Federal agencies will soon be able to host larger, more sensitive workloads in the cloud.
Microsoft Azure, CSRA, and Amazon Web Services were selected for a pilot program that will establish a high-impact baseline for cloud-computing services under the Federal Risk and Authorization Management Program, known as FedRAMP. This essentially allows Federal agencies to move more sensitive data onto contracted cloud-computing services, giving sensitive data access to the same technically advanced cloud capabilities that are already available for low-impact data.
“As we see Federal cloud adoption among the agencies, they started out with not-as-sensitive data, public-facing websites, public-facing data,” Susie Adams, Microsoft Federal’s chief technology officer, said in an interview with MeriTalk. Now that the more public data has been successful at driving down costs and enhancing security, agencies want to move their sensitive data into cloud services as well. But the movement of sensitive data requires a higher standard from cloud service providers.
“The creation of the FedRAMP high-security baseline is essential in allowing agencies to migrate more high-impact-level data to the cloud,” said Matt Goodrich, director for FedRAMP’s Program Management Office. “Selecting Microsoft Azure Government to participate in FedRAMP’s high-impact baseline pilot and its forthcoming Provisional Authority to Operate (P-ATO) from the FedRAMP [Joint Authorization Board] are testaments to Microsoft’s ability to meet the government’s rigorous security requirements.”
The security requirements include a comprehensive structuring of a cloud-based service around cybersecurity.
“When we think about cybersecurity in the cloud, it’s everything we do from the ground up. It’s how we look at securing that cloud infrastructure that we manage,” Adams said. “We look at it both from a code-based perspective in our security development and life cycle, where we build the code from the ground up with security in mind, all the way to how we run our operations in the data center with an assumed breach mentality.”
Microsoft is also undergoing Department of Defense certification for level 4 and 5 data, which is sensitive but not classified. This process requires Microsoft to create a physically isolated, Department of Defense-specific data center.
Beyond secure development, cloud-service providers need to give Federal agencies the ability to monitor their own data and security risks. While Microsoft provides its own monitoring, agencies will be able to gather the data and reports necessary to track potential breaches and security risks.
Azure will be among the first cloud services certified under this high-impact baseline, but many other providers are likely to follow suit soon.
“All the major cloud vendors are very interested in it,” said Adams.
Microsoft has a leg up here, as the FedRAMP process is often time-consuming and frustrating. A typical cloud security package is thousands of pages long, which takes a great deal of time to review. On top of that, the concept of having everything in the cloud is unfamiliar to systems and assessors accustomed to traditional services. All of this can add up to months in limbo.
“We’ve been working with the FedRAMP PMO office since the beginning of time. We actually came to FISMA Moderate with Azure before the FedRAMP program even launched,” Adams said, revealing how Microsoft is able to be among the first cloud providers to go through the FedRAMP high-impact certification process.
“It’s been a learning experience, I think, for both the cloud-service providers, the assessors, as well as the FedRAMP PMO,” Adams said.