After Testing, 3 Companies Cleared to Store Sensitive Data in the Cloud

Virgiliu Obada/

Amazon, CSRA and Microsoft all made the cut.

Three cloud service providers have achieved the first authority to operate at FedRAMP’s high-impact baseline and are now available to host some of the government’s most sensitive unclassified workloads.

After an 18-month process, Amazon Web Services GovCloud infrastructure-as-a-service, CSRA’s ARP-C IaaS and Microsoft Azure Government’s IaaS and Platform-as-a-Service offering can now be used by agencies for high-impact needs.

Demand for high-impact standards reached an “action point” in January 2015, according to FedRAMP Director Matt Goodrich. Significant potential cloud customers like the departments of Defense, Homeland Security and Veterans Affairs all sought options for hosting law enforcement, critical infrastructure, financial and health data.

The FedRAMP office released two versions of the draft standards for public comment over the past year and a half, and kicked off the pilot with actual vendors in September 2015. On top of the FedRAMP-moderate baseline, the pilots added an additional 96 controls.

“The last few months have been aligning assessments for vendors with the final baseline,” Goodrich said in an interview with Nextgov.

In addition, the FedRAMP team has taken time to ensure “good synergy” between the FedRAMP-high baseline and the Defense Department’s Impact Level 4 standards.

The standards are closely – though not perfectly – aligned, meaning a vendor that achieves the FedRAMP-high baseline has very few hoops to jump through to achieve compliance with DOD’s Impact Level 4 security requirements. That ought to reduce time to market for vendors and cut down on time to wait for DOD’s growing customer base.

DOD also makes up the largest percentage of FedRAMP-high data, at 33 percent. VA has 16 percent, DHS has 13 percent and the Justice Department rounds out the top four producers with 10 percent.

While more difficult to achieve from a security perspective, Goodrich said “there should only be a minimal impact to overall timeliness” in terms of getting through the FedRAMP pipeline. That bodes well for FedRAMP’s new emphasis on speed to market, although Goodrick added that vendors will probably need more time to prepare for the FedRAMP-high process itself.