Microsoft cloud on the cusp of high-impact provisional ATO

Azure Government may receive the new FedRAMP accreditation within the month, Microsoft said.

Azure Government, Microsoft’s federal cloud services platform, announced it is on the cusp of receiving the Federal Risk and Authorization Management Program’s high-impact provisional authority to operate — a new accreditation that would allow it to store highly sensitive government data in the cloud.

If it succeeds, Azure would be one of the first cloud providers to receive a FedRAMP high-impact P-ATO. To date, Azure and other cloud providers, like Amazon Web Services, have achieved only a “moderate impact” certification, limiting the sensitivity of data they can store in their cloud services. 

FedRAMP first released its high-impact baseline for cloud security to the public in January. In a blog post, Microsoft Cloud Security Director Matt Rathbun said Azure Government participated in a FedRAMP pilot to help test out the benchmarks cloud providers must reach to store the highest tiers of secured data. After completing the pilot, Azure Government submitted for a high-impact P-ATO. 

Rathbun said that FedRAMP could sign off on the P-ATO certification within a month. 


“The creation of the FedRAMP High Security Baseline is essential in allowing agencies to migrate more high-impact level data to the cloud,” Matt Goodrich, director for FedRAMP’s Program Management Office at the General Services Administration, said in the post. “Selecting Microsoft Azure Government to participate in FedRAMP’s High Impact baseline pilot and its forthcoming Provisional Authority to Operate (P-ATO) from the FedRAMP JAB are testaments to Microsoft’s ability to meet the government’s rigorous security requirements.”

Microsoft also announced that Azure finalized a security assessment report that will qualify it for Defense Information Systems Agency Impact Level 4 authorization, allowing it to handle Department of Defense data marked as “for official use only,” “law enforcement sensitive” or “sensitive security information.”

In a bid to achieve DISA Level 5 authorization — the second highest level — Microsoft will also establish two new physically isolated regions, designated U.S. DOD East and U.S. DOD West, catered specifically to the Defense Department’s stringent security standards. It is projected to be operational by 2017.

Latest Podcasts