This article is an excerpt from GovLoop’s recent guide, “Your Guide to Cloud Security in Government Today: Making the Most of FedRAMP.”
There was a time when most agencies shied away from putting their data in the cloud. Skeptics questioned whether cloud-based systems could meet government requirements and how they could verify those claims, especially if they couldn’t see or touch physical hardware.
But efforts such as FedRAMP have helped to ease those concerns by providing baseline requirements for securing cloud products and services in a standard way. Using FedRAMP as a guide, agencies still must determine which cloud systems best support their mission. GovLoop and AWS partnered to highlight what secure cloud vendors like AWS have to offer agencies that want to take a thoughtful, mission-focused approach to cloud adoption.
For agencies, security classification has been one of the biggest barriers in moving to the cloud.
Security requirements for data, applications and workloads greatly dictate where those things may reside and run. In June 2016, AWS became the first cloud service provider to receive authorization to support FedRAMP High workloads. The “High” designation means that any loss of confidentiality, integrity or availability of the data in that system could be expected to have a severe or catastrophic effect on organizational operations, assets or individuals.
Companies that meet the FedRAMP High baseline are deemed secure enough to host Personally Identifiable Information, sensitive patient records, financial data and other Controlled Unclassified Information in the cloud. “The cloud on its weakest day is more secure than a client-server solution,” said Sean Roche, Associate Deputy Director of Digital Innovation, CIA. “It’s been nothing short of transformational. It has transformed our ability to build new capabilities.”
The creation of FedRAMP requirements to secure high-impact systems was a major milestone not only for cloud service providers like AWS but also for government agencies. The reason? Federal agencies wanted to take advantage of the benefits of secure commercial cloud — even for mission-critical systems. They wanted the ability to quickly adapt to varying workloads and to only pay for the IT services they use.
Offerings like AWS GovCloud (US) provide agencies compliance without compromise by delivering a secure environment to run sensitive government workloads. Currently, agencies are using AWS GovCloud to power various innovative projects, including analyzing data on social media to collect information on adverse drug effects and collecting images from Mars.
For agencies that aren’t quite ready to put high-impact systems in the cloud, AWS is also authorized to secure moderate-impact systems. Moderate-impact systems account for nearly 80 percent of cloud applications that receive FedRAMP authorization, according to FedRAMP.gov. For agencies, this means they can tailor the appropriate level of security to each system, based on its classification. Both agencies and vendors can save time and money by taking advantage of an existing AWS provisional authority to operate (P-ATO) from FedRAMP’s Joint Authorization Board.
As agencies move more workloads into the cloud, investing in offerings that further their mission in a secure, cost-effective way is key.