Frank Konkel | Nextgov | June 23, 2016

After Testing, 3 Companies Cleared to Store Sensitive Data in the Cloud


Three cloud service providers have achieved the first authority to operate at FedRAMP’s high-impact baseline and are now available to host some of the government’s most sensitive unclassified workloads.

After an 18-month process, Amazon Web Services GovCloud infrastructure-as-a-service, CSRA’s ARP-C IaaS and Microsoft Azure Government’s IaaS and Platform-as-a-Service offering can now be used by agencies for high-impact needs.

Demand for high-impact standards reached an “action point” in January 2015, according to FedRAMP Director Matt Goodrich. Significant potential cloud customers like the departments of Defense, Homeland Security and Veterans Affairs all sought options for hosting law enforcement, critical infrastructure, financial and health data.

The FedRAMP office released two versions of the draft standards for public comment over the past year and a half, and kicked off the pilot with actual vendors in September 2015. On top of the FedRAMP-moderate baseline, the pilots added 96 controls.

“The last few months have been aligning assessments for vendors with the final baseline,” Goodrich said in an interview with Nextgov.

In addition, the FedRAMP team has taken time to ensure “good synergy” between the FedRAMP-high baseline and the Defense Department’s Impact Level 4 standards.

The standards are closely, though not perfectly, aligned, meaning a vendor that achieves the FedRAMP-high baseline has very few hoops to jump through to achieve compliance with DOD’s Impact Level 4 security requirements. That ought to reduce time to market for vendors and cut down on wait time for DOD’s growing customer base.

DOD also makes up the largest percentage of FedRAMP-high data, at 33 percent. VA has 16 percent, DHS has 13 percent and the Justice Department rounds out the top four producers with 10 percent.

While more difficult to achieve from a security perspective, Goodrich said “there should only be a minimal impact to overall timeliness” in terms of getting through the FedRAMP pipeline. That bodes well for FedRAMP’s new emphasis on speed to market, although Goodrich added that vendors will probably need more time to prepare for the FedRAMP-high process itself.

