There are different types of FedRAMP solutions to be familiar with.

  1. IaaS – Infrastructure as a Service
  2. PaaS – Platform as a Service
  3. SaaS – Software as a Service

The FedRAMP solution you choose dictates both the cost and the amount of security work you must do on your side.

FedRAMP Option   Cost Among Options   Client Security Package Effort
IaaS             Lowest               Highest
PaaS             Moderate             Moderate
SaaS             Highest              Lowest

Specifically, depending on the solution you select:

  • IaaS – You accept the IaaS FedRAMP package, but you must do the security work for the ATO for the Operating System and for Maximo/WebSphere.
  • PaaS – You accept the PaaS FedRAMP package (which can and should include IaaS), but you must do the security work for the software (Maximo and WebSphere).
  • SaaS – You accept the SaaS FedRAMP package (which can and should include IaaS and PaaS). You present the complete package and letter to the DAA (Designated Approving Authority) for signature.

Note that even with SaaS, you remain responsible for the aspects of your security that lie outside the provider's scope, such as Personnel Security, Physical Security, Configuration Management and so on (see NIST SP 800-53).

Overall Cost for FedRAMP

The cost of any FedRAMP solution is going to be significantly higher than that of simple hosting or non-FedRAMP SaaS solutions. You are paying for the security and rigor of the solution, the effort the provider has taken to achieve it, and the effort it takes to maintain it.

Other Items of Note for SaaS

  • LDAP – Your LDAP directory must be in order, and its server must be reachable from the FedRAMP solution.
  • SAML – You will be required to use SAML for Single Sign-On (SSO).
  • Database Access – You will not have direct access to the database or the underlying systems, as you do with your on-premises system.
  • System Access – You will have to schedule system-level events that require rebooting with the provider.