June 23, 2023

Last Updated on January 13, 2024

As you’re deciding whether to pursue a Federal Risk and Authorization Management Program Authority to Operate (FedRAMP ATO), a critical question is how FedRAMP requirements might impact the architecture of your current SaaS, PaaS, or IaaS offering. Any special requirements from your sponsoring agency would also factor into this analysis.

Mike Craig, CEO at Vanaheim Security, shares how he advises clients looking to address FedRAMP’s unique demands.

“Federalizing” your SaaS offering

If all your current SaaS clients are private sector businesses, FedRAMP’s government-specific control requirements may force you to “federalize” your commercial application. It’s not uncommon for sponsoring agencies to tack on some unique requirements as well.

Many cloud service providers end up building a second, smaller federal enclave within their overall SaaS infrastructure to meet government-specific requirements. This lets you contain the added operating costs within the federal customer base, rather than rearchitecting your entire SaaS footprint and spending more to support customers that don’t require it.

You may also need to make some staffing/HR changes to support your government clients. For example, if your tech support teams are currently outside the US, moving support for your government clients to US-based staff is a common change.

What needs to change and how do you get there?

Depending on your starting point, you may encounter small or large architectural, process, and/or HR changes on the path to a FedRAMP ATO.

Mike explains: “With that enterprise architecture approach of your people/process/technology, all the way through to operating your SaaS for federal clients, we look at what would actually need to change? And how would you get there? So, we can start you down that path while you’re concurrently working your sponsor engagement strategy.”

Architectural choices are further supported by the market segmentation analysis that should be part of a SaaS org’s initial due diligence around whether to pursue a FedRAMP ATO. What does profitability look like for your total business? And does a separate SaaS for US government customers make sense?

What’s next?

For more guidance on this topic, listen to Episode 120 of The Virtual CISO Podcast with guest Mike Craig from Vanaheim Security.
