FedRAMP Compliance

What does it take to become FedRAMP Certified?  Well that is a trick question since there is no “certification” per se for FedRAMP.  Instead, a Cloud Service Offering (CSO) can become “FedRAMP Authorized”.  That label lets Federal agencies know that (i) a CSO has been assessed by a third party auditor (3PAO) for compliance with FedRAMP controls, (ii) a Federal agency (or the JAB) was satisfied with the 3PAO audit report (the “SAR”) and has granted an “Authority to Operate” (ATO), and (iii) the CSO has also been validated by the FedRAMP PMO group inside of GSA.

Project Hosts’ “Federal Private Cloud” (FPC) Platform-as-a-Service (PaaS) offering on top of Microsoft Azure has passed all of these hurdles and become FedRAMP authorized.  The FPC PaaS makes it much easier for an agency to ensure that an application deployed in Azure is FedRAMP compliant.  If an agency were to deploy an application directly on Azure (or some other IaaS/PaaS like AWS, Google, etc.), that application would “inherit” from Azure compliance for ~20% of the FedRAMP controls.  It would be up to the agency to ensure that measures have been put in place that ensure compliance for the remaining 80% of the controls.  But the FedRAMP authorization of the FPC PaaS on Azure covers 80% of all of the FedRAMP controls, dramatically increasing the compliance inheritance.  Also, when an application is deployed on the FPC PaaS, Project Hosts provides agencies with an application-level SSP that describes the application-specific measures that Project Hosts has put in place for the last 20% required to ensure complete FedRAMP compliance of the application.