top of page

SaaS Authorization

When Should You Choose SaaS?

If the app you want to move to the cloud does not already have a FedRAMP SaaS authorization, it may be slow and expensive to require one.

About FedRAMP SaaS Authorization: 

  • A FedRAMP Authorization typically takes at least 1-2 years

  • Authorization typically costs the CSP $2-3 million up front and ~$1 million per year

  • The CSP may need you to be their sponsoring Agency, providing initial authorization and ongoing continuous monitoring review

  • Many CSPs underestimate the difficulty, cost, or time and fail in their attempt to become authorized

Questions to Consider:

  • Can you wait 1-2 years or more?

  • Who will bear the upfront and ongoing cost?

  • Is repeating that wait and that cost for every application acceptable?

App-Specific Controls

Examples of application-level controls not covered by the FPC PaaS:


  • Web application vulnerability scanning

  • Application patching

  • Monthly POA&M for the application

  • Annual app scanning and penetration testing by a certified 3PAO

But they are covered by Project Hosts above the PaaS

  • PH does all of the above for any app deployed for an Agency on the FPC

  • These are services done on your behalf over and above the PaaS

  • All you have to do is to verify that the app-specific controls are in place

bottom of page