Before a federal agency can use a cloud application in production, the agency must first grant it an Authority to Operate (ATO). Before granting an ATO, the agency’s security team needs to make sure that the cloud application is FedRAMP compliant.
“FedRAMP compliant” means that all 325 FedRAMP security controls have been implemented for a particular cloud application. Some of the controls are implemented by a Cloud Service Provider (CSP) and some are implemented by the agency themselves. If the agency procures a FedRAMP-authorized Software-as-a-Service (SaaS) offering, then most of the controls are implemented by the CSP, and usually only 5-20% of the controls are left to the agency. If the agency procures a FedRAMP-authorized Infrastructure- or Platform-as-a-Service offering (IaaS or PaaS) and deploys an application on it (by far the most common approach), the agency is responsible for implementing and maintaining the 60-80% of the controls that are above the IaaS or PaaS level.
Federal Agency Problem
Agencies would like to reduce the work of their security teams both initially and for ongoing compliance, so they would prefer to procure SaaS solutions. Unfortunately, only a small percentage of applications used by the federal government have achieved FedRAMP SaaS authorization; the process takes years and millions of dollars. So for most application functionality, federal agencies are left with no other option than to deploy the application they need on a DISA-authorized IaaS or PaaS and to dedicate resources to implement and maintain the 60-80% of security controls that are at the application level.
Project Hosts Solutions
Project Hosts has two solutions to address this problem.
Project Hosts has developed a General Support System (GSS) PaaS on top of Microsoft Azure that handles 80% of the controls for any application deployed on Azure that ties into the GSS. The Project Hosts PaaS has been FedRAMP authorized and has more than a dozen agency ATOs, so a new agency wanting to use it can have confidence that its control implementations have been well vetted. But Project Hosts takes it a step further. When an agency (or a software vendor chosen by the agency – Azure ISV Solutions for US Government Customers) works with Project Hosts to deploy an application on Azure and tie it into the GSS, Project Hosts also implements and manages the application-level controls above the GSS, taking that burden off the agency. To show the agency’s security department how the controls are implemented, Project Hosts creates an application-level System Security Plan (SSP) and provides documented evidence of control implementation. The GSS allows an agency to be up and running in 2-3 months using any application they want in the cloud with all of the evidence and documentation they require to grant it an ATO.
FedRAMP SaaS Authorization
Project Hosts has developed a turnkey process for software vendors and CSPs that allows them to get a FedRAMP SaaS authorization for their solution in about 6 months. We become the CSP’s outsourced cloud management and compliance department, tying an Azure deployment of their solution into our GSS so that they immediately inherit 80% compliance, then putting in place and documenting the remaining application-level controls. We help the CSP obtain an agency FedRAMP sponsor, contract with 3PAO assessors to audit the CSP solution, and manage the whole authorization and FedRAMP validation process. In 6 months, the CSPs SaaS solution is authorized and listed on FedRAMP.gov. And the whole process is far less expensive than do-it-yourself alternatives due to (i) 3PAO-tested documentation templates, (ii) highly discounted 3PAO pricing since they do so many audits with us, (iii) a very expedited FedRAMP process – the FedRAMP PMO says that Project Hosts’ solutions get the fastest validations. That is why the Project Hosts process is the turnkey solution that has generated by far the most authorized SaaS solutions on FedRAMP.gov.