4 Things Every ISV Partner Should Know About the Salesforce Government Cloud & FedRAMP

Updated May 19, 2022

If you’re thinking, “We don’t sell to federal government customers, so this post isn’t for me,” hold on: you might be missing out on public sector deals without even realizing it. I’ll show you how to remedy that without any extra sales or marketing investment.

And if you are selling to federal or state agencies, or want to win more public sector customers, then this post is definitely for you. The market is huge: the federal government alone spent $83 billion on information technology in FY2016, not even including classified projects. That’s more than the entire GDP of most countries!

A Little Background

The Government Cloud is a special Salesforce instance reserved for federal, state and local government agencies, and those who work with them, like defense contractors and federally funded research and development centers (FFRDCs). The Government Cloud is designed to meet their strict security and regulatory requirements, with infrastructure that is physically isolated from other instances and managed by US citizens.

If you’re familiar with the acronyms for the major compliance certifications and authorizations, then you’ll appreciate that the Salesforce Government Cloud has earned a DoD IL4 provisional authorization, PCI DSS Level 1, ISO 27001/27018, SOC 1/SSAE 16/ISAE 3402, SOC 2 and SOC 3 reports, and a FedRAMP Moderate Agency ATO.

Summer 2020 update: Salesforce Announces Government Cloud Plus

Government Cloud Plus is authorized at the FedRAMP High impact level, the highest FedRAMP baseline. It’s built on AWS GovCloud (US) and is designed to address the stringent security and compliance requirements for unclassified U.S. government data. Government Cloud Plus combines the power of Salesforce’s offerings in a single solution, curated for government customers that need to comply with the FedRAMP High baseline or DoD Information Impact Level 2 (IL2).

For more about the differences between Government Cloud and Government Cloud Plus see: https://sfdc.co/GovVsGovPlus

FedRAMP is an acronym for the Federal Risk and Authorization Management Program, a government-wide, repeatable process for evaluating, authorizing and monitoring the cloud services and apps that federal agencies use. In 2014, Salesforce became the first cloud service provider to attain a FedRAMP Authorization to Operate (ATO) for both software-as-a-service (SaaS) and platform-as-a-service (PaaS) running on the Government Cloud.

With that in mind, let’s look at the four things every partner should know about the Government Cloud and FedRAMP — and then I’ll tell you how to get your app ready for your many new public sector customers.

1. You might be losing public sector deals, and not even know it.

If you haven’t tested your app on the Government Cloud and verified that it works with the Government Cloud’s extra security controls, Salesforce account executives will skip right over it when setting up a deal for their public sector customers. Boom! You just lost a deal, a new customer, maybe even a foothold in an entirely new market, and you never even knew it.

2. Federal government customers will buy only FedRAMP-authorized apps.

Aside from very few exceptions, you can safely assume that every US federal government customer will require that your app have FedRAMP authorization. And increasingly state governments also require FedRAMP, as do federal contractors and suppliers. If the public sector is an important market for you, then it’s clear that FedRAMP authorization will be a key milestone in your product roadmap.

3. Salesforce’s FedRAMP authorization does not cover your app.

The Government Cloud’s FedRAMP authorization does not cover any ISV app, even one that runs entirely on the Salesforce Platform. Salesforce doesn’t require your app to have FedRAMP authorization in order to be installed in a Government Cloud org, but your customer might, and you’d have to pursue your own FedRAMP authorization to meet that requirement.

May 19, 2022 update re. apps that run entirely on the Salesforce platform (“native” apps):

“Native apps are built on the Salesforce platform and inherit Salesforce Government Cloud and Government Cloud Plus controls (we encourage you to review the Control Implementation Summary for each environment to understand the controls implemented), but Native Apps themselves are not included within the Salesforce Government Cloud and Government Cloud Plus authorization boundaries.”

Source: “AppExchange Apps: Government Cloud / Government Cloud Plus and Compliance”

4. FedRAMP authorization could be easier than you think — and more valuable.

FedRAMP authorization could be a long, complicated and expensive process for your company, or maybe not. There’s a newer, streamlined program, FedRAMP Tailored, for “low impact software-as-a-service (LI-SaaS)” offerings that may be right for you.

And when you’re evaluating the return on investment of going through FedRAMP, keep in mind that there’s a significant “halo” effect beyond the public sector. FedRAMP authorization can give you a major competitive advantage in industries where trust, security and regulatory compliance are important, such as financial services, healthcare and non-profits.

You may find unexpected organizational benefits, too, as you adapt your internal processes to comply with FedRAMP requirements. In summing up SpringCM’s experience with FedRAMP, CEO Greg Buchholz said, “It made us an even better company.” (You can hear more from Greg and fellow Dreamforce panelists USDA CIO Gary Washington and Gary Guercio of Coalfire in the recording of Government Cloud & FedRAMP for Salesforce ISVs.)

Do this next…

Now that you’re armed with the four things every ISV partner needs to know about the Government Cloud and FedRAMP, how can you make sure your app stands out in the market and is ready for your new public sector customers?

Test your app on the Government Cloud

  1. Read “Is Your App Ready for the Government Cloud?”
    This one-page document highlights the extra security controls in the Government Cloud and how they may affect the functionality of your ISV app and your sales and service processes.
  2. Get a trial Government Cloud org, install and test your app.
    Open a case in the Partner Community to get a Government Cloud trial org. Install your app, and test its features in light of the Government Cloud’s extra security controls. Fix any issues that you discover, and publish a new version of your managed package, if necessary. You should also plan on re-testing your app on the Government Cloud with each Salesforce seasonal release, and with each new version of your app.
  3. Tell us your app is ready for the Government Cloud.
    When you’ve finished testing your app on the Government Cloud — and corrected any issues that came to light during testing — fill out this short form: https://sfdc.co/WeAreGovCloudReady. We’ll add you to the list of ISV apps that have been successfully tested on the Government Cloud, and which Salesforce account executives reference when they’re putting together deals for public sector customers. Soon the AppExchange will gain a new listing filter which will highlight apps that have been tested on the Government Cloud, and everyone will see that your app is Government Cloud ready.

Find out if FedRAMP is right for you

We’ve arranged free FedRAMP consultations for our ISV partners with Coalfire, a leading FedRAMP assessment and advisory firm with lots of experience helping Salesforce partners navigate the FedRAMP process. You can sign up here. (If you prefer, you can also consult with another advisory firm listed on the FedRAMP website.)

Coalfire can help you answer questions like: How long will FedRAMP authorization take? How much would it cost? How much can we leverage or “inherit” from the Salesforce Government Cloud’s FedRAMP authorization? Is the streamlined FedRAMP Tailored program right for us?

Resources