Getting Your App FedRAMP Compliant At The SaaS-level
By partnering with Project Hosts, Microsoft ISVs can deliver their Windows (and Linux) applications as a FedRAMP authorized cloud service much faster, and more affordably than doing it on their own.
On Your Own: 1-2 Years, $1-2 Million
If you are considering getting your applications FedRAMP authorized, you are facing a long and an expensive process. Having been through this process ourselves, and by working with more than 17 ISVs, we know that the FedRAMP process can take you anywhere from 1 to 2 years, and cost upwards of 1 million to 2 million dollars if you do it yourself. For example, for you to get a FedRAMP Moderate authorization you’ll need to:
- Hire or contract FedRAMP experts for the entire process
- Implement the balance of 231 security controls that are not implemented at the software level by Azure (Azure IaaS/PaaS covers 94/130 out of a total of 325 FedRAMP Moderate controls)
- Undergo a FedRAMP Readiness Assessment
- Secure a US Government Agency Sponsor (or the JAB)
- Develop all the documentation (typically more than 800 Pages) to be approved by Agency (or the JAB) Contract for a 3PAO Assessment
- Secure the US Government Agency authorization (ATO)
With Us: A Much Faster and Affordable Option
You can dramatically reduce the time and expense of delivering your application from a FedRAMP authorized cloud by working with Project Hosts.
- We’ll perform all the steps necessary to ensure that your application is approved to run in a FedRAMP authorized cloud at all levels: Moderate, High and DoD CC SRG IL 4/5.
- We get ISV applications implemented, documented, and assessed in a FedRAMP authorized cloud within 2 months, and at a fraction of the cost of doing it on your own.
2. We determine whether adding the application to our Federal Private Cloud would be considered a minor change or a major change. Major changes require a partial re-assessment by the 3PAO.
3. We have the ISV sign an agreement that satisfies the required FedRAMP System and Services Acquisition (SA) controls.
4. We deploy the ISV’s App(s) onto virtual server(s) in our FedRAMP test environment.
5. We run vulnerability scans on the test environment at the OS, Database and Applications level.
6. We report findings to the ISV and work with them to correct any issues; if any are found.
7. We ensure the overall environment meets all of the security controls as required by FedRAMP rev4 SaaS-Level Compliance; examples include ensuring FIPS compliance, implementing executable whitelist restrictions, configuring log correlation, and more.
8. We follow our Configuration Change Control process to include the ISV’s App in our FedRAMP-compliant System Security Plan and associated documents.
9. The ISVs software is included in each annual assessment by our FedRAMP-certified 3PAO.
10. We work with ISV to create an announcement they can use and get it
approved by the Director of FedRAMP.