
Our company is limited to using products that maintain FedRAMP compliance, and we are looking to implement a new data collection tool. We are interested in a product that utilizes Microsoft Azure, which I understand is FedRAMP compliant. Is FedRAMP something that applies to this new software (or company that develops it) that is being hosted in MS's Azure environment? Or only to Azure itself?

As someone relatively new to the cybersecurity world, I want to be sure I understand the scope of FedRAMP and how it affects our options going forward.

KBreton

1 Answer


REF: https://www.fedramp.gov/faqs/

It looks to me like you need to have everything authorized.

If an Agency purchases an outsourced service (software) that is built on top of a cloud platform, how is that handled within FedRAMP?

Obtaining a FedRAMP authorization requires all system components be assessed based on the control requirements in the FedRAMP baseline. If a FedRAMP authorized IaaS is leveraged, the Agency only needs to assess controls that are not addressed by the managed IaaS provider. If a SaaS is hosted on a FedRAMP-authorized IaaS, the SaaS vendor would need to have a separate FedRAMP authorization. The IaaS authorization would remain as-is and then the SaaS would leverage/re-use the IaaS authorization and applicable security controls (for the IaaS portion of requirements). If a SaaS or PaaS is leveraging a non-FedRAMP authorized infrastructure, then the entire FedRAMP stack would need to be authorized together.