Amazon gets FedRAMP OK for cloud services
- By Paul McCloskey
- May 21, 2013
Editor's note: This story has been edited to clarify further that Amazon received "authority to operate" cloud services meeting FedRAMP requirements from the Health and Human Services Department, not the FedRAMP program office.
Amazon Web Services got a green light May 20 to offer cloud services meeting terms of the FedRAMP program, a milestone the company expects will speed government adoption of cloud services and make it easier for agencies to test and develop cloud applications.
The Federal Risk and Authorization Management Program sets standards agencies can use to assess the security risks of cloud services. The program uses a, "do once, use many times," system to cut down on redundant cloud security assessments.
AWS was given authority to operate (ATO) by the Department of Health and Human Services after documenting compliance with FedRAMP security controls in several HHS projects. Those included Biosense 2.0, a program to make data related to bio-terrorism accessible to law enforcement nationwide via the cloud.
Meeting FedRAMP’s "moderate impact" cloud security requirements for HHS will smooth the way for other agencies to evaluate and adopt AWS services for their projects, AWS said.
More than 300 U.S. government agencies already use AWS for some services, but the accreditation is important because FedRAMP requirements will become mandatory in 2014. Currently only two other cloud vendors have been authorized to offer cloud services under the program: CGI Federal Inc., which was granted FedRAMP approval in February, and Autonomic Resources Inc., a cloud provider focused on the federal government market. But more than a dozen other companies are in line for certification.
"All other federal agencies can come in and take advantage of our FedRAMP documentation," said Teresa Carlson, AWS vice president of worldwide public sector. "They do not have to re-do the compliance, accreditation and certification programming. That will save the government a lot of money, time and resources."
Carlson called FedRAMP a vast improvement over the previous compliance process, whereby services had to be approved independently by each agency.
"It’s a lot of heavy lifting — as it should be — and a lot of documentation. And now they don’t have to do that. This should really expedite getting going, save costs, drive scale using commercial cloud. This really streamlines the entire process."
The new regulatory scheme also makes it easier for agencies to test, develop and experiment with new cloud applications, Carlson said.
"What this means is that agencies can start moving more rapidly in developing pilots," she said. "They don’t have to waste money developing in three different environments when they can do it once, and scale it out rapidly.
"Cloud is so also scalable that once you do a test and dev, you can center your development in a particular area," she added." If they fail, with an application they can recover fast."
Paul McCloskey is senior editor of GCN. A former editor-in-chief of both GCN and FCW, McCloskey was part of Federal Computer Week's founding editorial staff.