hermes-brain/ideas/compliance/fedramp.org
Hermes cc3976fb7f ideas: editorial sweep — atomization, interlinking, restructuring
- Split competitive-analysis-2026-05.org → TOC + 9 competitor files in
  ideas/competitors/. Dropped date from filename. All competitor UUIDs
  generated, TOC keeps original UUID for backlink continuity.
- Deleted passepartout-economics.org archive (replaced by 27-node KB).
- Inlined 5 'See also' blocks into natural prose (compliance-index,
  first-mover-window, revenue-table, orders-of-magnitude-time,
  native-org-knowledge-base).
- Linked 7 orphan compliance pages back to compliance index + finished
  truncated sentences.
- Linked all 14 Agora requirement docs from topic-relevant pages
  (identity→lisp-machine-security, infrastructure→compute-marketplace,
  social-space→growth-strategy, exchange→agora-contracts, etc.).
- Linked ai-industry-impact from investment-thesis, sufficiency-flip,
  verification-appliance, effects-growth-flywheel (up from 1 to 10+ pages).
- Fixed CREATED timestamps to use git commit dates instead of today.
- Made all links absolute from root (no port inheritance).
- Removed stale agora/docs/ duplicate content.
2026-05-24 16:25:55 +00:00

FedRAMP (Federal Risk and Authorization Management Program)

What it is

The US federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud services. It is an OMB policy mandate — federal agencies must use FedRAMP-authorized services when one is available.

Three impact levels based on data sensitivity:

| Level    | Data type                          | Examples                                   | Cost to achieve | Timeline     |
|----------|------------------------------------|--------------------------------------------|-----------------|--------------|
| Low      | Public or low-sensitivity          | Public websites, unclassified comms        | $500K-$1M       | 6-12 months  |
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement  | $1M-$3M         | 12-24 months |
| High     | National security, classified      | Defense, intelligence, critical infra      | $3M-$5M         | 18-36 months |

Two authorization paths:

  • JAB (Joint Authorization Board): provisional authorization by DHS, GSA, DOD. Hardest path, most reusable across agencies.
  • Agency: authorization by a single federal agency for its own use. Faster but less portable.

Requires continuous monitoring (monthly scans, annual assessments, POA&M for findings).

Who must comply

Any cloud service provider that sells to US federal agencies, whether the offering is IaaS, PaaS, or SaaS. The FedRAMP Marketplace lists authorized providers — agencies are strongly discouraged from using non-authorized services.

Penalties

No direct fines. Non-authorized providers are simply ineligible for federal contracts. FedRAMP is a procurement gate, not a regulatory one.

Why it matters for the triad

FedRAMP is the highest bar and the most expensive certification to obtain. Few cloud providers achieve it (fewer than 300 authorized products as of 2025), but those that do capture the US government market with minimal competition. For the triad: a compute marketplace provider with FedRAMP Moderate or High authorization can sell to every federal agency. The gate stack's deterministic audit trail maps directly to FedRAMP's continuous monitoring requirement — producing verifiable evidence of control effectiveness on every access, not just during the annual assessment. This is what justifies the FedRAMP gate package at $100K/yr (the highest price): it is not a software package; it is the evidence pipeline for a certification that costs $1M-$5M and 12-36 months to obtain independently. The verification monopoly argument applies hardest here: an agency that has relied on a FedRAMP-authorized compute provider for five years cannot switch without re-running the entire authorization process with a new provider.