hermes-brain/projects/passepartout/strategy/compliance/fedramp.org
Hermes 0a8e77e949 Reorganize brain: projects/ top level, rename filenames, update homepage
- Moved everything from ideas/passepartout/ to projects/passepartout/
- Moved legal structures to projects/flags/
- Created missing _index.org files for all subdirectories
- Stripped redundant passepartout- prefix from filenames
- Rewrote root _index.org as generalized brain index (projects + concepts)
- Updated Hugo nav to Projects/Concepts
- Updated build script section descriptions
- Deleted stale ideas/passepartout-economics.md orphan
2026-05-24 18:54:14 +00:00
:PROPERTIES:
:ID: e6993701-3c67-49bf-82f3-06907572cbf3
:ID: auto-fedramp
:CREATED: [2026-05-23 Sat]
:END:
#+title: FedRAMP (Federal Risk and Authorization Management Program)
#+filetags: :passepartout:compliance:framework:fedramp:
* FedRAMP (Federal Risk and Authorization Management Program)
** What it is
US federal government's standardized approach to security assessment,
authorization, and continuous monitoring for cloud services. OMB policy
mandate — federal agencies must use FedRAMP-authorized services when available.
Three impact levels based on data sensitivity:
| Level    | Data type                          | Examples                                  | Cost to achieve | Timeline     |
|----------|------------------------------------|-------------------------------------------|-----------------|--------------|
| Low      | Public or low-sensitivity          | Public websites, unclassified comms       | $500K-$1M       | 6-12 months  |
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M         | 12-24 months |
| High     | National security, classified      | Defense, intelligence, critical infra     | $3M-$5M         | 18-36 months |
Two authorization paths:
- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
DOD. Hardest path, most reusable across agencies.
- **Agency:** authorization by a single federal agency for its own use. Faster
but less portable.
Requires continuous monitoring (monthly scans, annual assessments, POA&M
for findings).
** Who must comply
Any cloud service provider that sells to US federal agencies, including
IaaS, PaaS and SaaS offerings. The FedRAMP Marketplace lists authorized
providers — agencies are strongly discouraged from using non-authorized services.
** Penalties
No direct fines. Non-authorized providers are simply ineligible for federal
contracts. FedRAMP is a procurement gate, not a regulatory one.
** Why it matters for Passepartout
FedRAMP is the highest bar and the most expensive certification to obtain.
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
But those that do capture the US government market with minimal competition.
For Passepartout: a [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]] provider with FedRAMP Moderate or High
authorization can sell to every federal agency. The gate stack's deterministic
audit trail maps directly to FedRAMP's continuous monitoring requirement —
producing verifiable evidence of control effectiveness on every access, not
just during the annual assessment. This is what justifies the
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
package, it is the evidence pipeline for a certification that costs $1M-$5M
and 12-36 months to obtain independently. The [[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] argument
applies hardest here: an agency that has relied on a FedRAMP-authorized compute
provider for five years cannot switch without re-running the entire authorization
process with a new provider.
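The claim above is that a deterministic, per-access audit trail is itself the
continuous-monitoring evidence an assessor wants. The following is an added
illustration, not code from the Passepartout gate stack: a hash-chained access
evidence log where each record binds the previous record's hash, so any
after-the-fact edit is detectable, plus a monthly roll-up of allow/deny
decisions per control. The control identifiers (AC-3, AC-6) are NIST SP 800-53
families that FedRAMP baselines draw on; the event fields, principals and
resources are constructed sample data.

```python
import hashlib
import json

# Anchor for the first record's "prev" link (constructed convention, not a standard).
GENESIS = "0" * 64


def _canonical(body: dict) -> bytes:
    # Deterministic serialization: same fields in any order -> same bytes -> same hash.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_event(chain: list, event: dict) -> dict:
    """Append one access decision, binding it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = dict(event, prev=prev)
    record = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Recompute every link; return (ok, index of first bad record or chain length)."""
    prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("prev") != prev:
            return False, i  # link to predecessor broken (record removed/reordered)
        if hashlib.sha256(_canonical(body)).hexdigest() != record["hash"]:
            return False, i  # record content changed after it was hashed
        prev = record["hash"]
    return True, len(chain)


def monthly_summary(chain: list, month: str) -> dict:
    """Allow/deny counts per control for records whose timestamp starts with `month` (YYYY-MM)."""
    summary = {}
    for record in chain:
        if not record["ts"].startswith(month):
            continue
        per_control = summary.setdefault(record["control"], {"allow": 0, "deny": 0})
        per_control[record["decision"]] += 1
    return summary


# Constructed sample events; hypothetical principals and resources.
SAMPLE_EVENTS = [
    {"ts": "2026-05-01T09:00:00Z", "principal": "analyst@agency.example",
     "resource": "vm-42", "control": "AC-3", "decision": "allow"},
    {"ts": "2026-05-01T09:05:00Z", "principal": "contractor@vendor.example",
     "resource": "vm-42", "control": "AC-3", "decision": "deny"},
    {"ts": "2026-05-02T10:00:00Z", "principal": "analyst@agency.example",
     "resource": "bucket-cui", "control": "AC-6", "decision": "allow"},
    {"ts": "2026-06-01T08:00:00Z", "principal": "analyst@agency.example",
     "resource": "vm-42", "control": "AC-3", "decision": "allow"},
]


def build_sample_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    return chain


def tampered_copy(chain: list) -> list:
    """Copy of the chain with one denial rewritten to 'allow' after the fact."""
    copy = [dict(r) for r in chain]
    copy[1]["decision"] = "allow"
    return copy


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("May 2026 evidence:", monthly_summary(chain, "2026-05"))
    print("tampered:", verify_chain(tampered_copy(chain)))
```

The monthly summary is the kind of artifact a continuous-monitoring deliverable
can be generated from; the chain verification is what lets an assessor confirm
the summary was computed over an unmodified log rather than trusting the
provider's word.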