Did Amazon short-cut FedRAMP?
A reader argues that Amazon Web Services did not go through 'the actual FedRAMP certification process.' Is that a fair criticism?
The government is still trying to figure out the best ways to use cloud computing, says Teresa Carlson, vice president of worldwide public sector at Amazon Web Services. (FCW photo)
An FCW reader objected to our story on Amazon Web Services' gaining FedRAMP certification, writing: Amazon did not go through the ACTUAL FedRAMP certification process. They went through an Agency ATO (Authority to Operate) process using the FedRAMP controls as a guideline. And it speaks volumes of both the tech press and federal leadership's preference for firms perceived as new-age/glamorous that neither you nor them has taken the time to correct this misconception. (Rather than shamelessly spread it.)
Executive Editor Troy K. Schneider responds: The second sentence of our story states that the authorization came via the Department of Health and Human Services, rather than the FedRAMP Joint Authorization Board. The General Services Administration's FedRAMP team has been similarly clear about the path to approval, as was Amazon itself.
But an agency-provided authority to operate is no less "real" than a JAB-certified ATO. Scott Renda, the Office of Management and Budget's cloud computing and Federal Data Center Consolidation Initiative portfolio manager, spoke to this at the FOSE conference a week before Amazon's announcement.
"We never intended the JAB to authorize every system in government," Renda said. "That's a myth. And it would slow things down." What the FedRAMP team wants, he stressed, "is to implement a government-wide standard."