FedRAMP and Its Applicability to ISVs Hosted on FedRAMP-Authorized IaaS

Karen laughton

Karen Laughton

EVP, Advisory Services, Coalfire

September 27, 2019

Independent Software Vendors (ISVs) often ask Coalfire about the FedRAMP compliance framework and how it applies to them. They hear that all software procured by the U.S. federal government must be FedRAMP authorized, and they come to the experts to help them navigate the process. The good news is that the FedRAMP program is not directly applicable to most ISVs. An ISV cannot get their native product listed in the FedRAMP marketplace because it is a “software,” not a “service,” and the FedRAMP program was designed for Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) providers that provide multi-tenant cloud solutions to the U.S. federal government. 

An ISV is defined as individuals and organizations that develop, market, and sell software that runs on third-party software and hardware platforms such as Microsoft Azure, Salesforce Government Cloud, Google Cloud Platform, IBM Cloud for Government, and Amazon Web Services (AWS). Essentially, an ISV is a software developer. An agency interested in using the software would buy and deploy it within their FedRAMP-authorized IaaS environment, much like you would buy a laptop and install Microsoft Office. 

While an ISV product does not meet the requirements to be listed in the FedRAMP marketplace, agencies can still ask that the product meet FedRAMP requirements. Most of these requirements are inherited from the FedRAMP-authorized PaaS/IaaS provider or are the responsibility of the agency that procured the software product from the ISV; but the ISV is not completely off the hook. There are still around 40 FedRAMP controls that Coalfire has determined apply to ISVs to some degree.   

ISVs do not process, store, or transmit federal or system data. They have no access to their agency customers’ production environments unless explicitly granted it by the agency for troubleshooting purposes, where they would be treated by the agency as third-party personnel. The roles/permissions provided to the ISV would be assigned by the agency and removed when no longer necessary. The ISV would be responsible for continuing application development (the software development lifecycle), updates to the application/flaw remediation, and supporting agency customers with troubleshooting the software if their contract requires them to provide that level of support. In addition, the ISV would need to ensure that any personnel in a customer support role meet the personnel security requirements of the agency they are supporting.

The underlying PaaS/IaaS provider is responsible for supplying all the infrastructure and platform-layer controls to include endpoint protection, SIEM/monitoring, ticketing, file integrity monitoring, directory services, border protection, secrets management, multifactor authentication, configuration management (non-software related), vulnerability management, and host-based intrusion prevention/detection. The agency can either manage these controls themselves or outsource to a managed service provider; but ultimately, it is up to the agency, not the ISV. It is important for the ISV to partner with a FedRAMP-authorized PaaS/IaaS provider to ensure FedRAMP requirements are met at the PaaS/IaaS layers.

The agency customer leveraging the software product provided by the ISV is responsible for everything that is configurable within the PaaS/IaaS as well as the software, including access roles/permissions and updating the software as patches or new releases are made available by the ISV. 

Coalfire has worked with ISVs and the PaaS/IaaS providers that host them to develop a methodology to ensure ISVs are meeting the applicable FedRAMP requirements. This involves evaluating the ISV’s product and procedures against the applicable FedRAMP controls, assisting with remediation where the ISV is not meeting the developer-related controls, and attesting to the ISV’s compliance or non-compliance with the applicable FedRAMP requirements. This results in a deliverable that can be handed to your agency customer to ensure they understand the risk of using an ISV’s product prior to deploying it in their cloud environment. It is ultimately up to the ISV’s agency customer to accept the risk of utilizing the ISV-developed software as well as any risks associated with their PaaS/IaaS provider.

If you are an ISV partnering with a FedRAMP-authorized IaaS provider and are exploring FedRAMP compliance so you can sell your product to the U.S. federal government, please contact for more information on how we can help.