DataBank Establishes $725M Financing Facility to Support Growth. Read the press release.

FedRAMP PaaS Compliance: Should You Consider It?

FedRAMP PaaS Compliance: Should You Consider It?

Becoming FedRAMP PaaS compliant can open up a lot of exciting opportunities for businesses. This means it can be more than worth the effort of achieving a FedRAMP PaaS certification. Here is a quick guide to what you need to know.

FedRAMP PaaS vs other security certifications

As the use of IT has proliferated, so has the number of security certifications you can acquire to keep your infrastructure secure. Some of these apply to any form of IT infrastructure. Others are specific to certain areas of IT (such as the cloud) and/or certain categories of data (e.g. HIPAA).

Some companies are required to meet certain specifications due to the nature of the data they store. In other cases, a company may choose to meet certain security specifications because of their business benefits. FedRAMP PaaS could fit into either category. You will need to acquire it if you wish to carry out any sort of work for any federal government agency. It can also be a competitive advantage if you wish to carry out work for state or local agencies or certain private businesses/organizations.

In fact, in some sectors, not having FedRAMP PaaS compliance can effectively leave you at a major disadvantage. If your competitors have it and you don’t, they may simply be seen as the safer option. For completeness, it is easy for anyone to check if a business is FedRAMP PaaS certified as the federal government lists all certified businesses in the FedRAMP marketplace. This was created for government agencies but is open to the public.

The basics of FedRAMP PaaS compliance

At its core, FedRAMP PaaS compliance is very straightforward. To achieve certification, providers must be able to demonstrate that they can achieve the following.

1. Effectively restrict access to data in accordance with access controls.
2. Ensure that data integrity is maintained (i.e. prevent data corruption).
3. Demonstrate that they can keep data available at all times.

The level of proof required depends on the level of certification required. The categories are High, Medium Low, and Low-Impact Software-as-a-Service (LI-SAAS). LI-SAAS is probably better known as FedRAMP tailored. It’s intended for collaboration tools such as project-management software.

It is possible for businesses to start at a lower level of certification and move up. At the same time, it’s important to consider whether or not this would be an overall gain. You might find that it is actually simpler just to aim for a higher level of compliance in the first place.

Time and resources needed to achieve FedRAMP PaaS compliance

In principle, you can achieve FedRAMP compliance in around three months or even less. In practice, this is only likely to be possible with the lowest category of security. Even then, it is likely to be a best-case scenario.

For higher grades of security, 6-12 months is likely to be a more realistic estimate. It’s not uncommon for FedRAMP compliance to take even longer although it is unusual for it to take more than 18-24 months. This is exactly why organizations that value FedRAMP PaaS compliance tend to give strong preference to businesses that already have it.

Given that the process is fairly lengthy, it will inevitably place some level of extra demand on resources. It can be very hard to judge these in advance since you won’t necessarily know what will be required to achieve FedRAMP PaaS certification.

With that said, one of the early stages of the process is an assessment of your current status. Once you have this, it is likely to be much easier to see what sort of steps you need to take and hence what sort of resources will be required. If it does prove to be too much, you can always back out of the process (and restart it later if you wish).

The process of becoming FedRAMP PaaS compliant

There are two routes to becoming FedRAMP PaaS compliant. One is to be certified by a federal government agency. The other one is to go through the Joint Authorization Board (JAB).

Technically, only government agencies can sign off on a FedRAMP authorization to operate (ATO). JAB can only sign off on a provisional authorization to operate PATO. In the real world, however, both authorizations have equal standing.

The path to acquiring authorization through a federal agency is slightly different from the path for acquiring authorization through JAB. These differences are, however, very minor.

Agency process

1 – Partnership establishment
2 – Full security assessment
3 – Authorization process
4 – Continuous monitoring

JAB process

1 – Readiness assessment and FedRAMP connect
2 – Full security assessment
3 – Authorization process
4 – Continuous monitoring

For completeness, government agencies strongly recommend that businesses complete a readiness assessment. This is, however, optional.


Read More:

What Is FedRAMP Compliance?

What You Need To Know About CMMC vs FedRAMP

Share Article


Discover the DataBank Difference

Discover the DataBank Difference

Explore the eight critical factors that define our Data Center Evolved approach and set us apart from other providers.
Download Now
Get Started

Get Started

Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.

Get A Quote

Request a Quote

Tell us about your infrastructure requirements and how to reach you, and one of the team members will be in touch.

Schedule a Tour

Tour Our Facilities

Let us know which data center you’d like to visit and how to reach you, and one of the team members will be in touch shortly.