Cloud Partner Program for Salesforce® ISVs
ISVs that want to sell their Salesforce software application as a cloud service to U.S. federal and state government agencies must meet the GSA’s FedRAMP program standards at the SaaS level.
Project Hosts is a Cloud Service Provider (CSP) that provides FedRAMP compliant SaaS-level cloud services for Windows, SQL Server, Linux, MySQL, Salesforce, Drupal, WordPress, Joomla, SharePoint, Project Server, Dynamics, and other application platforms.
ISVs and Solution Providers with software applications that run on these platforms can partner with Project Hosts to deliver their solutions in a FedRAMP SaaS level compliant cloud.
The goal of the program is to ensure that the ISV's application software, which is included as an add-on to our existing Federal Private Cloud environment (such as a Salesforce-based application that is part of a hybrid cloud that includes an interconnect to the Salesforce cloud), is deployed and available from our FedRAMP SaaS-compliant cloud. Throughout this process, we work with our assessor, a certified 3PAO, and the GSA to ensure all necessary tests and activities are performed correctly.
ISVs with applications that run on these platforms can partner with Project Hosts to deliver their software solutions from a FedRAMP SaaS-level compliant cloud on Azure Gov. Project Hosts’ ISV FedRAMP Program includes these essential services:
- Understand application deployment requirements and dependencies
- Deploy App on FedRAMP SaaS compliant test environment
- Run Vulnerability Scans on OS, Database and App
- Consult with the ISV and correct issues, if needed
- Incorporate the ISV's software into Project Hosts' System Security Plan (SSP)
By partnering with Project Hosts, Salesforce ISVs can deliver their applications and services in a highly secured Azure Cloud with FedRAMP SaaS-level compliance.
A more complete process definition can be found below. By working with Project Hosts, your software applications can be hosted and tested in our Private Federal Cloud environment. We perform the necessary tests and create the documentation necessary to ensure that your application runs in our Federal Private Cloud environment and continues to meet all of the 325 security controls required for SaaS-level FedRAMP compliance. We have a range of solutions available, and many ISVs have worked with us to put their software application in a FedRAMP SaaS-level compliant cloud.
- Dynamics CRM
- Project Server
- UMT 360
- Urban Turtle
OUR ISV PROGRAM AND PROCESS
Summary of our ISV FedRAMP program process for including a Salesforce software application in the Federal Private Cloud:
- The ISV provides us with a high-level architecture describing how their application is typically deployed.
- We determine whether adding the application to our Federal Private Cloud would be considered a minor change or a major change. Major changes require a re-assessment by the 3PAO.
- We have the ISV sign an agreement that satisfies the required FedRAMP System and Services Acquisition (SA) controls.
- We deploy the ISV’s App(s) onto virtual server(s) in our FedRAMP test environment.
- We run vulnerability scans on the test environment at the OS, Database and Applications level.
- We report findings to the ISV and work with them to correct any issues, if any are found.
- We ensure the overall environment meets the total 325 security controls as required by FedRAMP rev4 SaaS-Level Compliance; examples include ensuring FIPS compliance, implementing executable whitelist restrictions, configuring log correlation, and more.
- If adding the software is considered a major change to the environment by our FedRAMP-certified 3PAO (assessor), we have the environment re-assessed with the ISV software included in it.
- We follow our Configuration Change Control process to include the ISV’s App in our FedRAMP-compliant System Security Plan and associated documents.
- We work with the ISV to create an announcement they can use and get it approved by the GSA’s Director of FedRAMP.
WHAT'S THE DIFFERENCE BETWEEN FedRAMP IaaS, PaaS and SaaS COMPLIANCE?
Understanding the differences between IaaS, PaaS and SaaS FedRAMP compliant environments is a critical factor when choosing a Cloud Service Provider (CSP) and selling your application solution to federal and state government agencies.
IaaS and PaaS FedRAMP compliant platforms are just that: they are Infrastructure- and Platform-as-a-Service offerings. FedRAMP IaaS- and PaaS-compliant cloud platforms, such as Azure Gov, are tested and meet the security controls for that (IaaS/PaaS) level of support. Simply deploying your application on an IaaS/PaaS compliant platform does not make it SaaS-compliant. To ensure SaaS-level compliance, you must ensure that the 325 FedRAMP security controls are in place and have been tested, documented and validated by the GSA.