gbrain: sync converted org-mode brain files
This commit is contained in:
Hermes
60
ideas/compliance/fedramp.org
Normal file
60
ideas/compliance/fedramp.org
Normal file
@@ -0,0 +1,60 @@
|
||||
:PROPERTIES:
|
||||
:ID: auto-fedramp
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: FedRAMP (Federal Risk and Authorization Management Program)
|
||||
#+filetags: :passepartout:compliance:framework:fedramp:
|
||||
|
||||
* FedRAMP (Federal Risk and Authorization Management Program)
|
||||
|
||||
** What it is
|
||||
|
||||
US federal government's standardized approach to security assessment,
|
||||
authorization, and continuous monitoring for cloud services. OMB policy
|
||||
mandate — federal agencies must use FedRAMP-authorized services when available.
|
||||
|
||||
Three impact levels based on data sensitivity:
|
||||
|
||||
| Level | Data type | Examples | Cost to achieve | Timeline |
|
||||
|---------|-----------|---------------------------------|-----------------|----------|
|
||||
| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
|
||||
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
|
||||
| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |
|
||||
|
||||
Two authorization paths:
|
||||
- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
|
||||
DOD. Hardest path, most reusable across agencies.
|
||||
- **Agency:** authorization by a single federal agency for its own use. Faster
|
||||
but less portable.
|
||||
|
||||
Requires continuous monitoring (monthly scans, annual assessments, POA&M
|
||||
for findings).
|
||||
|
||||
** Who must comply
|
||||
|
||||
Any cloud service provider that sells to US federal agencies. Including
|
||||
IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
|
||||
are strongly discouraged from using non-authorized services.
|
||||
|
||||
** Penalties
|
||||
|
||||
No direct fines. Non-authorized providers are simply ineligible for federal
|
||||
contracts. FedRAMP is a procurement gate, not a regulatory one.
|
||||
|
||||
** Why it matters for the triad
|
||||
|
||||
FedRAMP is the highest bar and the most expensive certification to obtain.
|
||||
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
|
||||
But those that do capture the US government market with minimal competition.
|
||||
For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
|
||||
authorization can sell to every federal agency. The gate stack's deterministic
|
||||
audit trail maps directly to FedRAMP's continuous monitoring requirement —
|
||||
producing verifiable evidence of control effectiveness on every access, not
|
||||
just during the annual assessment. This is what justifies the
|
||||
[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
|
||||
package, it is the evidence pipeline for a certification that costs $1M-$5M
|
||||
and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
|
||||
applies hardest here: an agency that has relied on a FedRAMP-authorized compute
|
||||
provider for five years cannot switch without re-running the entire authorization
|
||||
process with a new provider.
|
||||
|
||||
Reference in New Issue
Block a user