[otterley]

There's a whole body of regulation around service providers to the U.S. Government making it an effective requirement to use this stuff, starting with the FedRAMP Authorization Act (https://www.congress.gov/117/bills/hr7776/BILLS-117hr7776enr...).

See also Section 4.2.4 of the FedRAMP Moderate Readiness Assessment Report (RAR) which can be found here: https://www.fedramp.gov/documents-templates/ as an example.

You cannot obtain an Authorization To Operate (ATO) unless you've satisfied the Assessor that you're in compliance.