Amazon Web Services (AWS), one of the largest cloud computing service providers, announced on May 20 that it had met a set of federal standards proving its security for government applications. The Department of Health and Human Services (HHS) deemed AWS authorized at the moderate impact level through the Federal Risk and Authorization Management Program (FedRAMP).
According to FCW, cloud providers CGI Federal and Autonomic Resources are already FedRAMP certified, but Amazon calls itself the first major cloud provider to secure the authorization. On June 6, the General Services Administration announced that HP and Lockheed Martin also achieved FedRAMP compliance.
The main impact of the announcement from Amazon, according to Teresa Carlson, vice president of worldwide public sector at AWS, is the reduced cost to government organizations looking for a cloud services provider.
This stamp of approval from the federal government, she said, will allow organizations to streamline their process of vetting their services for security. “This is part of our strategy to support the federal government and our government customers by being able to meet and exceed the bar that they’ve set for security and compliance for a cloud provider,” she said.
Security has always been a big priority for AWS, she said, but being able to offer this next level of compliance could be the deciding factor in helping some organizations choose Amazon over its competitors. This should speed up the vendor authorization process, she said. “Just as we’ve announced this, we’ve had numerous state governments, cities and local governments contact us and want to get more information.”
This authorization could prove especially valuable for smaller organizations that are looking for a provider and may not have the resources to meet the rigorous standards required by federal law, Carlson said.
Gartner Research Vice President Jay Heiser thinks the AWS announcement will likely have some impact on government, but it may not be what Amazon hopes for. “The glow of FedRAMP bathes Amazon in a sort of cloudy governmental approval, but that isn’t necessarily a good thing,” he told Government Technology in an email.
“It’s nice to know that some 3PAO (Independent Third Party Assessment Organization) has decided that Amazon’s federal-specific facility is suitable for federal use, but why should any non-federal entity presume that they would get the same form of service?” The federal government is using its buying power to pressure service providers into creating federal clouds, Heiser said, which leaves local and state government using the same clouds as everyone else.
What’s more, over the last five years, Heiser said he’s noticed a consistent pattern in the cloud computing industry. “Some providers will exaggerate the significance of their evaluations,” he said. “We’ve seen a string of cloud service providers (CSPs) misleadingly claim that they are ‘federally certified’ because an individual federal agency has undergone their own internal C&A (certification and accreditation) process.”
For example, according to Heiser, many cloud service providers have oversold certain auditing evaluations they have undergone that, in reality, are not official certifications and have little to do with security. He calls this kind of misrepresentation a “shame, because it will only dilute the true value of the thing.”
“Hopefully, something will come out of FedRAMP that will be useful beyond the federal government,” Heiser concluded, although he expressed doubts about whether that would happen. “Certainly FedRAMP is a noble experiment, addressing a problem that the entire globe, commercial and government, is struggling with.”
Editor's Note: Since this article was first published, Government Technology has been informed that AWS’ FedRAMP approval applies not just to the federal government, but to state and local government as well.
Colin wrote for Government Technology from 2010 through most of 2016.