The General Services Administration has selected Microsoft Azure to be one of the platforms used to establish the High-Impact baseline for the Federal Risk and Authorization Management Program, better known as FedRAMP.
Since its inception, FedRAMP has authorized cloud vendors for low- and moderate-impact workloads. While this was helpful for many agencies to bring in cloud, it did not help agencies that manage data that, if leaked, could harm government operations.
“The creation of the FedRAMP High Security Baseline is essential in allowing agencies to migrate more high-impact level data to the cloud,” FedRAMP Director Matt Goodrich said. “Selecting Microsoft Azure Government to participate in FedRAMP’s High Impact baseline pilot and its forthcoming Provisional Authority to Operate (P-ATO) from the FedRAMP JAB are testaments to Microsoft’s ability to meet the government’s rigorous security requirements.”
Microsoft is on schedule to receive its P-ATO by the end of the month. Azure government is on track to achieve Defense Department Level 4 authorization shortly.
Protecting Sensitive Information
Impact Level 4 data refers to unclassified data that requires protection against unauthorized disclosure, as established by Executive Order 13556 or other mission-critical data, Microsoft said. That includes data that is subject to export control, such as official government use, or that is law enforcement sensitive or contains other information that should remain secure.
“By 2018, increased security will displace cost savings and agility as the primary driver for government agencies to move to public cloud within their jurisdictions,” wrote Matt Rathbun, Microsoft’s cloud security director for cloud health and security engineering, on the Microsoft blog. “At Microsoft, we are steadfast in our commitment and investments to deliver a Cloud for Government that meets those stringent requirements.”
Also of note from Microsoft’s announcement:
- Microsoft is establishing two new physically isolated regions within Azure government for the Department of Defense data, designed to meet DOD Impact Level 5. Availability is planned for this year.
- Two of Microsoft’s new cloud regions, Azure Canada and Azure Deutschland, a Microsoft cloud with a German data trustee, are now offering operational preview services to select customers and partners. The previews in Canada and Germany offer enterprise-grade reliability and performance combined with in-country data residency, including data replication in multiple locations for business continuity.
- With Azure government’s two new regions for U.S. Department of Defense data, Microsoft Azure has now announced 30 regions globally with 22 operational — more than two times the number of Amazon Web Services regions and eight times Google’s.
“When we think about cybersecurity in the cloud, it’s everything we do from the ground up. It’s how we look at securing that cloud infrastructure that we manage,” Susie Adams, Microsoft federal's chief technology officer, said in an interview with MeriTalk. “We look at it both from a code-based perspective in our security development and life cycle, where we build the code from the ground up with security in mind, all the way to how we run our operations in the data center with an assumed breach mentality.”