Blog archive

Did Amazon short-cut FedRAMP?

Teresa Carlson

The government is still trying to figure out the best ways to use cloud computing, says Teresa Carlson, vice president of worldwide public sector at Amazon Web Services. (FCW photo)

An FCW reader objected to our story on Amazon Web Services' gaining FedRAMP certification, writing: Amazon did not go through the ACTUAL FedRAMP certification process. They went through an Agency ATO (Authority to Operate) process using the FedRAMP controls as a guideline. And it speaks volumes of both the tech press and federal leadership's preference for firms perceived as new-age/glamorous that neither you nor them has taken the time to correct this misconception. (Rather than shamelessly spread it.)

Executive Editor Troy K. Schneider responds: The second sentence of our story states that the authorization came via the Department of Health and Human Services, rather than the FedRAMP Joint Authorization Board. The General Services Administration's FedRAMP team has been similarly clear about the path to approval, as was Amazon itself.

But an agency-provided authority to operate is no less "real" than a JAB-certified ATO. Scott Renda, the Office of Management and Budget's cloud computing and Federal Data Center Consolidation Initiative portfolio manager, spoke to this at the FOSE conference a week before Amazon's announcement.

"We never intended the JAB to authorize every system in government," Renda said. "That's a myth. And it would slow things down." What the FedRAMP team wants, he stressed, "is to implement a government-wide standard."

Posted by Troy K. Schneider on May 29, 2013 at 12:10 PM

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Mon, Jun 3, 2013

What people are missing here is that there IS a difference between an Agency sponsored FedRAMP ATO and a JAB P-ATO. The biggest two are risk review and continuous monitoring. A JAB P-ATO CSP will be monitored by the JAB, and is therefore a true "do once, use many". An Agency ATO leaves continuous monitoring to the Agency, certainly NOT a "do once, use many". AWS had to get this out there because they stand to lose business because they are not FedRAMP compliant. they chose the quickest route on purpose, and will reap the rewards because of it. Shame on the Agency who doesn't insist on a JAB P-ATO.

Mon, Jun 3, 2013

So If this is a GSA based process and HHS comes in an gets Amazon approved what does this mean for other agencies. I'd be hard pressed to think that the same risks across the board will apply. Does Amazon plan to use their HHS approved Cloud for any other agencies?

Fri, May 31, 2013

It's easy to understand why there would be such confusion. The FedRAMP CONOPS would appear to indicate that JAB approval is the final step in FedRAMP authorization: "A CSP [Cloud service provider] follows the process for a provisional authorization under FedRAMP and uses a 3PAO [third-party assessor] to assess and review their security control implementations. "CSPs THEN [emphasis added] provide documentation of the test results in a completed assessment package to the FedRAMP PMO. "The security package is THEN [emphasis added] reviewed by the JAB and if a CSP system presents an acceptable level of risk, a provisional Authorization is granted. "Agencies can THEN [emphasis added] leverage the Provisional ATO and grant their own ATO without conducting duplicative assessments." A single paragraph in the 47-page CONOPS (4.1.2. Initiating Assessments with FedRAMP) is all that would seem to validate Mr. Renda's contention that "We never intended the JAB to authorize every system in government." The rest of the document focuses heavily on the process of a CSP working its way up to JAB provisional ATO. And that's really the part of the FedRAMP process that has gotten the most publicity. The FedRAMP office needs to do a better job of publicizing the fact that an individual agency can grant a FedRAMP ATO as long as they follow the FedRAMP process. Though as one commenter here asks, "If the point of FedRAMP is that you get an ATO once and repeatedly use it across government, isn't having an agency-level ATO kind of a strange premise?" And it almost makes you wonder what's the point of having a JAB -- why not just "outsource" the whole ATO process to individual agencies that want to use a cloud service?

Fri, May 31, 2013 Laura T.

The process that Amazon used has always been available to all CSPs.

Fri, May 31, 2013 OccupyIT

My guess is GSA is spitting mad that someone is challenging their monopoly. We'll see if all it takes to be acknowledged as FedRamp'ed is to have an ATO with FedRamp controls. If that's the case Amazon was certainly not the third to acheive this... My guess is they're more like 43rd... Let's see how long it takes for a clarification that an ATO, no matter the controls, does not meet their club members-only rules...

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group