How a Compliant PaaS Launches and Propels SaaS Providers through their FedRAMP Journey

October 4th, 2023 | by Sarah Hensley, VP of Product

While it has been the de facto standard since its inception in 2012, the signing of H.R. 7776 codified FedRAMP compliance into the official government cloud-security law of the land. The fact is, software vendors have been migrating to cloud solution offerings and facing the unique challenges of securing those cloud solutions for years. Regardless of any risks, cloud solutions are the future of enterprise software. This is great news for federal agencies seeking to retire legacy, on-prem applications in favor of cloud services to modernize IT, reduce security risk, and increase operational efficiencies. Yet even as federal agencies face increased pressure from the new FedRAMP law (as well as the Executive Order on Cybersecurity) to accelerate cloud adoption, some of the most beneficial cloud services remain out of reach as they lack FedRAMP Authorization to Operate (ATO).

The federal government is one of the largest buyers of cloud technology. In recent years, however, we have seen cloud service providers (CSPs) shy away from approaching the federal market. With the ability to pursue a $200 billion public-sector IT market, it begs the question, “Why?”

The FedRAMP Conundrum: A Necessary Burden

The short answer is that while FedRAMP compliance is necessary to secure government data in the cloud, obtaining FedRAMP authorization required to sell to and serve government consumers is another matter entirely. It brings with it a large learning curve and a significant impact on operations that CSPs need to consider before embarking on the journey to FedRAMP authorization. For example, CSPs may:

  • Be willing to obtain FedRAMP authorization but lack the know-how to navigate the compliance requirements. For most SaaS companies, navigating the complexities of the FedRAMP authorization process and addressing all of the newly adopted 323 Rev. 5 moderate baseline controls can be complex, time-consuming, and expensive.
  • Need to focus on building out their SaaS solution. Achieving FedRAMP ATO is a multifaceted undertaking that can distract from product development efforts.
  • Want to minimize disruption to the existing commercial offering. There are unique rules governing FedRAMP-compliant software that don’t necessarily apply to commercial offerings.
  • Be inexperienced in, and lack the staff to support, the management of ongoing compliance activities. Once ATO is granted, continuous monitoring is required. Demonstrating compliance is a rigorous process requiring significant time, personnel, and financial resources.


Enter Constellation GovCloud, a PaaS + Managed Services Solution

Constellation GovCloud (CGC) is a Platform-as-a-Service (PaaS) built on AWS GovCloud, combined with managed services to handle the compliance burden of Cloud Service Providers (CSPs) wishing to achieve a FedRAMP ATO. Constellation is designed to be a foundation onto which CSPs can operate, accelerating and greatly simplifying their path to FedRAMP compliance. By reducing the technical, operational and management resources required of CSPs to meet FedRAMP baselines as well as helping CSPs navigate the government’s complex compliance and software procurement processes, CGC is positioned to increase the breadth and depth of SaaS solutions available to federal agencies. This makes it a force multiplier in the government’s adoption of cloud solutions – and a business enabler for CSPs.

2 Ways to Leverage CGC

CGC can be consumed and leveraged in two ways by our partner and customer SaaS providers. In the first approach, what we refer to as our CSP partners function as members of the broader CGC team – deploying and operating their SaaS solutions within CGC’s existing authorization boundary and functioning as a part of CGC’s broader offering.  Partners will follow all existing CGC policies and procedures and their SaaS-specific implementation statements will be included in the CGC System Security Plan. Once deployed and hardened, partners will only be fully authorized once their SaaS solution completes a significant change assessment by a 3PAO and is approved by the Joint Authorization Board for government consumption. In this scenario, partner SaaS offerings become consumable services for government agencies without needing their own unique government sponsor.

In the second approach, those we refer to as CSP customers are able to leverage the CGC PaaS as well as the managed services as a reach-back general support system to their SaaS solution – offloading responsibility for a significant portion of PaaS-level cybersecurity controls to the CGC team just as in the first model. The biggest difference between CSP customer  model and the previously mentioned CGC partner model is that CSP customers have their own government sponsor, their own policies, procedures, and system security plan, and must go through a full 3PAO assessment in the pursuit of their own ATO. While the CGC team will likely generate these documents as part of the services offering (assuming they are following CGC’s standard contract), the SaaS-specific documents will be fully vetted and assessed. In this case, the CGC PaaS is considered a dependent system for the SaaS – meaning the SaaS depends on the CGC PaaS to satisfy a large subset of controls.

CGC was Built to Meet the Needs of our CSP Partners and Customers

CGC was created to meet the clear needs of CSPs whose offerings address core missions and objectives of federal agencies – but are unable to serve those federal agencies due to the lack of FedRAMP authorized versions of their solutions. As noted in the previous section, the solution supports SaaS offerings across a couple different models. Regardless of the model, CGC builds a bridge into the federal software acquisition space. As a go-to-market partner to software providers for 25 years, Merlin excels at identifying best-of-breed software solutions and helping them enter and succeed in the federal market. The CGC PaaS contains the core software components needed for FedRAMP ConMon and reporting, including Identity and Access Management (IAM), vulnerability scanners, ticketing systems, log aggregation, POA&M management and report generation, and OSCAL-enabled report outputs. A compliant landing zone is then leveraged to quickly onboard CSPs and help them achieve FedRAMP compliance. While authorized CGC-supported solutions are available to be consumed by government customers, Constellation takes on a lion’s share of the responsibly for ensuring compliance and reporting to the government. As a result, government sponsors can expect consistent reporting across all CGC tenants and will have a single interface to work with for questions on any CGC-operated CSP environments. CGC might be compared to a brick and mortar shopping mall, where a retail mall (CGC) is built in a gated community (AWS GovCloud) and houses tenants (SaaS CSPs) who benefit from the mall’s common services.

Figure 1 – CGC Service-Equipped PaaS Bridges the Gap for CSPs Serving Government Agencies

The “CGC mall” model provides a certain amount of security, operational guidelines, shared services and resources, and shared policies and procedures, which benefit all tenants while also reducing the burden on each.

CGC Covers 80% of FedRAMP Moderate Controls, and is IL 4/5 Ready

CGC allows CSPs to offload a bulk of their compliance burden to the CGC team and instead focus on developing and running their SaaS application. While there remains a subset of application-specific controls that CGC must ensure tenants (partners and customers) comply with (for instance, scanning of SaaS source code and encrypting traffic within and across application containers), this approach reduces the number of controls that CGC-supported CSPs must account for, with CGC having responsibility for the majority.

Figure 2 – CGC’s Coverage of FedRAMP Moderate Controls Reduces the Burden on the CSP

CGC PaaS + Managed Services is Good for CSPs, and Good for the Government

CGC was architected specifically to bring best-of-breed CSOs to the government on a reusable, compliant PaaS run as a managed service – reducing the burden on the CSP, government sponsor and Authorizing Officials (AOs), and the government consumers. The approach also increases the speed and efficiency with which the federal government can acquire commercial cloud software while limiting risk associated with that software. In short, CGC offers the following benefits to our CSP partners and customers:

  1. Simplifies and Standardizes – For both customers and partners, the platform/managed services approach can be used across both federal civilian and DoD agencies as it can be configured to meet the requirements of FedRAMP moderate and up to the additional requirements associated with DoD ILs 4/5.
  2. Increased Speed to Compliance – For both customers and partners, CGC satisfies, out of the box, nearly 80% of all FedRAMP Moderate Rev. 5 baseline controls. By leveraging the FedRAMP-compliant IaaS and PaaS capabilities, months if not years of time is saved. It also means CSPs won’t need to research, acquire, configure, harden, and operate a fully-equipped cybersecurity SOC just to meet the baseline requirements for compliance.
  3. Increases Speed to Federal Customers – The software industry has been built, much like other industries, to solve problems and serve customers. Using a solution like Constellation GovCloud means a shorter wait time to get those solutions into the hands of those federal agencies who need them.
  4. CGC helps reduce government dependence on legacy, on-prem solutions which saddle them with aging technologies that are less likely to be supported or feature-expanded moving into the future.
  5. CGC for CSP partners solves the issue of sponsorship – removing the need for CSPs to find their own sponsor. In this model, CGC is the single point of contact for the government for CSP ConMon reporting and issue resolution.
  6. CSP partners are able to fully leverage CGC’s existing and compliant policies/procedures, reducing the amount of highly redundant and voluminous documentation must be created and reviewed for a novel ATO package.
  7. CGC is one of a small number of platforms that have already incorporated OSCAL capabilities into its core offering, making it ready for future government applications that will be capable of accepting OSCAL packages and leveraging the automations OSCAL will afford.
  8. CGC’s model directly supports government alignment with the Cloud Smart directive and Cybersecurity EO 14028, reducing risks by limiting the amount of controls that must be addressed anew for SaaS products.

Want to learn more about Constellation GovCloud®?