0a8e77e949
- Moved everything from ideas/passepartout/ to projects/passepartout/ - Moved legal structures to projects/flags/ - Created missing _index.org files for all subdirectories - Stripped redundant passepartout- prefix from filenames - Rewrote root _index.org as generalized brain index (projects + concepts) - Updated Hugo nav to Projects/Concepts - Updated build script section descriptions - Deleted stale ideas/passepartout-economics.md orphan
62 lines
3.0 KiB
Org Mode
62 lines
3.0 KiB
Org Mode
:PROPERTIES:
|
|
:ID: e6993701-3c67-49bf-82f3-06907572cbf3
|
|
:ID: auto-fedramp
|
|
:CREATED: [2026-05-23 Sat]
|
|
:END:
|
|
#+title: FedRAMP (Federal Risk and Authorization Management Program)
|
|
#+filetags: :passepartout:compliance:framework:fedramp:
|
|
|
|
* FedRAMP (Federal Risk and Authorization Management Program)
|
|
|
|
** What it is
|
|
|
|
US federal government's standardized approach to security assessment,
|
|
authorization, and continuous monitoring for cloud services. OMB policy
|
|
mandate — federal agencies must use FedRAMP-authorized services when available.
|
|
|
|
Three impact levels based on data sensitivity:
|
|
|
|
| Level | Data type | Examples | Cost to achieve | Timeline |
|
|
|---------|-----------|---------------------------------|-----------------|----------|
|
|
| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
|
|
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
|
|
| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |
|
|
|
|
Two authorization paths:
|
|
- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
|
|
DOD. Hardest path, most reusable across agencies.
|
|
- **Agency:** authorization by a single federal agency for its own use. Faster
|
|
but less portable.
|
|
|
|
Requires continuous monitoring (monthly scans, annual assessments, POA&M
|
|
for findings).
|
|
|
|
** Who must comply
|
|
|
|
Any cloud service provider that sells to US federal agencies. Including
|
|
IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
|
|
are strongly discouraged from using non-authorized services.
|
|
|
|
** Penalties
|
|
|
|
No direct fines. Non-authorized providers are simply ineligible for federal
|
|
contracts. FedRAMP is a procurement gate, not a regulatory one.
|
|
|
|
** Why it matters for Passepartout
|
|
|
|
FedRAMP is the highest bar and the most expensive certification to obtain.
|
|
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
|
|
But those that do capture the US government market with minimal competition.
|
|
For Passepartout: a [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]] provider with FedRAMP Moderate or High
|
|
authorization can sell to every federal agency. The gate stack's deterministic
|
|
audit trail maps directly to FedRAMP's continuous monitoring requirement —
|
|
producing verifiable evidence of control effectiveness on every access, not
|
|
just during the annual assessment. This is what justifies the
|
|
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
|
|
package, it is the evidence pipeline for a certification that costs $1M-$5M
|
|
and 12-36 months to obtain independently. The [[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] argument
|
|
applies hardest here: an agency that has relied on a FedRAMP-authorized compute
|
|
provider for five years cannot switch without re-running the entire authorization
|
|
process with a new provider.
|
|
|