February 2021
Azure NetApp Files® meets U.S. FedRAMP criteria at the High and Moderate Impact Levels for Azure commercial cloud services and the High Impact Level for Azure Government cloud services.
Federal Risk and Authorizations Management Program (FedRAMP)
About FedRAMP
The Federal Risk and Authorizations Management Program (FedRAMP) is a U.S. government program that establishes a standardized approach to security risk assessment, authorization, and continuous monitoring for cloud products and services. The goal of the program is to promote the adoption of cloud services by the federal government in a reliable manner. In fact, the U.S. Office of Management and Budget requires all agencies “to protect any federal information that is collected, maintained, processed, disseminated, or disposed of by cloud service offerings, in accordance with FedRAMP requirements.”
The National Institute of Standards and Technology (NIST) SP 800-53 sets the standard and defines the security requirements that federal agencies must meet as part of FedRAMP. NIST SP 800-53 provides a catalog of security controls for the confidentiality, integrity, and availability of information systems that are designed to enable the assessment of information security at three impact levels. These levels of “low,” “moderate,” and “high” rank the impact that the compromise of confidentiality, integrity, or availability under each control could have on an organization.
Cloud service providers demonstrate FedRAMP compliance by submitting to an evaluation by a Third Party Assessment Organization (3PAO). The organization submits its assessment to a government agency or authorization board for provisional approval, which is referred to as a Provisional Authority to Operate (P-ATO).
Azure NetApp Files and FedRAMP
Through Microsoft Azure and Azure Government, Azure NetApp Files obtained a P-ATO from the Joint Authorization Board (JAB), the primary governance body for FedRAMP. Azure NetApp Files maintains a P-ATO at both High and Medium Impact Levels for Azure commercial cloud services and a High Impact Level for Azure Government cloud services. And, because NetApp multitenant cloud operations are built to the same exacting standards for every customer, entities outside the public sector have the assurance that Azure NetApp Files is designed to meet the controls of NIST SP 800-53.
Azure NetApp Files is also available in the Virginia data center of an Azure U.S. government region, with more regions coming soon. Azure Government regions are specifically designed to meet the security and regulatory compliance requirements of U.S. federal, state, and local agencies, and the Department of Defense. This means that U.S. public sector entities that require the attributes of Azure Government can take advantage of Azure NetApp Files for enterprise workloads such as virtualization, SAP, and high-performance analytics.
NetApp in-scope products and services
Azure NetApp Files
Audits, reports, and certificates
The ATO for Azure NetApp Files is held by Microsoft as part of the Azure® Commercial Cloud and Azure® Government FedRAMP authorizations and is listed on Azure services by FedRAMP audit scope for Azure public services and Azure Government services. Government customers can request access to the Azure FedRAMP packages on the FedRAMP Marketplace.
Note Azure is the registered trademark of Microsoft Corporation. Used with permission.
