FedRAMP
SaaS Authorization
When Should You Choose SaaS?
If the application you want to move to the cloud does not already hold a FedRAMP SaaS authorization, requiring one can be slow and expensive.
About FedRAMP SaaS Authorization:
- A FedRAMP authorization typically takes at least 1-2 years
- Authorization typically costs the CSP $2-3 million up front and about $1 million per year
- The CSP may need you to be their sponsoring Agency, providing the initial authorization and ongoing continuous monitoring review
- Many CSPs underestimate the difficulty, cost, or time and fail in their attempt to become authorized
Questions to Consider:
- Can you wait 1-2 years or more?
- Who will bear the upfront and ongoing cost?
- Is repeating that wait and that cost for every application acceptable?
App-Specific Controls
Examples of application-level controls not covered by the FPC PaaS:
- Web application vulnerability scanning
- Application patching
- Monthly POA&M (Plan of Action and Milestones) for the application
- Annual application scanning and penetration testing by a certified 3PAO (Third Party Assessment Organization)
These controls are covered by Project Hosts above the PaaS:
- PH performs all of the above for any application deployed for an Agency on the FPC
- These are services performed on your behalf, over and above the PaaS
- All you have to do is verify that the app-specific controls are in place