recommended reading

One Year After Launch, Cloud Security Initiative Has Its First Taker

Maksim Kabakou/

The Federal Risk and Authorization Management Program, which began operating in early June 2012 and is aimed at simplifying the purchase of online software, has attracted its first buyer: the Health and Human Services Department. Now, FedRAMP has another 12 months to prove to all agencies and vendors how easy and cost-effective it is to reuse other agencies’ security assessments -- in this first case, HHS’s evaluation of cloud provider Amazon Web Services. 

Government and industry have always described the program as “a crawl, walk, run” exercise.

By June 2014, all cloud suppliers that want to sell to the government, including Google, Salesforce and Microsoft, are required to demonstrate they have met a standard set of security controls defined by FedRAMP. But just once. Currently, most agencies perform their own tests for each service, forcing vendors to undergo multiple assessments. 

Federal officials, on Tuesday, announced that Amazon's US-based data centers meet FedRAMP’s one-size-fits-all specifications for data storage, processing and protection. Now, any agency inside or outside Health and Human Services, from the Centers for Disease Control and Prevention to the Defense Department, can, for example, host a website in the Amazon cloud. 

The approach holds the promise of saving federal employees time and saving taxpayers up to $200,000 per service. The expectation is that all agencies will trust a Web service’s reliability after reading that single assessment. Meanwhile, authorized providers -- as of now only Amazon, Autonomic Resources and CGI Federal -- benefit by becoming immediately eligible to install services at any agency. Vendors can obtain a FedRAMP seal of approval even if they don't have a prospective federal customer by working through the General Services Administration, which manages the program. 

HHS is testing the waters for other cabinet-level departments and federal organizations. And that's the whole point. Once one agency uses a FedRAMP authorized cloud service, any agency can piggyback off the same security assessment and even contracting language. 

The department and Amazon were able to create a recyclable assessment within six months, said Jennifer Gray, HHS information security specialist, because of "the collaborative nature" of working with the provider and agencies departmentwide. As is required of all applicants, Amazon's facilities and operations also were scrutinized by an independent accredited auditor. 

Aspiring suppliers who are not working with an agency might need between nine and 15 months to complete an authorization, because GSA has fewer resources to commit to each vendor, FedRAMP program manager Matthew Goodrich said. "Agencies have a much better ability to get them through the process," he said. 

FedRAMP, in general, has limited bandwidth. GSA in March said the government would stop recruiting auditors until the fall, while shifting the responsibility for vetting inspectors to a private accreditation board. To date, 19 auditors have been approved. More than 100 vendors are interested in earning a FedRAMP endorsement, but only three have done so.

On Tuesday, HHS officials said they coordinated closely with GSA and Amazon to apply the requisite security controls. The approach allowed all HHS components to reuse the authorization "and thereby reduce duplicative efforts, inconsistencies, and cost inefficiencies associated with current security authorization processes," HHS Chief Information Security Officer Kevin Charest said in a statement. 

Amazon officials said their service’s security documentation is immediately available for other agencies to review. "With this FedRAMP certification, agencies can now utilize a streamlined process from [Amazon] when moving applications to the cloud to meet their unique business and mission requirements,” Teresa Carlson, Amazon Web Services vice president for the worldwide public sector, said in a statement.

Gray and Goodrich will discuss this first case study further on Thursday at a breakfast hosted by Nextgov

(Image via Maksim Kabakou/

Threatwatch Alert

Accidentally leaked credentials

U.K. Cellphone Company Leaks Customer Data to Other Customers

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.