
Did Amazon short-cut FedRAMP?


The government is still trying to figure out the best ways to use cloud computing, says Teresa Carlson, vice president of worldwide public sector at Amazon Web Services. (FCW photo)

An FCW reader objected to our story on Amazon Web Services' gaining FedRAMP certification, writing: "Amazon did not go through the ACTUAL FedRAMP certification process. They went through an Agency ATO (Authority to Operate) process using the FedRAMP controls as a guideline. And it speaks volumes of both the tech press and federal leadership's preference for firms perceived as new-age/glamorous that neither you nor they have taken the time to correct this misconception. (Rather than shamelessly spread it.)"

Executive Editor Troy K. Schneider responds: The second sentence of our story states that the authorization came via the Department of Health and Human Services, rather than the FedRAMP Joint Authorization Board. The General Services Administration's FedRAMP team has been similarly clear about the path to approval, as was Amazon itself.

But an agency-provided authority to operate is no less "real" than a JAB-certified ATO. Scott Renda, the Office of Management and Budget's cloud computing and Federal Data Center Consolidation Initiative portfolio manager, spoke to this at the FOSE conference a week before Amazon's announcement.

"We never intended the JAB to authorize every system in government," Renda said. "That's a myth. And it would slow things down." What the FedRAMP team wants, he stressed, "is to implement a government-wide standard."

Posted by Troy K. Schneider on May 29, 2013 at 12:10 PM



Reader comments

Mon, Jun 3, 2013

What people are missing here is that there IS a difference between an Agency-sponsored FedRAMP ATO and a JAB P-ATO. The biggest two are risk review and continuous monitoring. A JAB P-ATO CSP will be monitored by the JAB, and is therefore a true "do once, use many". An Agency ATO leaves continuous monitoring to the Agency, certainly NOT a "do once, use many". AWS had to get this out there because they stand to lose business because they are not FedRAMP compliant. They chose the quickest route on purpose, and will reap the rewards because of it. Shame on the Agency who doesn't insist on a JAB P-ATO.

Mon, Jun 3, 2013

So if this is a GSA-based process and HHS comes in and gets Amazon approved, what does this mean for other agencies? I'd be hard pressed to think that the same risks across the board will apply. Does Amazon plan to use their HHS-approved Cloud for any other agencies?

Fri, May 31, 2013

It's easy to understand why there would be such confusion. The FedRAMP CONOPS would appear to indicate that JAB approval is the final step in FedRAMP authorization: "A CSP [Cloud service provider] follows the process for a provisional authorization under FedRAMP and uses a 3PAO [third-party assessor] to assess and review their security control implementations. CSPs THEN [emphasis added] provide documentation of the test results in a completed assessment package to the FedRAMP PMO. The security package is THEN [emphasis added] reviewed by the JAB and if a CSP system presents an acceptable level of risk, a provisional Authorization is granted. Agencies can THEN [emphasis added] leverage the Provisional ATO and grant their own ATO without conducting duplicative assessments."

A single paragraph in the 47-page CONOPS (4.1.2. Initiating Assessments with FedRAMP) is all that would seem to validate Mr. Renda's contention that "We never intended the JAB to authorize every system in government." The rest of the document focuses heavily on the process of a CSP working its way up to JAB provisional ATO. And that's really the part of the FedRAMP process that has gotten the most publicity. The FedRAMP office needs to do a better job of publicizing the fact that an individual agency can grant a FedRAMP ATO as long as they follow the FedRAMP process. Though as one commenter here asks, "If the point of FedRAMP is that you get an ATO once and repeatedly use it across government, isn't having an agency-level ATO kind of a strange premise?" And it almost makes you wonder what's the point of having a JAB -- why not just "outsource" the whole ATO process to individual agencies that want to use a cloud service?

Fri, May 31, 2013 Laura T.

The process that Amazon used has always been available to all CSPs.

Fri, May 31, 2013 OccupyIT

My guess is GSA is spitting mad that someone is challenging their monopoly. We'll see if all it takes to be acknowledged as FedRamp'ed is to have an ATO with FedRamp controls. If that's the case, Amazon was certainly not the third to achieve this... My guess is they're more like 43rd... Let's see how long it takes for a clarification that an ATO, no matter the controls, does not meet their club members-only rules...
