• FedRAMP Expert

FedRAMP Cloud Service Providers and Services

Updated: Jun 11, 2020

Google Cloud Platform (GCP)

Google has also adapted its cloud infrastructure, otherwise known as Google Cloud Platform (GCP), to be compliant with FedRAMP. GCP has received FedRAMP High authorization to operate (ATO) for several cloud products in a handful of locations and has extended its current FedRAMP Moderate authorization to more products and locations. These new products and locations are referred to later. This means that Government agencies are now able to be compliant working with the highest level of classified information using GCP.

GCP already maintains an authorization at the Moderate level, but achieving authorization at the High level gives Federal organizations that handle highly sensitive information broader access to technology. Upgrading from a Moderate to a High ATO carries no additional cost for the more secure, highly authorized infrastructure and no change in services. Moreover, this High authorization for GCP means you’re deploying a cloud solution infrastructure that has validated, trusted, and tested security already in effect.

"If you’re in government IT, you’ll be able to deploy a cloud platform that gives your organization better scalability, elasticity and collaboration, not to mention redundancy and high availability of business services."

Google provides a complete list of the 17 High and 64 Moderate Authorization level services covered under FedRAMP.

For GCP High Authorization Services, here is a list of the 5 approved cloud regions:

  1. Oregon (us-west1)

  2. Los Angeles (us-west2)

  3. Iowa (us-central1)

  4. South Carolina (us-east1)

  5. Northern Virginia (us-east4)

Google also lists the 17 regions for GCP Moderate Impact Authorization Services here.

Why adopt the Google Cloud Platform - FedRAMP authorization?

There is a handful of key points as to why the GCP infrastructure implementation is beneficial for Federal Agencies and Organizations. First, security has been reviewed against regulated benchmarks based on cloud security assessments by a third-party assessor. Because the FedRAMP program handles these rigorous assessments, there are significant time and cost efficiencies and reasons for independent actions.

This authorization enables government agencies to implement upgraded, more secure solutions while ensuring a consistent application of previous integrations.

The program maintains continuous oversight of organizational authorizations, and Google Cloud will continue to undergo continuous monitoring. Essentially, all security controls for GCP will be maintained and updated for government users and agencies.

Microsoft Azure

The FedRAMP audit of Azure and Azure Government included the information security management system, which encompasses infrastructure, development, operations, management, and support of in-scope services. As we are aware, FedRAMP is a required certification for meeting requirements to provide cloud services to the US Federal Government.

Azure Government provides standards-compliant Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) that has now received a FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO). Additionally, Azure now maintains a P-ATO at the High Impact Level and was acknowledged as the first public cloud with IaaS and PaaS services to receive a JAB P-ATO.

"Microsoft is working closely with our stakeholders to simplify our approach to regulatory compliance for federal agencies, so that our government customers can gain access to innovation more rapidly by reducing the time required to take a service from available to certified."

Key points to remember regarding Microsoft Azure and FedRAMP:

  • Azure continues to support the most FedRAMP High Impact level services compared to other CSPs

  • All Azure services are available to all public Azure regions in the United States.

  • Azure Public Services has a total of 112 Moderate and High Services. These are the FedRAMP services, which lists all services currently available in Azure Government to our FedRAMP Moderate Services.

  • Azure Government Services has a total of 101 High Services. These are the FedRAMP services currently available in Azure Government.

  • And while FedRAMP High in the Azure public cloud will meet the needs of many US government customers, agencies with more rigorous requirements will continue to rely on Azure Government.

Microsoft Azure government cloud services offer many services compliant with FedRAMP for detailed oversight and access to necessary resources, for example, the FedRAMP High Blueprint. This assists customers in deploying a steady, secure foundation of policies for any Azure-deployed architecture, which requires the implementation of FedRAMP High controls.

Because Azure is approved at the highest level within FedRAMP, Federal Agencies benefit from cost savings and complex, utmost security practices. Any Government agency can now utilize the Azure P-ATO in its own security authorization process and rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.

As we see, Microsoft continues to enhance Azure's Cloud environment to provide commitment towards total Government compliance, particularly with FedRAMP. Azure provides more compliance offerings than any other Cloud Service Provider.

Amazon Web Services (AWS)

Like other types of cloud deployment models, Amazon Web Services (AWS) also offers cloud solutions that are FedRAMP compliant and has been provisioned Moderate and High Impact Authorizations for specific services.

AWS shows compliance for the FedRAMP security assessment framework requirements by:

  1. Addressing the FedRAMP security controls relating to NIST SP 800-53

  2. Implementing FedRAMP templates located in the FedRAMP repository

  3. Being assessed by a trusted independent third party assessor (3PAO) to ensure an independent validation of technical, management, and operational security controls against the FedRAMP NIST guidelines and regulations.

  4. Sustaining continuous monitoring requirements of FedRAMP

AWS GovCloud (US) is an AWS Region designed to allow US government agencies, and customers supporting the US government, to move more sensitive workloads, like CUI, PCI, PII, patient data, and financial records, into the cloud. AWS GovCloud (US-East) and (US-West) Regions are operated by employees who are U.S. citizens on U.S. soil.

The services in the scope of the AWS GovCloud (US) boundary at high baseline security categorization can be found within AWS Services in Scope by Compliance Program.

AWS US East-West, an AWS public region designed for Commercial (and even Government), has been granted a JAB P-ATO and an A-ATO for moderate impact level. The services in the scope of the AWS US East-West JAB P-ATO boundary at Moderate baseline security categorization can be found within AWS Services in Scope by Compliance Program.
