Microsoft Azure Cloud receives FedRAMP provisional authorization

On September 30, Microsoft received a provisional authorization to operate (ATO) for its Windows Azure Public Cloud from the Joint Authorization Board (JAB) of the Federal Risk and Authorization Management Program (FedRAMP). Windows Azure offers infrastructure-as-a-service (IaaS), platform-as-as-service (PaaS), and data storage and management services to commercial and public sector clients. In order to meet FedRAMP requirements, Microsoft has designated multiple U.S.-based data centers with corresponding network and hardware infrastructure and application services, supported by U.S. personnel and protected by security measures that adhere to federal security policies, standards, and other requirements.

For its FedRAMP authorization, Microsoft chose to follow a process under which its security was assessed by SecureInfo, one of several third-party assessment organizations (3PAO) authorized by the JAB to help cloud service providers meet FedRAMP requirements and to perform FedRAMP evaluations and make recommendations to the JAB on the extent to which each provider complies with FedRAMP. The provisional authorization (P-ATO) granted by the JAB to Microsoft is not tied to any specific use of Azure services or to any individual federal agencies. Agencies may choose to evaluate projects or solutions leveraging Windows Azure to make their own authorization decisions or opt to accept the P-ATO as sufficient evidence that appropriate security requirements are being met. Vendors or solution providers looking to serve federal customers may find it valuable to use Azure to satisfy policies in place at many agencies that external service providers comply with federal security standards.