What's The Difference Between FedRAMP IaaS, PaaS and SaaS COMPLIANCE?

Understanding the differences between IaaS, PaaS and SaaS FedRAMP compliant environments is a critical factor when choosing a Cloud Service Provider (CSP) and selling your application solution to federal and state government agencies. Simply deploying your application on the Azure IaaS/PaaS compliant platform does not make it SaaS-compliant.

For FedRAMP compliance, 325 controls in 17 families must be in place, and many of these controls have multiple parts to them. Simply moving to Microsoft Azure, however, does not provide full FedRAMP compliance. In moving to Azure, three (of the 17) entire control families are fully covered: Physical Environment, Media Protection, and Maintenance. But in the remaining 14 families, there are a significant number of controls that are the ISVs responsibility to implement.