FedRAMP Authorized in 8 Months or Less
What does it take to become FedRAMP Authorized? A FedRAMP Authorization lets Federal agencies know that:
(i) a CSO has been assessed by a third-party auditor (3PAO) for compliance with FedRAMP controls,
(ii) a Federal agency (or the JAB) was satisfied with the 3PAO audit report (the “SAR”) and has granted an “Authority to Operate” (ATO), and
(iii) the CSO has also been validated by the FedRAMP PMO group inside of GSA.
Project Hosts’ “FasTrack” Platform-as-a-Service (PaaS) offering on top of Microsoft Azure has passed all of these hurdles to become FedRAMP authorized. The FasTrack platform makes it much easier for an agency to ensure that an application deployed in Azure is FedRAMP compliant. If an agency were to deploy an application directly on Azure (or some other IaaS/PaaS like AWS, Google, etc.), that application would “inherit” compliance from Azure for ~20% of the FedRAMP controls. It would be up to the agency to put measures in place that ensure compliance for the remaining 80% of the controls. But the FedRAMP authorization of the FasTrack platform on Azure covers 80% of all of the FedRAMP controls, dramatically increasing the compliance inheritance. Also, when an application is deployed on the FasTrack platform, Project Hosts provides agencies with an application-level SSP that describes the application-specific measures that Project Hosts has put in place for the last 20% required to ensure complete FedRAMP compliance of the application.