secure cloud

FedRAMP authorizes three CSPs for high impact systems

Federal agencies can now store high impact data in the cloud, thanks to the Federal Risk and Authorization Management Program’s release of “high” baseline requirements and an initial trio of vendor authorizations.

The security requirements will protect high impact data -- the government’s most sensitive unclassified data -- in the cloud, according to FedRAMP.

Provisional Authority to Operate  at the high baseline has been issued to Microsoft’s Azure GovCloud, Amazon Web Services GovCloud and CSRA’s Autonomic Resources Cloud Platform. The "FedRAMP High" requirements were being piloted with these vendors by the Joint Authorization Board before the release.

Previously, FedRAMP’s authorization process only covered low- and moderate-impact systems and data. With the high baseline requirements, more federal agencies can move to the cloud and leverage the authorized vendors’ security packages, according to GSA.

The National Institute of Standards and Technology classifies data as high impact if a breach would severely impact an organization’s operations, assets or individuals. This includes personally identifiable information, sensitive patient records, financial data, law enforcement data and controlled unclassified information (CUI). 

Launched in 2011, the AWS GovCloud is an isolated region designed to host sensitive workloads in the cloud. In addition to FedRAMP compliance, AWS GovCloud adheres to U.S. International Traffic in Arms Regulations and Criminal Justice Information Services requirements, as well as Levels 2 and 4 for Defense Department systems, the company said.

Microsoft’s Azure GovCloud authorization covers 13 services, including Azure Key Vault, Express Route and additional customer-facing and internal web applications. Microsoft also announced reaching Information Impact Level 4 DOD Provisional Authorization by the Defense Information System Agency and ITAR readiness, which will allow the DOD and its mission partners to use Azure for CUI. In 2014 Microsoft announced Azure Government’s ability to meet CJIS requirements for federal, state and local governments.

Agencies are already using the high baseline service and are migrating high-impact data to the cloud with authorized vendors, FedRAMP Director Matt Goodrich told FCW, a sister site to GCN. The high baseline could also pave way for more cloud procurement for federal agencies because low and moderate security systems were only addressing about half of the $80 billion federal IT spend, Goodrich said.  Now, all security baseline needs short of classified can be met with cloud services.  

About the Author

Amanda Ziadeh is a former reporter/producer for GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected