How Does Amazon’s FedRAMP Authorization Affect Cloud Providers?

Contributed by BrightLine Principal, Doug Barbin

A couple of weeks ago, the GSA announced that Amazon Web Services (AWS) was granted a FedRAMP authority to operate (ATO) from the Department of Health and Human Services.  Make no mistake – this is a great achievement and AWS deserves significant praise for achieving this milestone.  The fact is – Amazon’s dedication to compliance has yet to be matched.  In addition to FedRAMP, AWS undergoes all three SOC examinations (SOC 1, SOC 2, and SOC 3), PCI validation, ISO 27001 certification, and more.

AWS’ ATO was the first Agency ATO granted under FedRAMP, and while government agencies can leverage this ATO to grant their own authorizations – what about the AWS ecosystem of CSPs that use the AWS platform to provide their SaaS offerings?  The answer is complicated and may bring about challenges for CSP tenants of AWS trying to obtain their own authorization.

The FedRAMP program was created to accelerate the adoption of secure cloud solutions by federal agencies through reuse of assessments and authorizations.  Federal agencies are required to procure services only from CSPs that have obtained an ATO.  Come June of next year, this will be a hard requirement for agencies.

There are two paths for FedRAMP authorization – a Provisional Authorization or Provisional ATO from the Joint Authorization Board (JAB) or an Agency Authorization. A “FedRAMP ATO” requires an independent 3PAO assessment and use of the FedRAMP program generated reporting templates.  The difference comes down to who the authorizing body is and how it can be leveraged.

Below we have listed some of the benefits and challenges of going with the JAB Provisional ATO versus an Agency ATO.

JAB Provisional ATO Benefits

  • A JAB Provisional ATO is designed to be government-wide.
  • The ATO can be leveraged by all federal agencies.  Once a CSP obtains the ATO, agencies may review the CSP’s security package and determine if the CSP’s system meets agency needs.
  • A Provisional ATO can also be leveraged by the CSP’s cloud provider tenants (or partners) that are seeking to obtain their own ATO.  For example, a SaaS provider that hosts within a FedRAMP authorized IaaS provider could “carve out” that IaaS provider’s controls in their own assessment.

JAB Provisional ATO Challenges

  • Really only one:  length of time.  At this time, there are over 100 CSPs in the queue for FedRAMP authorization.  It has been reported that more than half are going the JAB Provisional ATO route.  This has created a backlog of CSPs and the JAB has limited resources.

Agency ATO Benefits

  • CSPs that currently serve agencies have the benefit of that agency being knowledgeable about the CSP, and the CSP may have undergone FISMA assessment and ATO-related activities with that agency in the past.  As such, the review process may be more efficient.
  • Agencies will inevitably have fewer ATOs to process than the JAB, increasing the likelihood of getting through the ATO process faster.
  • The agency ATO still appears on the GSA listing of FedRAMP compliant CSPs.
  • Certain aspects of a CSP’s agency ATO may be leveraged by other agencies.  Specifically, a second agency may leverage the CSP’s independent assessment – performed by a 3PAO – in its own process to assess the CSP and grant its own ATO.

Agency ATO Challenges

  • An agency ATO is only applicable to one agency.
  • While federal agencies can leverage other agency ATOs, other CSPs cannot.  For a CSP to obtain a JAB Provisional ATO, all aspects of the CSP’s system must be included in the FedRAMP assessment for JAB approval.  If a CSP uses a third-party service such as an IaaS to house its system, the CSP cannot obtain a Provisional Authorization unless the third party’s IaaS system is also authorized by the JAB.

So while the AWS announcement is exciting and opens the door to government agencies, AWS tenants that offer their own cloud services will have to find either their own agency sponsor or a sponsor who is willing to accept the HHS ATO along with the SaaS provider’s authorization package.  Alternatively, the CSP may have to wait for Amazon to “upgrade” to the JAB Provisional ATO route, or for the PMO to change its stance and allow the HHS authorization to be leveraged.  BrightLine is working with several CSPs who are going the Agency ATO route first and then moving to JAB Provisional ATO, so this path is not foreign.

Ultimately – embedded service provider relationships are complicated.  How the authorizations are combined adds another layer of complexity.

#####

How do you think Amazon’s FedRAMP authorization will affect cloud providers? Post your comments below. Today’s post pic is from Thinkalytic.com.

3 comments for “How Does Amazon’s FedRAMP Authorization Affect Cloud Providers?”

  1. Mike Nelson
    August 19, 2013 at 2:37 pm

    The HHS ATO was granted in the context of HHS data types and risk tolerance, naturally. Any agency that leverages that ATO would, as a function of good risk due diligence, re-review the 3PAO results in the context of their own data characteristics and risk tolerance, coming to their own conclusions. The HHS conclusions are an important, but only one data point in that analysis. Such a review effort is not an insignificant amount of work by appropriate SMEs. Agencies who think they can take the HHS ATO and simply start using AWS for their own applications and data types could be in for a surprise.

    Also, without the JAB in the picture, the mechanics of the CSP’s annual self-attestation, the quarterly POA&M reporting, the significant change notification & management, the incident management processes, etc., are more problematic. You can be assured that HHS isn’t going to step in to perform those JAB functions for the entire federal government, which implies that any agency leveraging the HHS ATO would have to establish their own interface with AWS directly for these functions. If nothing else, I would think this would motivate AWS to move quickly towards a full JAB PATO.

  2. James Bowman
    August 20, 2013 at 5:14 pm

    Very nice rundown of the AWS ATO and the differences between a JAB issued provisional ATO and an agency compliant ATO. A couple of notes:

    For JAB Provisional ATO Benefits – “A Provisional ATO can also be leveraged by the CSP’s cloud provider tenants” We refer to this as “inheriting” the underlying ATO.

    For JAB Provisional ATO Challenges – I would add here that although there are more than 100 CSPs in queue, this is simply the number of FedRAMP applications received. Anyone can submit an application on the FedRAMP site. The number of CSPs who are serious, understand the process, are prepared, and queued up is far less. It’s my understanding that if a CSP is prepared and can demonstrate this, they will move into processing fairly quickly. For anyone considering or already doing business with multiple agencies, I always recommend the JAB provisional ATO route based on the JAB’s reputation on risk tolerance and ease of leveraging by multiple agencies.

    For Agency ATO Challenges – Great points listed here. The JAB will not accept an agency ATO for the underlying IaaS for SaaS applications without a full review of the entire solution stack. This is due to the JAB’s very low tolerance for risk, where individual agencies may accept additional risk depending on the agency and the system.

    Also worth mentioning again is that continuous monitoring for JAB issued ATOs is handled by the FedRAMP ISSO team. Agencies are responsible for continuous monitoring for agency issued FedRAMP compliant ATOs.

    And just throwing this out there:
    “Alternatively, the CSP may have to wait for Amazon to “upgrade” to the JAB Provisional ATO route” Are you certain AWS didn’t start the JAB provisional ATO route initially, then rerouted based on the JAB’s low risk tolerance? And does any provider tenanted within AWS have a shot at a JAB provisional ATO?

  3. August 20, 2013 at 7:12 pm

    Thank you for the comments. To be clear – BrightLine was not the AWS 3PAO and I have no idea what actually led them to go the agency route. Given everything else they have achieved, I certainly do not question their seriousness in this space.

    Our perspective comes from working with several AWS tenant SaaS providers. The PMO has specifically stated that they will not allow the AWS IaaS controls to be inherited with an agency ATO.

    We also have other clients going the agency route and there is certainly value there. From what I have seen, it is less about a difference in risk tolerance and more about familiarity with the provider and service and how that allows an Agency to more efficiently review the required documents and artifacts.
