AWS, Microsoft Receive Highest-Level FedRAMP Approval
Government agencies can now run workloads with their most sensitive data on the Amazon Web Services (AWS) and Microsoft Azure public clouds.
The two companies each announced on Thursday that they have been accredited with the highest level of compliance by the Federal Risk and Authorization Management Program (FedRAMP). CSRA, a provider that offers IT services specifically to government agencies, also reached the long-awaited FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) clearance.
The approvals, which were long expected, pave the way for federal agencies to host the most sensitive, high-impact workloads on the three companies' public clouds, including personally identifiable information, financial data, law enforcement information and other forms of unclassified content. In all, the certification covers 400 different security controls.
AWS and Microsoft Azure have been FedRAMP-compliant for several years, but only for low-level or moderate workloads. The upgraded FedRAMP status certifies that the approved cloud platforms have "controls in place to securely process high-impact level data -- that is, data that, if leaked or improperly protected, could have a severe adverse effect on organizational operations, assets, or individuals," said Susie Adams, chief technology officer of Microsoft Federal, in a blog post.
Teresa Carlson, public sector vice president of AWS, noted that more than 2,300 government customers worldwide use the AWS cloud. "By demonstrating the security of the AWS Cloud with the FedRAMP High baseline, agencies can confidently use our services for an even broader set of critical mission applications and innovations," Carlson said in a statement.
That baseline, according to AWS, "is mapped to National Institute of Standards and Technology (NIST) security controls, which classify data as 'High' if a compromise would severely impact an organization's operations, assets or individuals."
For AWS, the FedRAMP High accreditation covers the "AWS GovCloud (US) region, including Amazon Elastic Cloud Compute (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), Amazon Identity and Access Management (IAM), and Amazon Elastic Block Store (EBS)," according to the company.
For Microsoft, it covers 13 customer-facing services, including Azure Key Vault, ExpressRoute and Web Apps, "representing a significantly more agile pace of accreditation to the benefit of Federal customers," Adams noted.
Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.