The public-cloud services offered by both Amazon and Microsoft have received new, higher levels of federal authorization to deal with sensitive data.
Microsoft’s Azure Government got a “provisional authorization” for DoD Impact Level 5 from the Defense Information Systems Agency (DISA), Microsoft said in a blog post today. The authorization will let Defense Department-affiliated organizations plan, assess, and authorize workloads involving unclassified national-security data.
The federal government has six levels of security for cloud data. Level 5 is second from the highest. Level 6 involves information classified as Secret.
Compliance with impact levels is supervised by DISA, which provides IT and communication support to the top members of the executive branch and to the military.
Microsoft has made a special effort to accommodate Azure to the federal government. It operates two logically and geographically distinct Azure Governmentregions (pairs or groups of data centers) exclusively for use by federal, state, or local governments. It also counts the U.S. Government among its biggest software customers, just last month signing a $927 million contract to provide technical support to DISA.
“Government wants to embrace the cloud, and we’re leading the way with that,” said Jason Zander, Azure’s corporate VP, in an interview. “We believe we have the most complete solution, with Azure, Office 365 and Dynamics 365 specifically designed for government. Office 365 is also certified at Level 5, and Dynamics 365 Level 5 certification is “in progress,” he said.
About 7,000 agencies at the federal, state and local level use one or more of those three government-cloud offerings, Zander said.
For its part, Amazon Web Services’ CloudWatch Logs — a service to monitor, store, and access log files from Amazon Elastic Compute Cloud (EC2) instances and other sources — has received provisional authority to operate at the FedRAMP High baseline within the AWS specially dedicated GovCloud (U.S.) region. This authority lets government customers use CloudWatch Logs to process the government’s most sensitive unclassified data.
GovCloud (US) holds provisional authorizations at Impact Levels 2 and 4 but not 5.
Full details on federal cloud security can be found here. A shorter explanation is here.
Amazon Web Services is the most popular provider of computing and storage services over the internet. Azure is number two by most measures.
Amazon Web Services and Microsoft both said today that parts of their respective cloud offerings have won federal certification as being secure, allowing the government to use them for sensitive patient records, financial data, law-enforcement data and other controlled but unclassified information.
The AWS GovCloud (US), an isolated portion of Amazon’s cloud launched in 2011 and designed to host sensitive workloads, got a provisional authority to operate from the federal Joint Authorization Board under the newly created Federal Risk and Authorization Management Program (FedRAMP) high baseline, AWS said. That baseline is a standardized set of more than 400 security requirements based on controls outlined by the National Institute of Standards and Technology. Data is classified as “high” if its compromise would severely affect an organization’s operations, assets or individuals.
“We’re excited . . . to recognize AWS as having achieved the most rigorous FedRAMP level to date,” said Matthew Goodrich, FedRAMP director, in a prepared statement. Meeting the baseline gives agencies “a simplified path to moving their highly sensitive workloads to AWS,” said Teresa Carlson, vice president of AWS’s worldwide public sector, in the same statement. More than 2,300 government customers worldwide are already using AWS Cloud, and this certification can extend their uses, she said.
The AWS GovCloud (US) Region offers services including Elastic Cloud Compute, Virtual Private Cloud, Simple Storage Service, Identity and Access Management and Elastic Block Store, AWS said. In addition to FedRAMP, it adheres to U.S. International Traffic in Arms Regulations (ITAR) and Criminal Justice Information Services requirements, as well as Levels 2 and 4 for DoD systems.
Microsoft’s Azure Government won the same FedRAMP provisional authority, which Goodrich in a statement called “a testament to Microsoft’s ability to meet the government’s rigorous security requirements.” The company successfully completeda FedRAMP high pilot in March.
Azure has also won provisional authorization to deal with Level 4 DoD data and with ITAR, Microsoft said. Details on its secure cloud are available here.