Azure Government FedRAMP P-ATO Reduces Lead Time for Cloud Migrations

Federal government agencies want to move to the cloud, but they don’t know where to begin. There are many questions that need to be answered:

“Which cloud service provider should I choose?”

“How do I meet all of the cybersecurity requirements and ensure the safety of my workloads in the cloud?”

“What services are available for me when I move workloads to the cloud?”

All of these questions can be answered by Azure Government. Why? Azure Government is the leading government-centric cloud service provider–Azure was the first public cloud with infrastructure and platform services to receive a Provisional Authority To Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB).  Federal government agencies can leverage the Azure Government P-ATO to significantly reduce the lead time for their own cloud migrations.

FedRAMP Explained

As you may recall, the US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA), and to accelerate the adoption of secure cloud solutions by federal agencies.

The Office of Management and Budget now requires all executive federal agencies to use FedRAMP to validate the security of cloud services. (Other agencies have also adopted it, so it is useful in other areas of the public sector as well.) The National Institute of Standards and Technology (NIST) Special Publication Number 800-53 sets the standard, and FedRAMP is the program that certifies that a cloud service provider (CSP) meets that standard.

What is the Azure Government P-ATO?

Azure maintains a P-ATO at the Moderate Impact Level. (Azure was the first public cloud with infrastructure and platform services to receive a P-ATO.) The JAB has also granted Azure Government a P-ATO at the High Impact Level, the highest bar for FedRAMP accreditation, which authorizes the use of Azure Government to process highly sensitive data. The mandatory NIST 800-53 standards establish security categories of information systems—confidentiality, integrity, and availability—to assess the potential impact on an organization should its information and information systems be compromised. The FedRAMP audit of Azure and Azure Government included the Information Security Management System that encompasses infrastructure, development, operations, management, and support of in-scope services.

Once a P-ATO is granted, a CSP still requires an authorization—an ATO—from any government agency it works with. In the case of Azure, a government agency can leverage the Azure P-ATO in its own security authorization process, and rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.

In other words, when an agency is ready to move to the cloud, they can not only user Azure Government as their cloud platform, they can also use the Azure Government P-ATO as a baseline for their own agency-level ATO.  This significantly reduces the amount of time that an agency needs to spend on the agency-level ATO process, since many of the agency-level security requirements can be inherited from the Azure Government P-ATO.

What Azure Government Services Have Been Granted A P-ATO?

Azure Government now offers 32 Infrastructure and Platform services our customers, all of which have been authorized for use with up to High Impact level data.

Covered services include:

Azure Active Directory, Application Gateway, Cloud Services, Key Vault, Multi-Factor Authentication, Load Balancer, SQL Database, Storage, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway

App Service: Web Apps, Application Gateway, Automation, Azure Active Directory*, Azure Government Portal, Azure Resource Manager, Backup, Batch, Cloud Services, Compute Resource Manager, Event Hubs, ExpressRoute, Key Vault, Load Balancer, Log Analytics, Media Services, Network Resource Provider, Notification Hubs, Power BI, Redis Cache, Scheduler, Service Bus, Site Recovery, SQL Database, Storage, Storage Resource Provider, StorSimple, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway

*Note: The use of Azure Active Directory within Azure Government requires the use of components that are deployed outside of Azure Government on the Azure public cloud.

More Information

Want to learn more about the Azure Government P-ATO, or FedRAMP.  Contact us for a free consultation or a free proof of concept project to migrate your workloads to Azure Government!
Do you like this article? Click here to set up a free proof of concept project.