Federal Risk and Authorizations Management Program (FedRAMP)

March 2023

Amazon FSx for NetApp ONTAP meets U.S. FedRAMP criteria at the High and Moderate Impact Levels for AWS US Regions and the High Impact Level for AWS GovCloud (US) Regions. Azure NetApp Files^® meets U.S. FedRAMP criteria at the High and Moderate Impact Levels for Azure commercial cloud services and the High Impact Level for Azure Government cloud services.

About FedRAMP

The Federal Risk and Authorizations Management Program (FedRAMP) is a U.S. government program that provides a standardized approach to security risk assessment, authorization, and continuous monitoring for cloud products and services. The goal of the program is to promote the adoption of cloud services by the federal government. In fact, the U.S. Office of Management and Budget requires all departments and agencies to “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services.”

The National Institute of Standards and Technology (NIST) SP 800-53 sets the standard and defines the security requirements that federal agencies must meet as part of FedRAMP. NIST SP 800-53 provides a catalog of security controls for the confidentiality, integrity, and availability of information systems, which is designed to enable the assessment of information security at three impact levels: High, Moderate, and Low. These levels categorize the potential impact that the compromise of confidentiality, integrity, or availability could have on an organization.

Cloud service providers demonstrate FedRAMP compliance by submitting to an evaluation by a Third Party Assessment Organization (3PAO). The organization then submits its assessment to the Joint Authorization Board (JAB), the primary governance body for FedRAMP, for provisional approval. This is referred to as a Provisional Authority to Operate (P-ATO). Once the JAB grants the P-ATO, the cloud service provider must then obtain an authorization (ATO) from a government agency.

NetApp and FedRAMP

Both Amazon FSx for NetApp ONTAP and Azure NetApp Files meet FedRAMP criteria.

Amazon FSx for NetApp ONTAP

Through Amazon Web Services (AWS), Amazon FSx for NetApp ONTAP obtained a P-ATO from the JAB. The FedRAMP authorization by the JAB covers both Moderate and High impact levels. This means that it can be used to meet the most critical data privacy and security requirements, including the U.S. Department of Defense and healthcare organizations.

Amazon FSx for NetApp ONTAP has FedRAMP High and Moderate authorizations in US East (N. Virginia), US East (Ohio), US West (N. California), and US West (Oregon), and FedRAMP High authorization in AWS GovCloud (US) Regions. This assures government agencies that FSx for ONTAP meets rigorous FedRAMP standards for security and risk assessments.

Azure NetApp Files

Through Microsoft Azure and Microsoft Azure Government, Azure NetApp Files obtained a P-ATO from the JAB. Azure NetApp Files maintains a P-ATO at both High and Medium Impact Levels for Azure commercial cloud services and a High Impact Level for Azure Government cloud services.

Azure Government regions are specifically designed to meet the security and regulatory compliance requirements of U.S. federal, state, and local agencies, and the Department of Defense. With multitenant cloud operations built to the same exacting standards for every customer, this means that U.S. public sector organizations and those outside the public sector can take advantage of Azure NetApp Files for enterprise workloads such as virtualization, SAP, and high-performance analytics.

Note Azure is the registered trademark of Microsoft Corporation. Used with permission.

NetApp in-scope products and services

Amazon FSx for NetApp ONTAP
Azure NetApp Files

Audits, reports, and certificates

The ATO for Amazon FSx for NetApp ONTAP is held by Amazon Web Services as part of the AWS Commercial Cloud and AWS GovCloud FedRAMP authorizations and is listed in AWS Services in Scope by Compliance Program (FedRAMP).

The ATO for Azure NetApp Files is held by Microsoft as part of the Azure^®️ Commercial Cloud and Azure^®️ Government FedRAMP authorizations and is listed on Azure services by FedRAMP audit scope. Government customers can request access to the AWS and Azure FedRAMP packages on the FedRAMP Marketplace.