AWS becomes first agency-sponsored FedRAMP provider

Amazon Web Services Vice President of Worldwide Public Sector Teresa Carlson (Photo: David Stegon/FedScoop) Amazon Web Services Vice President of Worldwide Public Sector Teresa Carlson (Photo: David Stegon/FedScoop)

Amazon Web Services became the first vendor to receive agency authority to operate under the Federal Risk and Authorization Management Program when the Health and Human Services Department granted the company two ATOs.

The authorizations will allow all federal agencies to leverage the company’s approved ATO packages stored in the FedRAMP repository, the company said May 21.


“We feel like this is a tipping point for government agencies where they can begin to take advantage of a large commercial providers like AWS,” Teresa Carlson, vice president of worldwide public sector for AWS, said in an interview with FedScoop. “We’re here. We’re ready to go, and we’re open for business.”

Two vendors – CGI and Atomic Resources – have previously received ATOs, but both did it through FedRAMP’s Joint Advisory Board. FedRAMP officials have said the agency authorization model will become more of the standard as the FedRAMP model matures.

One of the ATOs covers the GovCloud region of the company’s infrastructure while the other the U.S. East/West regions of the cloud infrastructure.

Within those boundaries, agencies can use Amazon’s EC2 compute cloud, Simple Storage Service and Elastic Block Store, as well as its Virtual Private Cloud.

With this distinction, AWS has demonstrated it can meet the FedRAMP security requirements and as a result, an even wider range of government customers can leverage AWS’s secure environment to store, process and protect a diverse array of sensitive government data.


“The FedRAMP requirements raise the security bar for the agencies, results in uniform evaluations, and will provide government entities with immediate benefits of using the AWS Cloud,” said Stephen Schmidt, AWS chief information security officer.

The Veris Group served as the independent third-party assessment organization for the authorization.

“HHS worked closely with the FedRAMP program office and AWS to achieve FedRAMP compliance,” said Kevin Charest, HHS chief information security officer, in a prepared statement. “Utilizing the FedRAMP templates, HHS was able to maintain security requirements while achieving economies of scale.”

He continued, “HHS is pleased to be one of the first federal agencies to go through the FedRAMP process, and to issue an agency FedRAMP ATO. Our collaborative approach allowed all of HHS operating divisions to leverage that ATO and thereby reduce duplicative efforts, inconsistencies, and cost inefficiencies associated with current security authorization processes.”

Federal agencies who want to review and leverage the authorization package, can complete the form located here and email it to with the subject title “Leverage Authorization.”


According to AWS, more than 300 government agencies and 1,500 educational institutions now use the company’s services.

Latest Podcasts