FedRAMP Picks Three for High-Impact Pilot Program


Federal agencies will soon be able to host larger, more sensitive workloads in the cloud.

Microsoft Azure, CSRA, and Amazon Web Services were selected for a pilot program that will establish a high-impact baseline for cloud-computing services under the Federal Risk and Authorization Management Program, known as FedRAMP. This essentially allows Federal agencies to move more sensitive data onto contracted cloud-computing services, giving that data access to the more technically advanced services already available for low-impact data.

“As we see Federal cloud adoption among the agencies, they started out with not-as-sensitive data, public-facing websites, public-facing data,” Susie Adams, Microsoft Federal’s chief technology officer, said in an interview with MeriTalk. Now that moving the more public data has been successful at driving down costs and enhancing security, agencies want to move their sensitive data into cloud services as well. But the movement of sensitive data requires a higher standard from cloud service providers.

“The creation of the FedRAMP high-security baseline is essential in allowing agencies to migrate more high-impact-level data to the cloud,” said Matt Goodrich, director for FedRAMP’s Program Management Office. “Selecting Microsoft Azure Government to participate in FedRAMP’s high-impact baseline pilot and its forthcoming Provisional Authority to Operate (P-ATO) from the FedRAMP [Joint Authorization Board] are testaments to Microsoft’s ability to meet the government’s rigorous security requirements.”

The security requirements call for a cloud-based service to be structured comprehensively around cybersecurity.

“When we think about cybersecurity in the cloud, it’s everything we do from the ground up. It’s how we look at securing that cloud infrastructure that we manage,” Adams said. “We look at it both from a code-based perspective in our security development and life cycle, where we build the code from the ground up with security in mind, all the way to how we run our operations in the data center with an assumed breach mentality.”

Microsoft is also undergoing Department of Defense certification for level 4 and 5 data, which is sensitive but not classified. This process requires the company to create a physically isolated, Department of Defense-specific data center.

Beyond secure development, cloud-service providers need to provide Federal agencies with the ability to monitor their own data and security risks. While Microsoft provides its own monitoring, agencies will be able to gather the data and reports necessary to track potential breaches and security risks.

Azure will be among the first cloud services certified under this high-impact baseline, but many other providers are likely to follow suit soon.

“All the major cloud vendors are very interested in it,” said Adams.

Microsoft has a leg up in this, as the FedRAMP process is often time-consuming and frustrating. Average cloud security packages are thousands of pages long, which can take a lot of time to review. On top of that, the concept of having everything on the cloud is unusual for systems and assessors who are used to traditional services. All of this can add up to months in limbo.

“We’ve been working with the FedRAMP PMO office since the beginning of time. We actually came to FISMA Moderate with Azure before the FedRAMP program even launched,” Adams said, revealing how Microsoft is able to be among the first cloud providers to go through the FedRAMP high-impact certification process.

“It’s been a learning experience, I think, for both the cloud-service providers, the assessors, as well as the FedRAMP PMO,” Adams said.

Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.
6 Comments
  1. Anonymous
    Susie? Are you not aware that both AWS and ARC-P have been in the pilot since the start with Microsoft? Has Goodrich said your ATO will be first as opposed to the plan that he will release ATOs for the 3 at the same time? Seems either you are misinformed and/or disingenuous. You pick
  2. Anonymous
    Don't let facts get in the way of marketing. With all this talk, you would think Azure already has Level 4 provisional authorization, NOT yet. Lean back on those skis a bit.
  3. Anonymous
    Is Azure working towards authorization or some forked off version(s) that is out of alignment with their commercial cloud? Does a cage of gear equal "cloud"?
  4. Anonymous
    Level 4/5 does not require a physically separated data center for DoD. You are allowed to share with other federal government data stores, and even then, the data center itself does not need to be separated. You are allowed to have a separate physical segment within an existing commercial data center, as long as you meet the connectivity, CND, and DR/COOP requirements.
  5. Anonymous
    To the Azure question ... yes, that is how all of these product offerings work in DoD. The big challenges are the BCAP connectivity requirements, which simply can't realistically be extended to multiple facilities, and the fact that you're not allowed to share facilities with commercial service offerings at these impact levels.
  6. Anonymous
    TO ANONYMOUS 3/22 8:32AM: don't get off the elevator on the wrong floor at certain DCs, you may unfortunately find out how correct that statement is in reality.
