Microsoft’s Global Foundation Services and Windows Azure Receive FedRAMP JAB P-ATO

Mark Estberg, Senior Director
Online Services Security & Compliance

I am pleased to announce that after a rigorous review process, Microsoft's Global Foundation Services (GFS) organization, in conjunction with Microsoft's Windows Azure cloud platform, has been granted  Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). The press release is available here. 

Two separate P-ATOs were granted - one for Windows Azure and one for GFS, which manages Microsoft's datacenters. The GFS General Support System P-ATO covers shared services in nine Microsoft datacenters located in the United States, including California, Illinois, Iowa, Texas, Virginia, and Washington.

The JAB process provides a rigorous review of cloud service providers which allows other agencies to leverage JAB authorizations. JAB members include representatives from the U.S. General Services Administration, Department of Defense, and Department of Homeland Security. The benefits of a P-ATO by the JAB include reuse by agencies, time and cost savings, as well as a consistent high bar of security evaluation. Additional information about FedRAMP and the JAB is available at the FedRAMP web site.

Microsoft approached the FedRAMP process by submitting separate Major Application and General Support System packages. This approach will assist government agencies in their future review of Microsoft's online and cloud services and reduce redundant reviews. Other Microsoft services, such as Office 365, will rely on the same GFS P-ATO and will be able to reuse the GFS evaluation and only the new components of the service will need to be reviewed by the JAB. The ability to build upon these proven components saves the acquiring agency effort and increases trust in Microsoft's cloud services by applying a well understood and transparent evaluation process. 

The benefits of the P-ATO extend beyond U.S. government agencies. The FedRAMP security assessment process uses a standardized set of requirements in accordance with FISMA with a baseline of NIST Special Publication 800-53 Revision 3 controls to grant security authorizations.  Microsoft has applied these requirements across GFS.

Operationally, we have included FedRAMP requirements into our security program. This increases the consistency and rigor of the security capabilities that GFS provides for Microsoft's 200+ online and cloud services which run on Microsoft's global portfolio of datacenters and networks.  These online services are used by 1 billion customers, and 20 million businesses in over 88 markets worldwide. We have integrated FedRAMP requirements into our GFS infrastructure security program, which already includes capabilities such as ISO/IEC 27001:2005 certification; SOC 1 (SSAE 16 and ISAE 3402) Type II, AT 101 SOC 2 Type II and SOC 3 attestations; HIPAA/HITECH capabilities; PCI Data Security Standard compliance; previous FISMA Certifications and Accreditations as well as additional capabilities. This benefits all of Microsoft's online and cloud customers. 

GFS, along with Microsoft's cloud services teams, look forward to building on the early successes of the FedRAMP program. U.S. agencies will be able to reduce their costs, cloud providers and evaluators will have effective and efficient criteria and processes, and, most importantly, the cloud industry will continue to move towards improved trust and transparency. Work remains and I am grateful for programs such as FedRAMP to continue the momentum. More to come later. 

- Mark Estberg, Senior Director, Online Services Security & Compliance