While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
The General Services Administration has selected Microsoft Azure to be one of the platforms used to establish the High-Impact baseline for the Federal Risk and Authorization Management Program, better known as FedRAMP.
Since its inception, FedRAMP has authorized cloud vendors for low- and moderate-impact workloads. While this was helpful for many agencies to bring in cloud, it did not help agencies that manage data that, if leaked, could harm government operations.
“The creation of the FedRAMP High Security Baseline is essential in allowing agencies to migrate more high-impact level data to the cloud,” FedRAMP Director Matt Goodrich said. “Selecting Microsoft Azure Government to participate in FedRAMP’s High Impact baseline pilot and its forthcoming Provisional Authority to Operate (P-ATO) from the FedRAMP JAB are testaments to Microsoft’s ability to meet the government’s rigorous security requirements.”
Microsoft is on schedule to receive its P-ATO by the end of the month. Azure government is on track to achieve Defense Department Level 4 authorization shortly.
Impact Level 4 data refers to unclassified data that requires protection against unauthorized disclosure, as established by Executive Order 13556 or other mission-critical data, Microsoft said. That includes data that is subject to export control, such as official government use, or that is law enforcement sensitive or contains other information that should remain secure.
“By 2018, increased security will displace cost savings and agility as the primary driver for government agencies to move to public cloud within their jurisdictions,” wrote Matt Rathbun, Microsoft’s cloud security director for cloud health and security engineering, on the Microsoft blog. “At Microsoft, we are steadfast in our commitment and investments to deliver a Cloud for Government that meets those stringent requirements.”
Also of note from Microsoft’s announcement:
“When we think about cybersecurity in the cloud, it’s everything we do from the ground up. It’s how we look at securing that cloud infrastructure that we manage,” Susie Adams, Microsoft federal's chief technology officer, said in an interview with MeriTalk. “We look at it both from a code-based perspective in our security development and life cycle, where we build the code from the ground up with security in mind, all the way to how we run our operations in the data center with an assumed breach mentality.”