How ISVs Can Maintain CSP Business by Meeting Select FedRAMP Controls


Are you an independent software vendor (ISV) wondering whether the Federal Risk and Authorization Management Program (FedRAMP) applies to your product? FedRAMP doesn’t apply directly to ISVs; however, there are certain requirements you will need to meet if you have a customer (or several) looking to sell to the Federal government.

Here’s what you need to know about FedRAMP for your organization and the steps you need to take.

Does FedRAMP Apply to Your Organization as an ISV?

FedRAMP does not apply to your organization in the traditional sense. FedRAMP was designed to provide a cost-efficient and risk-based approach to cloud adoption for federal departments and agencies. As such, cloud service providers (CSPs) that wish to sell a commercial cloud service offering (CSO) to a government agency must obtain authorization to operate (ATO) from a government agency or the program’s Joint Authorization Board (JAB). CSPs that achieve ATO status then have their CSO listed on the FedRAMP marketplace and are eligible to do business with government agencies.

However, as an ISV, you cannot obtain ATO nor have products listed in the FedRAMP marketplace because your software is not a cloud-based “as a service” offering. “As a service” offerings include Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).

But this doesn’t mean you’re not subject to FedRAMP requirements. In fact, if your product is incorporated into a CSO (such as a SaaS solution like ServiceNow or Salesforce), then the product is within the authorization boundary of that offering. This means it will have to meet certain control requirements for your CSP customer to be able to earn FedRAMP authorization.

How Can Your Organization Meet Select FedRAMP Control Requirements?

The majority (80-90%) of the FedRAMP control requirements relevant to your organization will either be inherited from the underlying PaaS/IaaS (such as Azure or AWS) or be the responsibility of your CSP customer. For this reason, it is important for your business to use a FedRAMP-authorized PaaS/IaaS so that the requirements are fulfilled at those layers; your organization remains responsible for providing controls such as monitoring, endpoint protection, and vulnerability management. The agency can choose either to manage these controls itself or to utilize a managed service provider (MSP).

For the remaining controls that are the responsibility of your business (related to application updates, flaw remediation, database management, etc.), an accredited third-party assessment organization (3PAO), like A-LIGN, can conduct a conservatively scoped assessment that attests to any controls your organization would typically provide to a client, along with how you would protect any federal data and metadata you would receive. The assessment results in a report that can be shared with customers to ensure everyone understands the risk associated with using the product prior to deployment.

This is the best way to ensure your business as an ISV is ready to sell to a CSP seeking government business. It introduces transparency and trust in the ISV. In the end, it is up to the government agency to decide whether or not they are willing to accept the risk associated with the CSP’s CSO and grant ATO status.

What are the Benefits of Using a 3PAO for a FedRAMP ISV Assessment?

Partnering with a 3PAO to assess a scoped-down list of the common controls your organization is expected to fulfill will help ensure that you are ticking all the necessary boxes. Without undergoing such an assessment, your business as an ISV may unintentionally hinder your CSP clients’ efforts to achieve FedRAMP authorization. Here are some of the benefits of using a 3PAO to perform this conservatively scoped FedRAMP assessment:

  • Reduces uncertainty about whether or not the right controls are being met
  • Increases transparency and trust between your organization and your CSP customers, and between those customers and the government
  • Ability to re-use the assessment across CSP customers pursuing FedRAMP authorization
  • Helps improve your overall security posture and mitigate the risk of a data breach

Work with a Top FedRAMP Assessor

Given the complexity of the cloud security ecosystem and related compliance standards, it’s easy to become confused about the degree to which FedRAMP applies to your organization. Rest assured that your business does not have to achieve full FedRAMP authorization the way your CSP customers must when they are looking to do business with a government agency. But that doesn’t mean FedRAMP doesn’t apply to your business as an ISV at all. Remember, if you sell to a CSP and your product falls within the authorization boundary of their CSO, there are certain FedRAMP controls you will be required to fulfill. That’s where A-LIGN comes in.

As a top FedRAMP assessor and an experienced 3PAO, A-LIGN offers a conservatively scoped assessment designed specifically for ISVs that will ensure your business has the necessary controls in place to help your clients earn FedRAMP ATO status.