FedRAMP authorizes three CSPs for high impact systems
- By Amanda Ziadeh
- Jun 24, 2016
Federal agencies can now store high impact data in the cloud, thanks to the Federal Risk and Authorization Management Program’s release of “high” baseline requirements and an initial trio of vendor authorizations.
The security requirements will protect high impact data -- the government’s most sensitive unclassified data -- in the cloud, according to FedRAMP.
Provisional Authority to Operate at the high baseline has been issued to Microsoft’s Azure GovCloud, Amazon Web Services GovCloud and CSRA’s Autonomic Resources Cloud Platform. The "FedRAMP High" requirements were being piloted with these vendors by the Joint Authorization Board before the release.
Previously, FedRAMP’s authorization process only covered low- and moderate-impact systems and data. With the high baseline requirements, more federal agencies can move to the cloud and leverage the authorized vendors’ security packages, according to GSA.
The National Institute of Standards and Technology classifies data as high impact if a breach would severely impact an organization’s operations, assets or individuals. This includes personally identifiable information, sensitive patient records, financial data, law enforcement data and controlled unclassified information (CUI).
Launched in 2011, the AWS GovCloud is an isolated region designed to host sensitive workloads in the cloud. In addition to FedRAMP compliance, AWS GovCloud adheres to U.S. International Traffic in Arms Regulations and Criminal Justice Information Services requirements, as well as Levels 2 and 4 for Defense Department systems, the company said.
Microsoft’s Azure GovCloud authorization covers 13 services, including Azure Key Vault, ExpressRoute and additional customer-facing and internal web applications. Microsoft also announced reaching Information Impact Level 4 DOD Provisional Authorization by the Defense Information Systems Agency and ITAR readiness, which will allow the DOD and its mission partners to use Azure for CUI. In 2014, Microsoft announced Azure Government’s ability to meet CJIS requirements for federal, state and local governments.
Agencies are already using the high baseline service and are migrating high-impact data to the cloud with authorized vendors, FedRAMP Director Matt Goodrich told FCW, a sister site to GCN. The high baseline could also pave the way for more cloud procurement for federal agencies because low and moderate security systems were only addressing about half of the $80 billion federal IT spend, Goodrich said. Now, all security baseline needs short of classified can be met with cloud services.
Amanda Ziadeh is a former reporter/producer for GCN.