What's The Difference Between FedRAMP IaaS, PaaS and SaaS COMPLIANCE?

Understanding the differences between IaaS, PaaS and SaaS FedRAMP compliant environments is a critical factor when choosing a Cloud Service Provider (CSP) and selling your application solution to federal and state government agencies. Simply deploying your application on the Azure IaaS/PaaS compliant platform does not make it SaaS-compliant.

For FedRAMP Moderate compliance, 325 controls in 17 families must be in place, and many of these controls have multiple parts to them. Simply moving to Microsoft Azure, however, does not provide full FedRAMP compliance. In moving to Azure, three (of the 17) entire control families are fully covered: Physical Environment, Media Protection, and Maintenance. But in the remaining 14 families, there are a significant number of controls that are the ISVs responsibility to implement. Microsoft has developed a document called “Azure Blueprint Customer Responsibility Matrix (CRM)” that it makes available to its customers. In that document, it clarifies that for Azure customers of IaaS services (virtual servers, storage, etc.), 94 of the 325 FedRAMP Moderate controls are fully satisfied by Azure, but for the remaining 231 controls, the customer is responsible for implementation of some, or all, of the control.

SaaS vs PaaS vs IaaS for FedRAMP Compliance