hermes-brain/ideas/compliance/fedramp.org
Hermes cc3976fb7f ideas: editorial sweep — atomization, interlinking, restructuring
- Split competitive-analysis-2026-05.org → TOC + 9 competitor files in
  ideas/competitors/. Dropped date from filename. All competitor UUIDs
  generated, TOC keeps original UUID for backlink continuity.
- Deleted passepartout-economics.org archive (replaced by 27-node KB).
- Inlined 5 'See also' blocks into natural prose (compliance-index,
  first-mover-window, revenue-table, orders-of-magnitude-time,
  native-org-knowledge-base).
- Linked 7 orphan compliance pages back to compliance index + finished
  truncated sentences.
- Linked all 14 Agora requirement docs from topic-relevant pages
  (identity→lisp-machine-security, infrastructure→compute-marketplace,
  social-space→growth-strategy, exchange→agora-contracts, etc.).
- Linked ai-industry-impact from investment-thesis, sufficiency-flip,
  verification-appliance, effects-growth-flywheel (up from 1 to 10+ pages).
- Fixed CREATED timestamps to use git commit dates instead of today.
- Made all links absolute from root (no port inheritance).
- Removed stale agora/docs/ duplicate content.
2026-05-24 16:25:55 +00:00
:PROPERTIES:
:ID: e6993701-3c67-49bf-82f3-06907572cbf3
:ID: auto-fedramp
:CREATED: [2026-05-23 Sat]
:END:
#+title: FedRAMP (Federal Risk and Authorization Management Program)
#+filetags: :passepartout:compliance:framework:fedramp:
* FedRAMP (Federal Risk and Authorization Management Program)
** What it is
FedRAMP is the US federal government's standardized approach to security
assessment, authorization, and continuous monitoring for cloud services. It is
an OMB policy mandate: federal agencies must use FedRAMP-authorized services
when such services are available.
FedRAMP defines three impact levels based on data sensitivity:
| Level    | Data type                          | Examples                                  | Cost to achieve | Timeline     |
|----------|------------------------------------|-------------------------------------------|-----------------|--------------|
| Low      | Public or low-sensitivity          | Public websites, unclassified comms       | $500K-$1M       | 6-12 months  |
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M         | 12-24 months |
| High     | National security, classified      | Defense, intelligence, critical infra     | $3M-$5M         | 18-36 months |
There are two authorization paths:
- **JAB (Joint Authorization Board):** provisional authorization granted jointly
  by DHS, GSA, and DOD. The hardest path, but the most reusable across agencies.
- **Agency:** authorization granted by a single federal agency for its own use.
  Faster to obtain, but less portable to other agencies.
Authorization also requires continuous monitoring: monthly scans, annual
assessments, and a Plan of Action and Milestones (POA&M) tracking open findings.
** Who must comply
Any cloud service provider that sells to US federal agencies, whether it offers
IaaS, PaaS, or SaaS. The FedRAMP Marketplace lists authorized providers, and
agencies are strongly discouraged from using non-authorized services.
** Penalties
There are no direct fines. Non-authorized providers are simply ineligible for
federal contracts: FedRAMP is a procurement gate, not a regulatory one.
** Why it matters for the triad
FedRAMP is the highest bar and the most expensive certification to obtain.
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
But those that do capture the US government market with minimal competition.
For the triad: a [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]] provider with FedRAMP Moderate or High
authorization can sell to every federal agency. The gate stack's deterministic
audit trail maps directly to FedRAMP's continuous monitoring requirement —
producing verifiable evidence of control effectiveness on every access, not
just during the annual assessment. This is what justifies the
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
package, it is the evidence pipeline for a certification that costs $1M-$5M
and 12-36 months to obtain independently. The [[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] argument
applies hardest here: an agency that has relied on a FedRAMP-authorized compute
provider for five years cannot switch without re-running the entire authorization
process with a new provider.