class D to include Department of Defense and other evolving government security standards, reinforcing its commitment to the full spectrum of public sector security requirements.
Why does AI-powered observability matter for this mission?
Federal agencies are accelerating hybrid cloud transformation, AI adoption, and modernization at the same time they’re managing increasingly complex security environments. Maintaining operational visibility across all of it—cloud, data center, and air-gapped infrastructure—requires more than monitoring. It requires precise answers, automated remediation, and the ability to understand causality across a full-stack environment in real time.
That’s what Dynatrace brings to the mission: AI-powered, full-stack observability that supports performance and security for every application, every device, and every user, regardless of where they operate. Achieving FedRAMP Class D certification means that capability will be available to agencies handling the government’s most sensitive workloads.
Agencies and partners interested in discussing Dynatrace’s public sector direction can contact their Dynatrace representative or visit dynatrace.com/solutions/industry/public-sector. For the full announcement, read the press release.
FAQ
What is FedRAMP Class D (High), and why do I need it?
FedRAMP Class D is the certification baseline for cloud services that handles the government’s most sensitive, unclassified data. If a breach could cause severe or catastrophic harm—to national security, public safety, or critical infrastructure—Class D certification is a compliance requirement, not a choice.
What is FedRAMP Class C (Moderate)?
FedRAMP Class C is the certification baseline for cloud services that handle Controlled Unclassified Information (CUI) where a breach would cause serious but not catastrophic harm. It’s the most common federal certification, covering the majority of civilian agency cloud use cases. Dynatrace has held this certification since 2020.
What are the differences between FedRAMP Class C and FedRAMP Class D?
The core difference is data sensitivity and consequence. Class C covers systems where a breach causes serious but recoverable harm. Class D covers systems where a breach could be catastrophic—national security, critical infrastructure, emergency services. Class D requires roughly 90 additional controls, with stricter thresholds across authentication, monitoring, and incident response.
Does Dynatrace have FedRAMP Class D certification today?
No. Dynatrace has announced its intent to pursue FedRAMP High authorization. The company currently holds FedRAMP Moderate authorization, achieved in 2020 and reauthorized under NIST SP 800-53 Rev. 5. FedRAMP High authorization is an active engineering and compliance effort, and Dynatrace will communicate milestones as they occur.
Who will benefit from Dynatrace achieving FedRAMP High authorization?
U.S. federal agencies handling the government’s most sensitive unclassified data—including defense, intelligence community, and highly regulated civilian agencies—will be the primary beneficiaries. The authorization will also extend to state and local government agencies, commercial customers working with federal agencies, and global public sector organizations operating in environments that require elevated security and compliance standards.
What’s the typical timeline for achieving FedRAMP High authorization?
Agency-sponsored authorization paths typically run 18 to 36 months from formal initiation. Dynatrace is not committing to a specific completion date but will communicate milestones—including reaching “In Process” status on the FedRAMP marketplace—as they occur.
Does Dynatrace support air-gapped and on-premises deployments?
Yes. Dynatrace supports customer- and partner-managed deployments within agency-defined operational boundaries for the most sensitive missions. The FedRAMP High effort extends this compliance posture to the cloud-hosted baseline—it does not replace existing deployment options.
Looking for answers?
Start a new discussion or ask for help in our Q&A forum.
Go to forum