Skip to main content
Microsoft 365
Subscribe

Office 365 receives FedRAMP Authority to Operate (ATO) from HHS OIG

Bill Birkholz is the principal program manager for the Office 365 Trust team and Vijay Kumar is the senior product manager for the Office 365 team.

We are pleased to announce that Microsoft Office 365 has been granted FedRAMP Authority to Operate (ATO) by the Department of Health and Human Services Office of the Inspector General (HHS OIG). Office 365 is a multi-tenant cloud that includes government specific instances of services such as Exchange Online, SharePoint Online and Lync Online.  Government-specific instances of Office 365 services are designated for use solely by U.S federal, tribal, state and local government customers, and Federally Funded Research and Development Centers (FFRDCs).

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program whose goal is to accelerate adoption of secure cloud solutions and provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Office 365 has completed testing against the stringent set of FedRAMP requirements, based on NIST 800-53, by Dynamic Research Corporation, a FedRAMP accredited Third Party Assessment Organization (3PAO).  The HHS OIG authorization further validates Office 365 security at the Moderate impact level to store, process and protect sensitive government data.

“Microsoft’s authorization with HHS OIG makes Office 365 the first cloud based email and collaboration service to obtain a FedRAMP authorization,” said Matt Goodrich, acting FedRAMP director at the General Services Administration. “Microsoft worked with the HHS OIG and the FedRAMP PMO to demonstrate Office 365’s adherence to the stringent FedRAMP security requirements that are critical for U.S. government adoption of cloud services.”

Security and compliance are important for all customers of Office 365 and are core to how we design and manage the service. As we rapidly innovate in productivity services with Office 365, we will continue to invest in making Office 365 a service that is highly secure and compliant with global as well as regional and industry specific standards and regulations.

Frequently asked questions

Q. What is FedRAMP?

A. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for Federal Agency cloud deployments and service models.

Q. Why is FedRAMP important?

A. FedRAMP is based on the stringent security requirements defined by NIST 800-53 standard and provides a uniform approach to risk based management. Through this uniform approach, FedRAMP allows federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.

Q. What level of FedRAMP does Office 365 meet?

A.Office 365 has been assessed at a moderate level by a 3PAO (Third-party Assessment Organization) and awarded a FedRAMP ATO from HHS OIG.

Q. Which Office 365 plans or SKUs does FedRAMP ATO apply to?

A. FedRAMP ATO applies to Office 365 Government plans in the US – E1, E3, E4 and standalone plans like Exchange Online Plan 1, Exchange Online Plan 2 etc. Office 365 Government plans in the US are also referred to as the Government Community Cloud (GCC).

Q. How does FedRAMP ATO help Office 365 customers that use commercial plans or customers that are not US Government agencies?

A. Office 365 Government in the U.S. or ‘Government Community Cloud’ (GCC) as it is commonly known, is built on the same multi-tenant service as the commercial Office 365 plans. The majority of the processes and technology that help the Government Community Cloud meet the strict FedRAMP standards are identically implemented in the Office365 commercial plans.  This ATO signifies Microsoft’s commitment to ensuring Office 365 is highly secure and compliant with important industry and government standards and regulations.