Other FedRAMP Compliance Solutions

Dedicated Solutions for Agencies

In order for a federal agency to use your SaaS solution, they will have to grant an Authority-to-Operate (ATO), after first assessing it and ensuring that FedRAMP controls are in place.  Sometimes an agency is willing to grant an ATO for a SaaS solution dedicated just to them, but they are not willing to be the first agency (the “FedRAMP sponsor”) to grant an ATO for a multitenant solution that will be used by multiple agencies.

 

If you are willing to have dedicated deployments of your SaaS, you can still serve these agencies.  The good news is that since FedRAMP only applies to multitenant cloud offerings, you do not need to go through the full FedRAMP process to serve them.  In fact, when you are doing a dedicated deployment, most agencies do not require you to get a separate 3PAO audit (since they are not willing to have that cost passed on to them).  Instead, they just require you to provide the agency’s assessors with a System Security Plan (SSP) that details how all FedRAMP controls have been implemented for the solution, along with evidence (e.g. screenshots) that verify implementation.

 

When you work with Project Hosts for these deployments, it is much easier for your agency to grant the ATO for two reasons:  First, by tying your SaaS into the Project Hosts GSS One PaaS, your SaaS inherits a majority of the control implementations.  Also, since GSS One is FedRAMP authorized already, your agency does not need to re-assess and re-approve those controls.  Second, since Project Hosts has ATOs from dozens of agencies, we know what they are looking for and can prepare the SSP and evidence in a way that makes it much easier for agency assessors to approve.

 

Often, providing a dedicated SaaS solution to an agency is a first step.  After working with us (on your behalf), the agency may very well agree to be your sponsor for a full FedRAMP authorization.  Contact us to learn more about dedicated solutions.