What does a compliant PaaS + managed service mean for your FedRAMP journey? Everything!

As more software vendors migrate to cloud-only solutions, there’s little doubt that cloud is the future of enterprise software. Great news for federal agencies seeking to retire legacy, on-prem applications in favor of cloud services to modernize IT, reduce security risk, and increase operational efficiencies. Yet even as federal agencies face increased pressure from the Executive Order on Cybersecurity to accelerate cloud adoption, some of the most beneficial cloud services remain out of reach as they lack FedRAMP Authorization to Operate (ATO).

The federal government is one of the largest buyers of cloud technology. In recent years, however, we have seen cloud service providers (CSPs) shy away from approaching the federal market. With the ability to pursue a $200 billion public-sector IT market, it begs the question, “Why?”

The short answer is that while FedRAMP is necessary to secure government data in the cloud, obtaining FedRAMP authorization to sell into the government is another matter entirely. It brings with it a large learning curve and a significant impact on operations that CSPs need to consider before embarking on the journey to FedRAMP authorization. For example, CSPs may:

  • Be willing to obtain FedRAMP authorization but lack the know-how to navigate the compliance requirements. For most SaaS companies, navigating the complexities of the FedRAMP authorization process and addressing all 325 moderate baseline controls can be complex, time-consuming, and expensive.
  • Need to focus on building out their SaaS solution. Achieving FedRAMP ATO is a multifaceted undertaking that can distract from product development efforts.
  • Want to minimize disruption to the existing commercial offering. There are unique rules governing FedRAMP-compliant software that don’t necessarily apply to commercial offerings.
  • Be inexperienced in, and lack the staff to support, the management of ongoing compliance activities. Once ATO is granted, continuous monitoring is required. Demonstrating compliance is a rigorous process requiring significant time, personnel, and financial resources.

Constellation GovCloudTM (CGC) was created to meet the clear need of CSPs looking to bring innovative cloud solutions to federal agencies. Just as FedRAMP serves as a bridge between the federal government and industry by providing a standardized approach to the security assessment, authorization, and continuous monitoring of cloud service offerings (CSOs), CGC serves as a bridge into the federal software acquisition space by accelerating and greatly simplifying the path to FedRAMP compliance.

CGC is a Platform-as-a-Service (PaaS) built on AWS GovCloud combined with a managed service to quickly onboard CSPs and help them achieve compliance. By absorbing the bulk of the technical, operational, and management burden and helping CSPs navigate the compliance and software procurement processes, CGC reduces barriers to entry and accelerates time to market, enabling CSPs to be included in a broadened government software catalog.

The deployment model of CGC might be compared to a brick-and-mortar shopping mall, where a mall (CGC) is built in a contained and managed mall property (AWS GovCloud) and houses tenants (SaaS CSPs) who benefit from the mall’s common services.

CGC Enables Tenant CSPs with Platform Capabilities and Managed Services


Similar to the way in which CGC covers up to 80% of FedRAMP moderate controls, the mall provides a level of security, operational guidelines, shared services and resources, and shared policies and procedures, which benefit all tenants.

Because CGC provides a compliant PaaS platform that accommodates many CSPs, CGC differs from most other managed service models, which in this scenario, would only oversee the building of a stand-alone SaaS store and potentially agree to provide some of its maintenance and upkeep. Beyond the operational burden on the CSP, this model places a burden on the government by requiring the ongoing maintenance of individual ATO sponsorships.

CGC’s key differentiator is its approach to handling boundaries. While each CSP has its own agency sponsor, CGC itself is the owner of record of each ATO and is responsible for ensuring compliance and reporting to the government. Because of the shopping mall model of the CGC managed service, CSPs can offload the bulk of the compliance burden (up to 80%) while focusing on developing and running their software. In addition to easing the burden on CSPs, CGC simplifies government management of SaaS ATO sponsorships, acting as a single point of contact for the management of CSP solutions.


Constellation GovCloud™ is backed by Merlin’s 25-plus years of experience in the public sector and serves as our commitment to powering digital transformation across government. If you have a cloud solution that would be beneficial to the federal government, you need FedRAMP authorization. Learn more about how Constellation can be your partner for the entire journey.

How PAM Can Protect Feds From Third Party/Service Account Cyber Attacks

How PAM Can Protect Feds From Third Party/Service Account Cyber Attacks

Share This