ISV FedRAMP PROGRAM OVERVIEW:
ISVs and solution providers who want to sell their application as a cloud service to U.S. federal and state government agencies must meet the GSA's FedRAMP program standards at the SaaS level.
Project Hosts is a Cloud Service Provider (CSP) that provides FedRAMP SaaS-level compliant cloud services in Azure for Microsoft solutions based on Windows, SQL Server, SharePoint, Project Server, Dynamics CRM and a host of ISV applications.
ISVs with applications that run on these platforms can partner with Project Hosts to deliver their solutions from a FedRAMP SaaS-level compliant cloud on Azure Gov. Project Hosts’ ISV FedRAMP Program includes these essential services:
- Understand the application's deployment requirements and dependencies
- Deploy the app in a FedRAMP SaaS-compliant test environment
- Run vulnerability scans at the OS, database and application levels
- Consult with the ISV and correct any findings, if needed
- Incorporate the ISV's software into Project Hosts' System Security Plan (SSP)
A more complete process definition can be found below.
By working with Project Hosts, your software application can be hosted and tested in our Federal Private Cloud environment. We perform the necessary tests and create the documentation needed to show that your application runs in our Federal Private Cloud environment and that the environment continues to meet all 325 security controls required for SaaS-level FedRAMP compliance.
A number of ISVs have worked with us and now offer their applications from a FedRAMP SaaS-level compliant cloud. These applications include:
- Dynamics CRM
- Project Server
- UMT 360
- Urban Turtle
OUR ISV PROGRAM AND PROCESS:
The goal of the ISV FedRAMP program is to ensure that ISV application software, which is an add-on to our existing Federal Private Cloud environment (such as a SharePoint-based application), is deployed and available from our FedRAMP SaaS-compliant cloud. Throughout this process, we work with our assessor, an accredited Third Party Assessment Organization (3PAO), and the GSA to ensure all necessary tests and activities are performed correctly. A summary of this process is outlined below.
Our FedRAMP Add-on Application Process:
- The ISV provides us with a high-level architecture describing how their application is typically deployed.
- We determine whether adding the application to our Federal Private Cloud would be considered a minor change or a major (significant) change. Major changes require a re-assessment by the 3PAO.
- We have the ISV sign an agreement that satisfies the required FedRAMP System and Services Acquisition (SA) controls.
- We deploy the ISV's app(s) onto virtual server(s) in our FedRAMP test environment.
- We run vulnerability scans on the test environment at the OS, database and application levels.
- We report findings to the ISV and work with them to correct any issues that are found.
- We ensure the overall environment meets all 325 security controls required for FedRAMP Rev 4 SaaS-level compliance (the FedRAMP Moderate baseline); examples include using FIPS 140-2 validated cryptography (SC-13), restricting execution to a whitelist of authorized software (CM-7(5)), configuring audit log correlation (AU-6(3)), and more.
- If adding the software is considered a major change to the environment by our accredited 3PAO (assessor), we have the environment re-assessed with the ISV software included in it.
- We follow our Configuration Change Control process to include the ISV's app in our FedRAMP-compliant System Security Plan and associated documents.
- We work with the ISV to create an announcement they can use, and get it approved by the GSA's Director of FedRAMP.
WHAT'S THE DIFFERENCE BETWEEN FedRAMP IaaS, PaaS and SaaS COMPLIANCE?
Understanding the differences between IaaS, PaaS and SaaS FedRAMP-compliant environments is a critical factor when choosing a Cloud Service Provider (CSP) and selling your application solution to federal and state government agencies.
IaaS and PaaS FedRAMP-compliant platforms are just that: Infrastructure- and Platform-as-a-Service offerings. FedRAMP IaaS- and PaaS-compliant cloud platforms such as Azure Gov are tested and meet the security controls for that (IaaS/PaaS) level of service only. Simply deploying your application on an IaaS/PaaS-compliant platform does not make it SaaS-compliant: the SaaS provider can inherit some controls from the underlying platform, but remains responsible for every control the platform does not cover, including those at the OS, database and application layers. To achieve SaaS-level compliance, you must ensure that all 325 FedRAMP security controls are in place, and have been tested, documented and validated by the GSA.