Skip to main content

Focus on FedRAMP

Project Hosts: A Small CSP Who Likes FedRAMP

Project Hosts is a small business cloud service provider (CSP) that submitted its FedRAMP paperwork in April  2014 and achieved FedRAMP SaaS compliance in January, 2015.

I like FedRAMP.

Don’t get me wrong. The demanding standards, policies and processes required by FedRAMP arepainful to implement. But it’s worth it.

Why?

FedRAMP provides a much needed prescriptive security standard

Other security standards such as ISO 27001 ensure that a cloud service provider follows the policies that they themselves determine, but ISO is not prescriptive about what those policies should be in the first place. A company can choose its own password complexity requirements, its own server hardening standards, its own encryption policies, etc. An ISO auditor reviews a company’s policies and verifies that they are being followed. But ISO 27001 and many other standards do not set a bar of minimum requirements for the policies.

FedRAMP sets a bar. Passwords must have very specific requirements, hardening must be according to USGCB or STIG (for DoD) or CIS standards, encryption must be FIPS compliant, etc. As a result, if a CSP is assessed to be FedRAMP compliant, an agency really knows what it is getting – a well-defined level of security.

FedRAMP saves us a lot of time and money

In addition to federal agency customers, Project Hosts has a lot of customers that are state and local governments or large enterprises. The security organizations with those customers are keenly aware that most security standards are not prescriptive. Consequently, they develop their own in-house security standards. When considering a cloud solution, they then require CSPs to fill out detailed security questionnaires (often 50+ pages) and undergo an audit to verify compliance with their specific (often unique) security standards. These questionnaires and customer-specific audits take a lot of time and are expensive both for us and for the customer.

The good news is that many state and local governments and commercial enterprises are beginning to adopt FedRAMP as their security requirement. They know that by adopting this standard, they will no longer need CSPs to fill out long questionnaires or undergo audits that then need to be reviewed by their overworked security teams. They simply ask CSPs for evidence of FedRAMP compliance and annual assessments. Not only is this easier for them, this also saves us a lot of time and money.

FedRAMP saves federal agencies a lot of time and money

Before FedRAMP, federal agencies had to do a separate FISMA accreditation and audit for each deployment. Just as for the large enterprise customers mentioned above, this was very time-consuming and expensive. But now, federal agencies can easily obtain evidence of FedRAMP compliance and annual assessments, and much more quickly grant an ATO or leverage another agency’s ATO. This saves them a lot of time and money.

As a taxpayer, I like anything that saves the federal government money.

Yes, FedRAMP was painful to implement. But the huge advantage for us is that now that we are FedRAMP compliant, we can leverage that compliance time and time again with both government and commercial customers. Customers are sure about what they are getting, and we are not mired in the mess of being forced to implement a separate security standard for each customer.

About Project Hosts’ Federal Private Cloud (FedRAMP SaaS with Agency ATO)

The Federal Private Cloud for Windows and Linux Applications (FPC) provides cloud-based access to Microsoft applications including SharePoint, Project Server, Dynamics CRM, Power BI, Visual Studio, TFS, Remote Desktop, and Office; applications from other commercial software vendors such as AvePoint,

BrightWork, Gimmal, Innovative-e, Nintex, eSignLive, UMT360, and Urban Turtle; and open source applications such as Drupal, WordPress and Joomla for agency website content management. A hybrid cloud architecture allows agencies to leverage shared services for some functions (e.g. authentication, monitoring, scanning) while still having the option to choose dedicated servers for applications and databases. The option for dedicated virtual or physical servers allows agencies to meet compliance requirements and also provides them with greater flexibility to implement customizations to meet their functional requirements.