FedRAMP (Federal Risk and Authorization Management Program)
What it is
US federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud services. OMB policy mandate — federal agencies must use FedRAMP-authorized services when available.
Three impact levels based on data sensitivity:
| Level | Data type | Examples | Cost to achieve | Timeline |
|---|---|---|---|---|
| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |
Two authorization paths:
- JAB (Joint Authorization Board): provisional authorization by DHS, GSA, DOD. Hardest path, most reusable across agencies.
- Agency: authorization by a single federal agency for its own use. Faster but less portable.
Requires continuous monitoring (monthly scans, annual assessments, POA&M for findings).
Who must comply
Any cloud service provider that sells to US federal agencies, including IaaS, PaaS, and SaaS offerings. The FedRAMP Marketplace lists authorized providers; agencies are strongly discouraged from using non-authorized services.
Penalties
No direct fines. Non-authorized providers are simply ineligible for federal contracts. FedRAMP is a procurement gate, not a regulatory one.
Why it matters for the triad
FedRAMP is the highest bar and the most expensive certification to obtain. Few cloud providers achieve it (fewer than 300 authorized products as of 2025). But those that do capture the US government market with minimal competition. For the triad: a compute marketplace provider with FedRAMP Moderate or High authorization can sell to every federal agency. The gate stack's deterministic audit trail maps directly to FedRAMP's continuous monitoring requirement — producing verifiable evidence of control effectiveness on every access, not just during the annual assessment. This is what justifies the FedRAMP gate package at $100K/yr (the highest price) — it is not a software package, it is the evidence pipeline for a certification that costs $1M-$5M and 12-36 months to obtain independently. The verification monopoly argument applies hardest here: an agency that has relied on a FedRAMP-authorized compute provider for five years cannot switch without re-running the entire authorization process with a new provider.