FedRAMP compliance means federal agencies can now access Amazon Web Services almost immediately, without spending months on their own cloud-security assessments.

John Foley, Editor, InformationWeek

May 21, 2013

3 Min Read

Amazon Web Services has passed the federal government's FedRAMP cloud security assessment, making it one of the first commercial cloud providers to be certified for no-fuss adoption across government.

Amazon announced Tuesday that it has received "authority to operate," essentially a green light to offer its services, under the Federal Risk and Authorization Management Program, or FedRAMP. Uncle Sam launched FedRAMP in 2010 to streamline the process of determining whether cloud services meet federal security requirements. In December 2012, Autonomic Resources LLC became the first cloud vendor to be approved under the program.

FedRAMP was created through a joint effort by the General Services Administration, National Institute of Standards and Technology, Department of Homeland Security, Department of Defense, National Security Agency, Office of Management and Budget and the federal CIO Council. Cloud service providers must be sponsored by a federal agency to considered for FedRAMP.

The U.S. Department of Health and Human Services served as the sponsoring agency for AWS. Kevin Charest, HHS's chief information security officer, said in a statement that that all HHS operating divisions can now use AWS with minimal duplication in vetting Amazon's cloud security.

[ Here's what you can learn from the feds about cloud security. Read Follow Feds To The Cloud. ]

Amazon VP Teresa Carlson said in an interview that cloud security authorization for federal agencies, which had been a months-long process, is now a check-box exercise for them. "Now they don't have to go through all of those evaluations on their own," she said.

Amazon launched a version of its cloud services for government agencies, called GovCloud, in 2011. It's one of nine AWS regions, or "availability zones." GovCloud meets the requirements of the International Traffic in Arms Regulations (ITAR), which govern the export and import of defense-related information and services. In keeping with those rules, GovCloud servers are housed in the U.S. and can only be accessed by U.S. citizens or permanent residents.

Cloud service adoption is growing rapidly in government, fueled by a policy from the White House's Office of Management and Budget that encourages agencies to steer toward IT services in lieu of on-premises hardware and software where possible. More than 500 government agencies around the world, including about 300 in the U.S., now use AWS. They include NASA's Jet Propulsion Laboratory and the departments of Agriculture, State and Treasury.

Carlson said that U.S. intelligence agencies are among Amazon's federal customers, but she declined to confirm reports earlier this year that Amazon had reached a deal to provide a private cloud to the CIA.

Amazon's FedRAMP approval applies to "moderate impact" data, as defined by the Federal Information Security Management Act (FISMA). Carlson said about 80% of government workloads fall into the low or moderate FISMA categories.

Federal, state and local government agencies can access most of the same cloud services on GovCloud -- Elastic Compute Cloud, Simple Storage Service, Virtual Private Cloud and others -- as businesses do in Amazon's other cloud zones. That includes using Amazon's spot instances capability, which lets agencies bid on unused virtual resources that are put up for auction by other customers.

Mark Ryland, chief solutions architect for Amazon's public sector team, said that agencies save, on average, 86% using spot instances, compared to Amazon's standard pricing. A typical usage scenario for spot instances is large-scale parallel processing.

Uncle Sam's taken the lead on secure use of cloud services. Here's how FedRAMP can change your experience, too. Also in the new, all-digital Follow The Feds issue of InformationWeek: Candid career advice for women in IT includes calling work-life balance a myth. (Free registration required.)

About the Author(s)

John Foley

Editor, InformationWeek

John Foley is director, strategic communications, for Oracle Corp. and a former editor of InformationWeek Government.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights