Understanding the differences between IaaS, PaaS and SaaS FedRAMP compliant environments is critical for U.S. Government Agencies when choosing a cloud solution and a Cloud Service Provider (CSP). IaaS and PaaS FedRAMP compliant platforms are just that: Infrastructure-as-a-Service and Platform-as-a-Service offerings. FedRAMP compliant IaaS and PaaS clouds cover about 22% and 30% (respectively) of the 325 security controls required in the FedRAMP baseline. They do not cover any of the controls at the application layer, such as access authorization, executable restrictions, intrusion detection, logging, etc.
For agencies that are considering deploying software on a FedRAMP compliant IaaS or PaaS cloud, unless the agency adds all of the application-level (SaaS-level) security controls, the deployment will not be fully FedRAMP compliant.
Project Hosts’ SharePoint, CRM, PPM, TFS and Virtual Desktop clouds are 100% SaaS-level FedRAMP compliant, thus eliminating the need for an agency to implement the SaaS-level controls on its own. Federal and state agencies can rely on Project Hosts to deploy and manage their public, private, community and hybrid clouds in a secure, reliable and cost-effective manner.
“Project Hosts is the first Cloud Service Provider to have demonstrated compliance with the rev4 FedRAMP baseline,” said Matt Goodrich, FedRAMP Director, GSA. “Through the CSP supplied path, Project Hosts’ environment was assessed by a FedRAMP-accredited 3PAO confirming the completion of the FedRAMP Security Assessment Framework, paving the way for Project Hosts’ customer to grant their Agency ATOs.”