News

Microsoft, Amazon Clouds Get Highest-Level Gov't Approval

• By Jeffrey Schwartz
• June 27, 2016

The Microsoft Azure and Amazon Web Services (AWS) public clouds are now certified to run highly sensitive workloads from government agencies.

The two companies each announced last week that they have been accredited with the highest level of compliance by the Federal Risk and Authorization Management Program (FedRAMP). CSRA, a provider that offers IT services specifically to government agencies, also reached the long-awaited FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) clearance.

The approvals, which were long-expected, pave the way for federal agencies to host the most sensitive, high-impact workloads on the three companies' public clouds, including personally identifiable information, financial data, law enforcement information and other forms of unclassified content. In all, the certification covers 400 different security controls.

Azure and AWS have been FedRAMP-compliant for several years, but only for low-level or moderate workloads. The upgraded FedRAMP status certifies that the approved cloud platforms have "controls in place to securely process high-impact level data -- that is, data that, if leaked or improperly protected, could have a severe adverse effect on organizational operations, assets, or individuals," said Susie Adams, chief technology officer of Microsoft Federal, in a blog post.

Teresa Carlson, public sector vice president of AWS, noted that more than 2,300 government customers worldwide use the AWS cloud. "By demonstrating the security of the AWS Cloud with the FedRAMP High baseline, agencies can confidently use our services for an even broader set of critical mission applications and innovations," Carlson said in a statement.

That baseline, according to AWS, "is mapped to National Institute of Standards and Technology (NIST) security controls, which classify data as 'High' if a compromise would severely impact an organization's operations, assets or individuals."

For Microsoft, the FedRAMP High accreditation covers 13 customer-facing services, including Azure Key Vault, Express Route and Web Apps, "representing a significantly more agile pace of accreditation to the benefit of Federal customers," Adams noted.

For AWS, it covers the "AWS GovCloud (US) region, including Amazon Elastic Cloud Compute (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), Amazon Identity and Access Management (IAM), and Amazon Elastic Block Store (EBS)," according to the company.