AWS and FedRAMP

I have a potential project building a web app for a federal contractor with the requirement that the app run on a FedRAMP (which are the federal security requirements) certified AWS server (which AWS takes care of). I know XOJO web apps will run on AWS, but I don’t know if the FedRAMP stuff will affect it any.

Soooooo… before I read a couple billion pages of FedRAMP on AWS that I probably won’t understand anyways, I was hoping someone here knows anything about it.

I have links to the documentation and info on the likely web server config if it would help.

TIA,
Cliff

So I guess I’m going to be the first.

I have some experience setting up Xojo Web on Linux servers, but I couldn’t find a simple list of what is and isn’t available in FedRAMP.

If you ELI5 what FedRAMP consists of or can set me up with an instance to play with I could help.

Thanks for the offer, Tim. I think it will still be a week or two before my client gets their instance running, but I will probably hit you up when they do. I have never run a web app anywhere but on XOJO Cloud, so I could use the help.

Also, I have no idea what ELI5 means :frowning:

ELI5: “Explain Like I’m 5” ;-).

I read your question, but as a European I know too little about FedRAMP; I do have experience with similar governmental programs in Europe, though. The challenge is probably two-fold. A Xojo web app can run on AWS, and AWS as an IaaS and PaaS service provider is certified and approved for FedRAMP. So you probably “only” need to use a special AWS instance, in case Amazon only has some special AWS tenants which are certified. So I am very positive that this won’t be a big issue, especially with Tim’s helping hand.

But if this initiative runs like those over here, your customer will need to get your solution certified as well, as it will be considered its own SaaS solution, which of course needs to run on a certified IaaS/PaaS platform and not your own server. In this list you can see which services have already got a certification for their SaaS solutions, and you can see that some are only offering IaaS/PaaS but some have their whole SaaS offering certified:

The reasoning for certifying your solution is usually that IaaS and PaaS alone are not enough; they are one prerequisite of many. Otherwise you could use FedRAMP approved infrastructure solutions but still do things the government doesn’t want you to do via Xojo and your code: sending copies of data to a database in Iran, for instance …

This is good news for you, I think. Such programs usually imply regular reviews and reviews for every change you make, so it can be a guaranteed regular income stream. However, I have seen clients in Europe who themselves stopped “their” idea of continuing with their plan, once they realised how much work and cost it would imply.
My advice would be to clarify this with the federal contractor first. Last but not least, in Europe you can run into the trap that the solution you are using for development needs a certification itself, as a government might not trust closed and compiled code per se, etc.

1 Like

Thanks for the ELI5 decoder :slight_smile: - I have never run across that one before.

1 Like

I think that started on reddit. All those acronyms are a nightmare for non-native speakers ;-).

Sorry :grimacing:

As long as you’re able to install all the required components it should work. The question is if the security will be in the way of installing them.

1 Like

My gut says the FedRAMP stuff won’t get in the way. All the web app will be doing is pulling data from CISCO and SalesForce APIs, transforming the data, and then pushing the transformed data back up to Salesforce.

1 Like

Yes, sounds like that. Don’t forget that Germany (and Europe) is paranoid about security stuff ;-). This article seems to support your gut feeling, and you seem to need even less “functionality” via APIs.

The approach you can take to authorize the use of Native Apps is to assess a subset of controls associated with the required framework (see example section below) which mostly focus on the operations of the ISV (e.g., SDLC, personnel hiring, training, documentation, etc.), along with custom code and bug remediation. These controls may be assessed by individual customers themselves on a case-by-case basis, or the ISV may engage a Third-Party Assessment Organization (3PAO) to perform this “mini” assessment. A subset of ISVs are familiar with this process and are prepared to share relevant documentation with U.S. Government organizations.

Unfortunately something like a mini assessment doesn’t exist in Europe. If you are dealing for instance with certifications in the health care sector you are either on the bus or off the bus. You either go through the complex processes or you just skip the idea. I love the reasonable approach in the US.

1 Like