How Does a FedRAMP P-ATO Reduce The Lead Time For A Cloud Migration?
Federal government agencies want to move to the cloud, but they don’t know where to begin. There are many questions that need to be answered:
- “Which cloud service provider should I choose?”
- “How do I meet all of the cybersecurity requirements and ensure the safety of my workloads in the cloud?”
- “What services are available for me when I move workloads to the cloud?”
All of these questions can be answered by Azure Government. Why? Azure Government is the leading government-centric cloud service provider: Azure was the first public cloud with infrastructure and platform services to receive a Provisional Authority To Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). Federal government agencies can leverage the Azure Government P-ATO to significantly reduce the lead time for their own cloud migrations.
In summary, this article describes the Azure Government FedRAMP P-ATO and other related topics, including:
- What is the Azure Government P-ATO?
- What Azure Government Services Have Been Granted A P-ATO?
FedRAMP Explained
As you may recall, the US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA), and to accelerate the adoption of secure cloud solutions by federal agencies.
The Office of Management and Budget now requires all executive federal agencies to use FedRAMP to validate the security of cloud services. (Other agencies have also adopted it, so it is useful in other areas of the public sector as well.) The National Institute of Standards and Technology (NIST) Special Publication Number 800-53 sets the standard, and FedRAMP is the program that certifies that a cloud service provider (CSP) meets that standard.
What is the Azure Government P-ATO?
Azure maintains a P-ATO at the Moderate Impact Level. (Azure was the first public cloud with infrastructure and platform services to receive a P-ATO.) The JAB has also granted Azure Government a P-ATO at the High Impact Level, the highest bar for FedRAMP accreditation, which authorizes the use of Azure Government to process highly sensitive data. The mandatory NIST 800-53 standards establish security categories of information systems—confidentiality, integrity, and availability—to assess the potential impact on an organization should its information and information systems be compromised. The FedRAMP audit of Azure and Azure Government included the Information Security Management System that encompasses infrastructure, development, operations, management, and support of in-scope services.
Once a P-ATO is granted, a CSP still requires an authorization—an ATO—from any government agency it works with. In the case of Azure, a government agency can leverage the Azure FedRAMP P-ATO in its own security authorization process, and rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.
In other words, when an agency is ready to move to the cloud, they can not only use Azure Government as their cloud platform, they can also use the Azure Government FedRAMP P-ATO as a baseline for their own agency-level ATO. This significantly reduces the amount of time that an agency needs to spend on the agency-level ATO process, since many of the agency-level security requirements can be inherited from the Azure Government P-ATO.
What Azure Government Services Have Been Granted A P-ATO?
Azure Government now offers 32 Infrastructure and Platform services to our customers, all of which have been authorized for use with up to High Impact level data. Covered services include: