FedRAMP achieves another cloud security milestone
Wednesday - 5/22/2013, 5:15am EDT
Teresa Carlson, vice president of the worldwide public sector division, Amazon
Teresa Carlson, Amazon's vice president of the worldwide public sector division, said the company received two certifications: one authorization for its U.S. GovCloud and one for all the other U.S. regions where its cloud infrastructure resides.
"It's for all AWS commercial cloud services that we have," Carlson said in an interview with Federal News Radio at the Management of Change conference sponsored by ACT-IAC. "It includes the EC2, the compute, storage and database services. Those are the three core services."
Third CSP under FedRAMP
Amazon becomes the third vendor to meet the security requirements detailed by FedRAMP.
Autonomic Resources and CGI Federal received approval by going through the process overseen by the Joint Authorization Board, which is made up of chief information officers of the departments of Defense and Homeland Security and the General Services Administration.
Amazon becomes the first cloud service provider to receive approval from an agency and have its documents available through the FedRAMP repository for all other agencies to review for possible use.
"AWS has gone through the FedRAMP process, used the FedRAMP template going against the FedRAMP controls and used a third-party assessment organization, which is also extremely important, because if they want to get a JAB authorization that's the kind of independent assessment that's required," said Dave McClure, GSA's associate administrator in the Office of Citizen Services and Innovative Technologies, which runs the FedRAMP program management office. "This is how most products will actually go through FedRAMP, through agency certifications. Their packages are all in our repository and available to information security officers around the government. I can tell you within an hour of this being posted there were already agencies requesting the documentation."
Apps ready to go to the cloud
McClure said agencies will take up the bulk of the FedRAMP process because departments will want to get their mission-specific cloud instances approved. He said it makes sense that some cloud services, such as e-mail or infrastructure-as-a-service, have governmentwide approval.
Dave McClure, associate administrator, Office of Citizen Services and Innovative Technologies, GSA
That is exactly what HHS did.
Carlson said the agency already was using Amazon Web Services for several commodity and mission areas, and wanted to take several other applications into full production and out of test and development.
"It was a push-pull kind of thing. They said 'We really need to get going,'" she said. "They said they would be the sponsor and work with the third-party assessment organization."
Carlson said Amazon mapped every security control under FedRAMP, and those most important to HHS, against its Web services.
"Now every group within HHS can move out not just on websites or sitting there on test and development, but they can move out on large applications that they can develop without going through this certification process, which can take months and months," she said. "This is a heavy lifting kind of process. I tell everyone it's not for the faint of heart. It's days in a room. It's reviewing and diving super deep, and asking a lot of questions and answering how it's set up. We've been talking about cloud computing for a long time, but it's still fairly new in terms of how agencies are using it in their design and architecture."
Pushing toward FOC
While Amazon is just the third vendor to meet the FedRAMP requirements, McClure said the program is moving at the expected pace.
"We have to clarify, FedRAMP has been in initial operating capability, almost a pilot. We didn't open FedRAMP up for all cloud products and services," McClure said. "There is a queue of products and services that have been submitted by cloud providers. We prioritized them using criteria the JAB came up with. We always knew during the first 8-to-9-to-12 months this would be a narrow funnel because this is a brand new program, and we are doing brand new processes."
Earlier this year, more than 75 products and services were waiting to go through the FedRAMP process. That number has only increased as vendors and agencies view cloud services in a more positive way.
"I think once we get over the hump of the next few through, it will be large and small, we will begin seeing acceleration in the turnover [of companies getting approved]," McClure said. "One thing that will not change is this is a rigorous process. It does take months to go through it. We didn't claim we were designing a streamline to security. If anything, you are passing a more rigorous test than in the past."
Carlson said Amazon also is receiving interest from commercial clients who want the same security requirements as called for under FedRAMP.
McClure said the JAB will continually update the FedRAMP security requirements, including bringing the latest requirements from the National Institute of Standards and Technology's Special Publication 800-53, revision 4, and DHS' efforts around continuous monitoring.