Hi all, hopefully someone can help me learn a little bit more about some of these compliance standards and what we might actually need.
For some background: my company sells a cloud hosted software solution that we host in Azure. We have a commercial Azure tenant where the majority of our customers' applications are hosted. The commercial cloud platform is SOC 2 certified.
We were able to get access to a GCC High Azure Gov Cloud tenant since we had several customers refusing to go hosted unless we were in Gov Cloud. We have met that requirement but are now continually being asked about FedRAMP compliance and/or CMMC.
Truthfully I am not sure which one we would need, if we can even afford the compliance certification process, or if I could feasibly even get this set up. We are a small company, and I am basically it when it comes to IT. I have all of my normal duties on top of getting controls put in place for one of these compliance standards.
We are not a gov entity. We just sell an application that is appealing for several of our customers who do contract out w/ the gov or have a product that ends up in the defense pipeline.