CAMBRIDGE, Md.— The FedRAMP cloud cybersecurity process is building steam toward full operational capability later this year. The program achieved a major milestone late last week with the first agency-approved cloud service provider. The Department of Health and Human Services determined Amazon Web Services (AWS) had met the security controls under Federal Risk Authorization Management Program (FedRAMP) and granted them the authority to operate on its networks at the moderate level of the Federal Information Security Management Act (FISMA).
Teresa Carlson, Amazon’s vice president of the worldwide public sector division, said the company received two certifications: one authorization for its U.S. GovCloud and one for all the other U.S. regions where their cloud infrastructure resides.
“It’s for all AWS commercial cloud services that we have,” Carlson said in an interview with Federal News Radio at the Management of Change conference sponsored by ACT-IAC. “It includes the EC2, the compute, storage and database services. Those are the three core services.”
Third CSP under FedRAMP
Amazon becomes the third vendor to meet the security requirements detailed by FedRAMP.
Autonomic Resources and CGI Federal received approval by going through the process overseen by the Joint Authorization Board, which is made up of chief information officers of the departments of Defense and Homeland Security and the General Services Administration.
Amazon becomes the first cloud service provider to receive approval from an agency and have its documents available through the FedRAMP repository for all other agencies to review for possible use.
“AWS has gone through the FedRAMP process, used the FedRAMP template going against the FedRAMP controls and used a third-party assessment organization, which is also extremely important, because if they want to get a JAB authorization that’s the kind of independent assessment that’s requirement,” said Dave McClure, GSA’s associate administrator in the Office of Citizen Services and Innovative Technologies, which runs the FedRAMP program management office. “This is how most products will actually go through FedRAMP, through agency certifications. Their packages are all in our repository and available to information security officers around the government. I can tell you within an hour of this being posted there were already agencies requesting the documentation.”
Apps ready to go to the cloud
McClure said the reason why agencies will take up the bulk of the FedRAMP process is because departments will want to get their mission-specific cloud instances approved. He said it makes sense that some cloud services, such as e-mail or infrastructure-as-a-service, have governmentwide approval. “It’s a business decision on the part of the company which path to invest in. If they have a client who is ready to go with your service or product versus an authorization that can be leveraged governmentwide,” he said. “You really have to know what the circumstances are when a company picks one path or another. An agency also says they want to do it through us and not the JAB process.”
That is exactly what HHS did.
Carlson said the agency already was using Amazon Web Services for several commodity and mission areas, and wanted to take several other applications into full production and out of test and development.
“It was a push-pull kind of thing. They said ‘We really need to get going,'” she said. “They said they would be the sponsor and work with the third-party assessment organization.”
Carlson said Amazon mapped every security control under FedRAMP and that’s most important to HHS against its Web services.
“Now every group within HHS can move out not just on websites or sitting there on test and development, but they can move out on large applications that they can develop without going through this certification process, which can takes months and months,” she said. “This is a heavy lifting kind of process. I tell everyone it’s not for the faint of heart. It’s days in a room. It’s reviewing and diving super deep, and asking a lot of questions and answering how it’s set up. We’ve been talking about cloud computing for a long time, but it’s still fairly new in terms of how agencies are using it in their design and architecture.”
Pushing toward FOC
While Amazon is just the third vendor to meet the FedRAMP requirements, McClure said the program is moving at the expected pace.
“We have to clarify, FedRAMP has been in initial operating capability, almost a pilot. We didn’t open FedRAMP up for all cloud products and services,” McClure said. “There is a queue of products and services that have been submitted by cloud providers. We prioritized them using criteria the JAB came up with. We always knew during the first 8-to-9-to-12 months this would be a narrow funnel because this is a brand new program, and we are doing brand new processes.”
Earlier this year, more than 75 products and services were waiting to go through the FedRAMP process. That number only has increased as vendors and agencies view cloud services in a more positive way.
“I think once we get over the hump of the next few through, it will be large and small, we will begin seeing acceleration in the turnover [of companies getting approved],” McClure said. “One thing that will not change is this is a rigorous process. It does take months to go through it. We didn’t claim we were designing a streamline to security. If anything, you are passing a more rigorous test than in the past.”
Carlson said Amazon also is receiving interest from commercial clients who want the same security requirements as called for under FedRAMP.
McClure said the JAB will continually update the FedRAMP security requirements, including bringing the latest requirements from the National Institute of Standards and Technology’s Special Publication 800-53, revision 4, and DHS’ efforts around continuous monitoring.