Three cloud service providers will be the first to achieve a high impact rating under the Federal Risk and Authorization Management Program (FedRAMP), with the final baseline set to be released in a few weeks.
The three companies — Microsoft Azure, CSRA and Amazon Web Services — participated in a pilot program to determine just how difficult it will be for CSPs to upgrade their systems to the high baseline and, in the process, attained the necessary certification.
FedRAMP Director Matt Goodrich told Federal Times the high baseline is being finalized now and should be released for any and all interested CSPs in April.
The pilot was the last step in a year-long effort to develop the high baseline, which will give agencies assurance that CSPs can securely handle and store sensitive information in the cloud.
"There's a very big difference between the governance of those services at a high system versus a moderate system," Goodrich said in January. "At that point you are talking life-and-limb or financial ruin, so the difference in oversight of that is what we're trying to get to."
Matt Rathbun, cloud security director for Microsoft Azure, said the company expects to have a provisional authority to operate (P-ATO) by the end of March.
"Up until this point, federal agencies could only migrate low and moderate impact workloads," he said in a blog post announcing the impending P-ATO. "Now, Azure Government has controls in place to securely process high-impact level data — that is, data that, if leaked or improperly protected, could have a severe adverse effect on organizational operations or assets or individuals."
CSRA — the first company to make it through the FedRAMP process back in 2012 — was asked to join the pilot along with Microsoft and AWS last summer and all three began implementing approximately 100 additional controls above and beyond the moderate baseline.
"This was a coalition of the willing, if you will," said John Keese, CSRA director of cloud services. "It was challenging — very time consuming from our engineering and security team standpoint — but something that we obviously wanted to do."
Keese pointed out that CSRA wants to offer the most secure data center and cloud services possible, as a business model, making obtaining a high authorization a worthwhile move. He also noted the company still offers services at low and moderate for agencies that don't need to pay the premium for low-risk data and applications.
But incorporating the high baseline controls was no easy task.
"Those aren't trivial, especially when you're moving from moderate to high," Keese said, noting many CSPs struggle to meet the moderate baseline. "But when you move from moderate to high, it becomes a lot more particular, especially with the enhancements that are required on those security controls."
Those "enhancements" include integrating common access cards (CAC) and personal identity verification (PIV) cards to authenticate users accessing high systems, higher levels of encryption and special training for CSP personnel working on these systems.
Now that a few CSPs have made it through the process, many more are expected to follow in the coming months and years.
"The FedRAMP compliance programs are critical to U.S. government agencies being able to securely take advantage of cloud technology," Teresa Carlson, vice president of worldwide public sector for AWS, told Federal Times. "Cloud continues to be a major catalyst in how the government can achieve operational efficiencies, cost savings and innovation on-demand to advance their mission."