Observations from the FedRAMP Certification Process

On September 30, Microsoft announced that our public cloud platform, Windows Azure, had been granted Provisional Authorities to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). The FedRAMP Program Management Office also announced recently that federal agencies can now leverage the P-ATO to support their own agency-specific cloud migration efforts. FedRAMP is a government-wide program administered by the General Services Administration (GSA) that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. Agencies are required by the Office of Management and Budget to use FedRAMP to adopt cloud services.

By achieving this level of federal compliance, Windows Azure enables customers to use cloud computing services that adhere to security requirements, meet federal compliance regulations, and support government computing initiatives.

We are encouraged by the development of FedRAMP and, after completing the certification process, we can offer some observations and have some suggestions:

  • FedRAMP’s “certify once, use many times” approach offers significant benefits, such as increasing consistency in the evaluation of the security requirements, minimizing costs for service providers and consumers, and streamlining often duplicative processes.
  • FedRAMP is committed to a flexible approach that gives assessors a fair range of discretion to determine compliance for a given control. To build greater consistency and repeatability across the review process, the community would benefit from FedRAMP continuing to institutionalize risk-based adjudication criteria and practices, aligned with the initial publication of the FedRAMP capabilities checklist for CSPs. For a certification regime such as FedRAMP to be more effective, there must be clear criteria for evaluation and agreement on issues such as what constitutes an acceptable artifact for satisfying control requirements. We urge working with cloud service providers and assessor communities to collaboratively determine these risk-based measures.
  • As FedRAMP certifies more cloud services, it will continue to confront cloud service providers that implement alternative approaches to meet a specific security objective. These alternatives are a result of the inherent variability in the architecture of cloud-based systems that are designed to be scalable, on-demand, and continuously updated, while addressing evolving security concerns for customers of all sizes and sophistication across a variety of use case scenarios. As FedRAMP matures, we encourage developing a systematic approach for integrating alternative methods that achieve the same security outcome as acceptable practices. In many instances, the ability to rely on the existing standards and practices of cloud service providers can provide sufficient if not higher security beyond customer requirements. Integrating these practices can facilitate the assessment process across multiple reviewers, ensure that the most effective measures against the latest security threats are in place, and ultimately deliver real security value.

Microsoft appreciates GSA’s leadership and continued efforts to advance the efficiency and effectiveness of this critical program. Launching a centralized cloud security assessment capability for the federal government is no small undertaking, and we look forward to continuing to help evolve and optimize FedRAMP.

About the Author
Scott Charney

Corporate Vice President, Trustworthy Computing

Scott Charney is Corporate Vice President for Microsoft’s Trustworthy Computing Group. Mr. Charney is responsible for a range of corporate programs that influence the security, privacy, and reliability of Microsoft’s products, services, and internal networks. He also manages the Engineering