FedRAMP Cloud Service Providers: Google Cloud Platform (GCP)
Google as FedRAMP Cloud Service Providers adopted its cloud infrastructure, Google Cloud Platform (GCP), to be compliant with FedRAMP. GCP earned a FedRAMP High authorization to operate (ATO) for several cloud products in a handful of locations and has uplifted the current FedRAMP Moderate services to more products and locations. Government agencies can now work with the highest level of classified information using GCP.
The FedRAMP Cloud Service Providers, GCP already maintains an authorization at the Moderate level, but achieving a High level signifies that there is broader access to technology for Federal organizations handling highly sensitive information. To upgrade from Moderate to a High-level ATO, there is no additional cost for more secure, highly authorized infrastructure, or a change in services. Moreover, this High authorization for GCP means you’re deploying a cloud solution infrastructure that has been validated, trusted, and has tested security already in effect.
If you’re in government IT, you’ll be able to deploy a cloud platform that gives your organization better scalability, elasticity, and collaboration, not to mention redundancy and high availability of business services.
Google as FedRAMP Cloud Service Providers provides a complete list of the 17 High and 64 Moderate Authorization level services covered under FedRAMP.
For GCP High Authorization Services, here is a list of the 5 approved cloud regions:
- Oregon (us-west1)
- Los Angeles (us-west2)
- Iowa (us-central1)
- South Carolina (us-east1)
- Northern Virginia (us-east4)
Google also lists the 17 regions for GCP Moderate Impact Authorization Services here.
Why adopt the Google Cloud Platform – FedRAMP authorization?
Is the GCP infrastructure implementation beneficial for Federal Agencies and Organizations? Yes! First, security has been reviewed against regulated benchmarks based on cloud security assessments by a third-party assessor. Because the FedRAMP Cloud Service Providers program handles these rigorous assessments, there are significant time and cost efficiencies and reasons for independent actions. Secondly, this authorization enables government agencies to implement upgraded, more secure solutions while ensuring a consistent application of previous integrations. Lastly, the program manages continuous sight of organizational authorizations, and Google Cloud will continue to undergo continuous monitoring. Essentially, all security controls for GCP will be maintained and updated for government users and agencies.
Microsoft Azure
The FedRAMP audit of Azure and Azure Government included the information security management system, which encompasses infrastructure, development, operations, management, and support of in-scope services. FedRAMP is a required certification to provide cloud services to the U.S. government.
Azure Government provides standards-compliant Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) that has now received a FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO). Additionally, Azure now maintains a P-ATO at the High Impact Level and was acknowledged as the first public cloud with IaaS and PaaS services to receive a JAB P-ATO.
“Microsoft is working closely with our stakeholders to simplify our approach to regulatory compliance for federal agencies so that our government customers can gain access to innovation more rapidly by reducing the time required to take a service from available to certified.”, posted by Lily Kim General Manager, Azure Global at Microsoft.
Key points to remember regarding Microsoft Azure and FedRAMP:
- Azure continues to support the most FedRAMP High Impact level services compared to other cloud service providers (CSPs).
- All Azure services are available to all public Azure regions in the United States.
- Azure Public Services has a total of 112 Moderate and High Services. These are the FedRAMP services, which list all services currently available in Azure Government to our FedRAMP Moderate Services.
- Azure Government Services has a total of 101 High Services. These are the FedRAMP services currently available in Azure Government.
- And while FedRAMP High in the Azure public cloud will meet the needs of many US government customers, agencies with more rigorous requirements will continue to rely on Azure Government.
Microsoft Azure government cloud services offer many services compliant with FedRAMP for detailed oversight and access to necessary resources, for example, the FedRAMP High Blueprint. This product assists customers in deploying a steady, secure foundation of policies for any Azure-deployed architecture, which requires the implementation of FedRAMP High controls.
Since gaining approval at the highest level within FedRAMP, Federal Agencies can now benefit from cost savings and complex security practices. Now, any Government agency can utilize the Azure P-ATO in its own security authorization process and rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.
Microsoft continues to enhance Azure’s Cloud environment to provide commitment towards total Government compliance, particularly with FedRAMP. Azure provides more compliance offerings than any other Cloud Service Provider.
Amazon Web Services (AWS) Services
Like other types of cloud deployment models, Amazon Web Services (AWS) also offers cloud solutions that are FedRAMP compliant, and have been granted provisional Moderate and High Impact Authorizations for specific services.
AWS shows compliance for the FedRAMP security assessment framework requirements by:
- Addressing the FedRAMP security controls relating to NIST SP 800-53
- Implementing FedRAMP templates located in the FedRAMP repository
- Being assessed by a trusted independent third party assessor (3PAO) to ensure an independent validation of technical, management, and operational security controls against the FedRAMP NIST guidelines and regulations.
- Sustaining continuous monitoring requirements of FedRAMP
AWS GovCloud (US) is an AWS Region designed to allow US government agencies and customers to support the U.S. government to move more sensitive workloads, like CUI, PCI, PII, patient data, and financial records, into the cloud. AWS GovCloud (US-East) and (US-West) Regions are operated by employees who are U.S. citizens on U.S. soil.
The services in the scope of the AWS GovCloud (US) boundary at high baseline security categorization can be found within AWS Services in Scope by Compliance Program.
AWS US East-West, an AWS public region designed for Commercial (and even Government), has been granted a JAB P-ATO and an A-ATO for moderate impact level. The services in the scope of the AWS US East-West JAB P-ATO boundary at Moderate baseline security categorization can be found within AWS Services in Scope by Compliance Program.