hermes-brain/projects/passepartout/strategy/compliance/fedramp.org
Hermes 0a8e77e949 Reorganize brain: projects/ top level, rename filenames, update homepage
- Moved everything from ideas/passepartout/ to projects/passepartout/
- Moved legal structures to projects/flags/
- Created missing _index.org files for all subdirectories
- Stripped redundant passepartout- prefix from filenames
- Rewrote root _index.org as generalized brain index (projects + concepts)
- Updated Hugo nav to Projects/Concepts
- Updated build script section descriptions
- Deleted stale ideas/passepartout-economics.md orphan
2026-05-24 18:54:14 +00:00


FedRAMP (Federal Risk and Authorization Management Program)

What it is

US federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud services. OMB policy mandate — federal agencies must use FedRAMP-authorized services when available.

Three impact levels based on data sensitivity:

| Level    | Data type                           | Examples                                     | Cost to achieve | Timeline     |
|----------+-------------------------------------+----------------------------------------------+-----------------+--------------|
| Low      | Public or low-sensitivity           | Public websites, unclassified comms          | $500K-$1M       | 6-12 months  |
| Moderate | Controlled Unclassified Info (CUI)  | Tax records, health data, law enforcement    | $1M-$3M         | 12-24 months |
| High     | National security, classified       | Defense, intelligence, critical infra        | $3M-$5M         | 18-36 months |

Two authorization paths:

  • JAB (Joint Authorization Board): provisional authorization by DHS, GSA, DOD. Hardest path, most reusable across agencies.
  • Agency: authorization by a single federal agency for its own use. Faster but less portable.

Requires continuous monitoring (monthly scans, annual assessments, POA&M for findings).

Who must comply

Any cloud service provider that sells to US federal agencies, whether IaaS, PaaS, or SaaS. The FedRAMP Marketplace lists authorized providers — agencies are strongly discouraged from using non-authorized services.

Penalties

No direct fines. Non-authorized providers are simply ineligible for federal contracts. FedRAMP is a procurement gate, not a regulatory one.

Why it matters for Passepartout

FedRAMP is the highest bar and the most expensive certification to obtain. Few cloud providers achieve it (fewer than 300 authorized products as of 2025). But those that do capture the US government market with minimal competition. For Passepartout: a compute marketplace provider with FedRAMP Moderate or High authorization can sell to every federal agency. The gate stack's deterministic audit trail maps directly to FedRAMP's continuous monitoring requirement — producing verifiable evidence of control effectiveness on every access, not just during the annual assessment. This is what justifies the FedRAMP gate package at $100K/yr (the highest price) — it is not a software package, it is the evidence pipeline for a certification that costs $1M-$5M and 12-36 months to obtain independently. The verification monopoly argument applies hardest here: an agency that has relied on a FedRAMP-authorized compute provider for five years cannot switch without re-running the entire authorization process with a new provider.