When should you choose SaaS?

If the app you want to move to the cloud does not already have a FedRAMP SaaS authorization, it may be slow and expensive to require one.
About FedRAMP SaaS authorization:
- A FedRAMP Authorization typically takes at least 1-2 years
- Authorization typically costs the CSP $2-3 million up front and ~$1 million per year
- The CSP may need you to be their sponsoring Agency, providing initial authorization and ongoing continuous monitoring review
- Many CSPs underestimate the difficulty, cost, or time and fail in their attempt to become authorized

Questions to consider:
- Can you wait 1-2 years or more?
- Who will bear the upfront and ongoing cost?
- Is repeating that wait and that cost for every application acceptable?

App-Specific Controls

Examples of application-level controls not covered by the FPC PaaS:
- Web application vulnerability scanning
- Application patching
- Monthly POA&M for the application
- Annual app scanning and penetration testing by a certified 3PAO

These controls are covered by Project Hosts above the PaaS layer:
- PH performs all of the above for any app deployed for an Agency on the FPC
- These are services performed on your behalf, over and above the PaaS
- All you have to do is verify that the app-specific controls are in place