The AWS GovCloud framework and all U.S. AWS regions have received FedRAMP certification, according to Seattle-based Amazon.com.
The Authority to Operate (ATO) under the Federal Risk and Authorization Management Program (FedRAMP) was requested by the U.S. Department of Health and Human Services (HHS), which already uses cloud services from Amazon Web Services (AWS) through the U.S. Centers for Disease Control and Prevention (CDC).
Though HHS initiated the AWS FedRAMP certification process, Teresa Carlson, AWS vice president of worldwide public sector, said in a press release that other federal government agencies can "utilize a streamlined process" when seeking approval to move applications to Amazon's cloud offering. By submitting what's called a FedRAMP Package Access Request Form to the General Services Administration, other agencies can more easily request authorization to use AWS.
FedRAMP is intended to standardize the security requirements that cloud providers must meet to be eligible for contracts issued by the U.S. government. The program cuts down on redundant cloud authorization requests across agencies, with the goal being significant time and cost savings for government agencies. However, the certification process is initiated by the agencies themselves, not providers.
To become compliant, a cloud provider must implement FedRAMP's security requirements -- based on NIST 800-53 -- and hire an approved third-party assessment organization to perform an independent audit of the cloud provider.
Prior to AWS, only two other cloud providers had received FedRAMP certification: North Carolina-based Autonomic Resources and Virginia-based CGI Federal. AWS is the largest cloud provider so far to receive the FedRAMP seal of approval, though more providers are expected to join the ranks of the certified before FedRAMP requirements become mandatory in 2014.
Even though the FedRAMP approval signals a base level of security in the AWS environment, Ken Ammon, chief strategy officer for Herndon, Va.-based network security vendor Xceedium, was quick to remind government agencies they still have security obligations that must be met before they can offload applications to Amazon's cloud, including putting sufficient identity and access management controls in place for sensitive accounts and privileged users.
"The shared security glass is now half full," Ammon said in a press release. "AWS took care of its half of the 'shared responsibility' security model, proving that their data centers are secure and that they can control and audit privileged access to their own infrastructure. But, in order for federal customers to receive security approval to launch their cloud-based applications, they must address their half of the shared security model."