Amazon Web Services has been granted a designation that certifies the security of its government offerings under the Federal Risk and Authorization Management Program.
FedRAMP is a U.S. government-wide program providing a standardized approach for the assessment of security, authorization and continuous monitoring of cloud products and services. Although the newly awarded AWS "Authority to Operate" comes from the Department of Health and Human Services, the designation is expected to have far-reaching effects for the company's government contracts, in general, and particularly those that involve the storage and processing of sensitive government data.
"Amazon has been working with various government agencies, including the GSA [General Services Administration], for a long time," said Max Peterson, director of partners, capture and contracts at AWS. "The Department of Health and Human Services, working with GSA and the FedRAMP program, has certified that AWS is compliant with all of FedRAMP controls, which helps HHS and other agencies move to the cloud in a fast and secure fashion."
Peterson went on to explain that the standard adds additional parameters to the NIST 800.53 standard, which is a basic foundation for most cloud security standards. Applicants need to go through extensive testing in order to ensure they meet those standards and demonstrate a plan for continuously monitoring and ongoing data security.
"This can now be leveraged by other agencies that want to do move to the cloud," he added. "All the basic security information for Amazon has now been tested, validated and filed with the government. A lot of our partners are working with federal agencies to migrate applications to the cloud, and they'll be able to leverage the same compliance and package to be able to help agencies speed up their adoption of the cloud."
AWS claims a substantial federal client list with more than 300 agencies, including the U.S. Navy, the U.S. Department of the Treasury and NASA, as well as the HHS.
"This certainly gives AWS a stronger opportunity to do managed services for the government, particularly in situations where there is sensitive data involved," said Dave Gilden senior vice president at Tampa, Fla.-based Fishnet Security. "It's a pretty intense process to get the third-party validation, so they have overcome a major hurdle to doing business with federal agencies."
PUBLISHED MAY 22, 2013