Once you have achieved a FedRAMP authorization for your SaaS solution, your ongoing challenge is to maintain that authorization through continuous monitoring activities.
The Expensive and Risky Path
If you go through the authorization process with a consultant, you will need to deploy a collection of third-party tools that they recommend. These tools manage key aspects of FedRAMP compliance such as authentication, access control, scanning, patching, logging, change control, incident response, disaster recovery, and POA&M management. Either your people have to become experts on these tools (including ensuring compatibility with your solution as the tools constantly update), or you can hire the consultant for ongoing services to manage them for you. If you choose the latter, there will inevitably be conflicts: although they are experts in the tools, they are not experts in your SaaS solution or in how the tools integrate with it. These conflicts inevitably lead to unexpected expenses, delays, and even downtime. On top of this, your sponsoring agency and the FedRAMP PMO will be constantly changing their requirements (making them more and more strict, if history is any guide). Your full solution – your SaaS integrated with these third-party tools – will have to adapt to those changes. You may be presented with unexpected requirements that force you to redevelop your solution quickly or lose your authorization. But the required redevelopment may cause problems for your customers. The problems escalate …
With Project Hosts, all of the tools that manage the compliance of your SaaS solution are incorporated into the FedRAMP-authorized PaaS that is fully managed by us. What’s more, during our initial onboarding process, our application experts become very familiar with your SaaS solution, so they have a holistic view of the entire solution that includes both the PaaS and your SaaS. We manage the authentication, access control, scanning, patching, logging, change control, incident response, disaster recovery, and POA&M in a holistic fashion, eliminating surprises. Since we are managing so many FedRAMP-authorized SaaS solutions, we appear before agencies and the FedRAMP PMO all the time, so we have early warning of their new, emerging “hot buttons” and the changes they will soon be requiring of cloud solution providers. We not only give you early warning of these upcoming changes, we often suggest accepted alternative implementations that allow you to avoid new development while still satisfying the new compliance standard. With the FasTrack, your continuous monitoring is free of surprises, so you can focus instead on making your solution better and meeting customer needs.