Getting Your App FedRAMP Compliant At The SaaS-level

By partnering with Project Hosts, Microsoft ISVs can deliver their Windows (and Linux) applications as a FedRAMP authorized cloud service much faster, and more affordably than doing it on their own.

On Your Own: 1-2 Years, $1-2 Million

If you are considering getting your applications FedRAMP authorized, you are facing a long and an expensive process. Having been through this process ourselves, and by working with more than 17 ISVs, we know that the FedRAMP process can take you anywhere from 1 to 2 years, and cost upwards of 1 million to 2 million dollars if you do it yourself. For example, for you to get a FedRAMP Moderate authorization you’ll need to:

  • Hire or contract FedRAMP experts for the entire process
  • Implement the balance of 231 security controls that are not implemented at the software level by Azure (Azure IaaS/PaaS covers 94/130 out of a total of 325 FedRAMP Moderate controls)
  • Undergo a FedRAMP Readiness Assessment
  • Secure a US Government Agency Sponsor (or the JAB)
  • Develop all the documentation (typically more than 800 Pages) to be approved by Agency (or the JAB) Contract for a 3PAO Assessment
  • Secure the US Government Agency authorization (ATO)

 

With Us: A Much Faster and Affordable Option

You can dramatically reduce the time and expense of delivering your application from a FedRAMP authorized cloud by working with Project Hosts.

  • We’ll perform all the steps necessary to ensure that your application is approved to run in a FedRAMP authorized cloud at all levels: Moderate, High and DoD CC SRG IL 4/5.
  • We get ISV applications implemented, documented, and assessed in a FedRAMP authorized cloud within 2 months, and at a fraction of the cost of doing it on your own.

Highlights

  • Sell To U.S. Government Agencies Faster

    Microsoft ISVs who want to sell their application as cloud service to U.S. federal and state government agencies must meet the FedRAMP program standards at the SaaS level.

  • Leverage our GSA Contract

    We can add your application to our existing GSA contract making it easier for agencies to purchase your solution.

  • Moderate / High / DOD CC SRG IL 4/5

    By working with Project Hosts, your applications will be available as a service in a FedRAMP authorized cloud for all agencies: Civilian and Defense.

  • Hosted in Microsoft Azure Gov

    Your application will be hosted and managed in Microsoft Azure an advanced, reliable, available, scalable and secure cloud platform.

  • A Microsoft Sponsored ISV Program

    “This program utilizes Project Hosts’ FedRAMP SaaS-compliant status and expertise in Azure and can significantly reduce the expenseit would take ISVs to secure FedRAMP SaaS compliancy on their own,” Michael Batt, Directo Government Cloud Partner Programs, Microsoft Corp

Program Details

The ISV FedRAMP program ensures that your application is 100% FedRAMP compliant and available from a FedRAMP SaaSlevel authorized cloud. Throughout this process, we work with our assessor (a certified 3PAO) and the FedRAMP Project Management Office to ensure all necessary tests and activities are performed correctly. A summary of this process is:

1. ISV provides us with a high-level architecture describing how their application is typically deployed.
2. We determine whether adding the application to our Federal Private Cloud would be considered a minor change or a major change. Major changes require a partial re-assessment by the 3PAO.
3. We have the ISV sign an agreement that satisfies the required FedRAMP System and Services Acquisition (SA) controls.
4. We deploy the ISV’s App(s) onto virtual server(s) in our FedRAMP test environment.
5. We run vulnerability scans on the test environment at the OS, Database and Applications level.
6. We report findings to the ISV and work with them to correct any issues; if any are found.
7. We ensure the overall environment meets all of the security controls as required by FedRAMP rev4 SaaS-Level Compliance; examples include ensuring FIPS compliance, implementing executable whitelist restrictions, configuring log correlation, and more.
8. We follow our Configuration Change Control process to include the ISV’s App in our FedRAMP-compliant System Security Plan and associated documents.
9. The ISVs software is included in each annual assessment by our FedRAMP-certified 3PAO.
10. We work with ISV to create an announcement they can use and get it
approved by the Director of FedRAMP.