FedRAMP compliance means federal agencies can now access Amazon Web Services almost immediately, without spending months on their own cloud-security assessments.
Amazon Web Services has passed the federal government's FedRAMP cloud security assessment, making it one of the first commercial cloud providers to be certified for no-fuss adoption across government.
Amazon announced Tuesday that it has received "authority to operate," essentially a green light to offer its services, under the Federal Risk and Authorization Management Program, or FedRAMP. Uncle Sam launched FedRAMP in 2010 to streamline the process of determining whether cloud services meet federal security requirements. In December 2012, Autonomic Resources LLC became the first cloud vendor to be approved under the program.
FedRAMP was created through a joint effort by the General Services Administration, National Institute of Standards and Technology, Department of Homeland Security, Department of Defense, National Security Agency, Office of Management and Budget and the federal CIO Council. Cloud service providers must be sponsored by a federal agency to be considered for FedRAMP.
The U.S. Department of Health and Human Services served as the sponsoring agency for AWS. Kevin Charest, HHS's chief information security officer, said in a statement that all HHS operating divisions can now use AWS with minimal duplication in vetting Amazon's cloud security.
Amazon VP Teresa Carlson said in an interview that cloud security authorization for federal agencies, which had been a months-long process, is now a check-box exercise for them. "Now they don't have to go through all of those evaluations on their own," she said.
Amazon launched a version of its cloud services for government agencies, called GovCloud, in 2011. It's one of nine AWS regions, or "availability zones." GovCloud meets the requirements of the International Traffic in Arms Regulations (ITAR), which govern the export and import of defense-related information and services. In keeping with those rules, GovCloud servers are housed in the U.S. and can only be accessed by U.S. citizens or permanent residents.
Cloud service adoption is growing rapidly in government, fueled by a policy from the White House's Office of Management and Budget that encourages agencies to steer toward IT services in lieu of on-premises hardware and software where possible. More than 500 government agencies around the world, including about 300 in the U.S., now use AWS. They include NASA's Jet Propulsion Laboratory and the departments of Agriculture, State and Treasury.
Carlson said that U.S. intelligence agencies are among Amazon's federal customers, but she declined to confirm reports earlier this year that Amazon had reached a deal to provide a private cloud to the CIA.
Amazon's FedRAMP approval applies to "moderate impact" data, as defined by the Federal Information Security Management Act (FISMA). Carlson said about 80% of government workloads fall into the low or moderate FISMA categories.
Federal, state and local government agencies can access most of the same cloud services on GovCloud -- Elastic Compute Cloud, Simple Storage Service, Virtual Private Cloud and others -- as businesses do in Amazon's other cloud zones. That includes using Amazon's spot instances capability, which lets agencies bid on unused virtual resources that are put up for auction by other customers.
Mark Ryland, chief solutions architect for Amazon's public sector team, said that agencies save, on average, 86% using spot instances, compared to Amazon's standard pricing. A typical usage scenario for spot instances is large-scale parallel processing.