FedRAMP High Agency Authority to Operate on VMware Cloud on AWS GovCloud (US): What it Means for the Public Sector

Washington Monument skyline at night

FedRAMP High Agency Authority to Operate on VMware Cloud on AWS GovCloud (US): What it Means for the Public Sector

VMware recently announced its VMware Cloud on AWS GovCloud (US) achieved FedRAMP Agency Authority to Operate (ATO) at the High Impact Level. High Impact is the most secure authorization level a cloud service provider can achieve through FedRAMP, the Federal Risk and Authorization Management Program.

VMware Cloud on AWS gives public sector IT teams an on-demand, scalable hybrid cloud service, enabling those teams to seamlessly extend, migrate and protect their infrastructure in the cloud.

This announcement has big implications for the public sector, especially for the organizations already using VMware in some capacity — which is a majority of agencies. 

What the FedRAMP High Agency ATO means for government agencies

Within the industry, FedRAMP and FISMA (Federal Information Security Management Act) are often spoken about interchangeably. While both are based on NIST 800-53 and have an end goal of ensuring government data is protected, here’s a quick overview of the distinction: 

  • FISMA offers guidelines to government agencies through a series of controls on how to protect systems and data, in transit or at rest – providing the baseline controls an agency must achieve for a workload whereas the workload is not already accredited by FedRAMP
  • FedRAMP is more stringent and provides an accreditation, controls, documentation, and instructions which can be inherited in an agency ATO

FedRAMP approval means a third party has reviewed a software offering and confirmed it meets FISMA control specifications if deployed per the FedRAMP approved process, which can save agencies a tremendous amount of time and reduce the strain on agency engineering teams. 

NIST 800-53 prescribes controls for systems that have been categorized using the guidance found in FIPS-199 concerning confidentiality, integrity, and availability of data. Workloads that have not been categorized and had the proper controls deployed for the appropriate FISMA classification are not ready for production data.

With the achievement of FedRAMP ATO, government agencies within the public sector can now experience the benefits of VMware Cloud on AWS more rapidly. 

Absent an ATO, the agency is often limited to testing workloads using sample data in development or test environments. FedRAMP inheritance provides an agency the fastest path to deploying a workload into production and achieving an agency ATO. 

With the achievement of FedRAMP ATO, government agencies within the public sector can now experience the benefits of VMware Cloud on AWS more rapidly. For example, an agency can deploy VMware Cloud on AWS GovCloud (US) with the FedRAMP package and inherit all the security controls available within the FedRAMP assessment. 

Data center migration to VMware Cloud on AWS GovCloud (US)

Many organizations have time-limited data center leases. When the next data center lease renewal is on the horizon, the decision to stay in a physical data center or vacate to the cloud is likely part of the overall financial analysis.

Planning to vacate a physical data center can quickly become stressful. Do you need new contracts in place? More engineers? What kind of resources are required? What technical debt is incurred by the decision to vacate?

Agencies are rapidly consolidating and moving away from the physical data center model. Renewing data center leases because “our agency couldn’t get out in time” becomes a less than desirable option. However, the alternative agencies frequently turn to is to try and accelerate modernization — often while misjudging their true technical debt. This often leads to missed timelines, last minute data center lease extensions and a re-baselining of the overall project with new unplanned funding.  

Most agencies are not running physical data center operations on bare metal. Many already have VMware in place, today. An agency with VMWare wants to migrate their applications, workloads, and data to the cloud, quickly — they don’t want to take the time to refactor everything to cloud native infrastructure.

By moving to VMware Cloud on AWS GovCloud (US), agencies can implement a more expedient option: Inherit the FedRAMP ATO and then rapidly and safely move each workload to the cloud while assured the workloads and data remain secure and compliant. In doing so, they can also continue to use standard tools, training, skills, and capabilities on which their staff is already trained.

By moving to VMware Cloud on AWS GovCloud (US), agencies can implement a more expedient option: Inherit the FedRAMP ATO and then rapidly and safely move each workload to the cloud while assured the workloads and data remain secure and compliant.

With this approach, agencies can approach cloud modernization as a marathon, versus a sprint thereby avoiding hasty decisions that could lead to greater problems down the road.

Benefits of VMware Cloud on AWS GovCloud (US)

FedRAMP provides a “do it once, use it many times” framework for government agencies. The benefits of migrating to VMware Cloud on AWS GovCloud (US) can be significant. Consider the following key advantages:

  • Minimal disruption to operations
    The public expects our government to protect data and maintain continuity of operation, especially during times of national emergency. Moreover, the public expects the government to modernize Information Technology investments. VMware Cloud on AWS empowers agencies to continue normal operations during a migration, and allows for a “sandbox” of sorts — empowering development teams to run tests in virtualized environments without risking the foundational integrity of the production workloads. 
  • Substantial time savings during migration
    VMware Cloud on AWS is the fastest way for agencies to move workloads that are currently virtualized to the cloud. Many government agencies tend to shy away from services that haven’t achieved FedRAMP accreditation because of the additional investment in time and money required to meet FISMA requirements using non-FedRAMP’ed tools. A FedRAMP ATO helps streamline the entire process. 
  • Access to AWS innovation 
    Once agencies have made the migration from on-premises to VMware Cloud on AWS, they have a far broader set of options for modernization, including powerful AWS cloud native services and features.  
  • Smaller learning curves
    The FedRAMP ATO provides government agencies with accreditation, controls, documentation, and instructions they need to protect their data. Agencies can move virtual machines (VMs), workloads, and data to AWS inside VCenter without significant investment in learning AWS native tools and services. 
  • Reduced cost for VMware users
    For organizations vacating an on-premises data center and using VMware currently, migration costs will be reduced. It is seamless to migrate all workloads via VCenter and move the VMs from the on-premises data center onto AWS.

This FedRAMP ATO achievement for VMware Cloud on AWS GovCloud (US) highlights the value government agencies can realize from migrating to the cloud. We’re already seeing a mindset shift in government agencies, as more organizations start realizing what the cloud can do for them. The FedRAMP ATO at the High Impact Level will only accelerate the capabilities of these agencies.  

Want to see additional ways the cloud can help innovation within the public sector? Click here for more.

Michael Bryant is Vice President, Public Sector Strategy at Effectual, Inc.