Skip to main content
Skip to main content
Microsoft 365

Office 365 receives FedRAMP Authority to Operate (ATO) from HHS OIG

Bill Birkholz is the principal program manager for the Office 365 Trust team and Vijay Kumar is the senior product manager for the Office 365 team.

We are pleased to announce that Microsoft Office 365 has been granted FedRAMP Authority to Operate (ATO) by the Department of Health and Human Services Office of the Inspector General (HHS OIG). Office 365 is a multi-tenant cloud that includes government specific instances of services such as Exchange Online, SharePoint Online and Lync Online.  Government-specific instances of Office 365 services are designated for use solely by U.S federal, tribal, state and local government customers, and Federally Funded Research and Development Centers (FFRDCs).

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program whose goal is to accelerate adoption of secure cloud solutions and provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. You can read more about FedRAMP here.

Office 365 has completed testing against the stringent set of FedRAMP requirements, based on NIST 800-53, by Dynamic Research Corporation, a FedRAMP accredited Third Party Assessment Organization (3PAO).  The HHS OIG authorization further validates Office 365 security at the Moderate impact level to store, process and protect sensitive government data.

“Microsoft’s authorization with HHS OIG makes Office 365 the first cloud based email and collaboration service to obtain a FedRAMP authorization,” said Matt Goodrich, acting FedRAMP director at the General Services Administration. “Microsoft worked with the HHS OIG and the FedRAMP PMO to demonstrate Office 365’s adherence to the stringent FedRAMP security requirements that are critical for U.S. government adoption of cloud services.”

You can read more about this news on the government website.

Security and compliance are important for all customers of Office 365 and are core to how we design and manage the service. As we rapidly innovate in productivity services with Office 365, we will continue to invest in making Office 365 a service that is highly secure and compliant with global as well as regional and industry specific standards and regulations.  You can learn more about security and compliance in Office 365 by visiting the Office 365 Trust Center.

Frequently asked questions

Q. What is FedRAMP?

A. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for Federal Agency cloud deployments and service models. Additional information on FedRAMP, including the FedRAMP Security Assessment Framework (SAF) and Guide to Understanding FedRAMP, can be found at:

Q. Why is FedRAMP important?

A. FedRAMP is based on the stringent security requirements defined by NIST 800-53 standard and provides a uniform approach to risk based management. Through this uniform approach, FedRAMP allows federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.

Q. What level of FedRAMP does Office 365 meet?

A.Office 365 has been assessed at a moderate level by a 3PAO (Third-party Assessment Organization) and awarded a FedRAMP ATO from HHS OIG.

Q. Which Office 365 plans or SKUs does FedRAMP ATO apply to?

A. FedRAMP ATO applies to Office 365 Government plans in the US – E1, E3, E4 and standalone plans like Exchange Online Plan 1, Exchange Online Plan 2 etc. Office 365 Government plans in the US are also referred to as the Government Community Cloud (GCC).

Q. How does FedRAMP ATO help Office 365 customers that use commercial plans or customers that are not US Government agencies?

A. Office 365 Government in the U.S. or ‘Government Community Cloud’ (GCC) as it is commonly known, is built on the same multi-tenant service as the commercial Office 365 plans. The majority of the processes and technology that help the Government Community Cloud meet the strict FedRAMP standards are identically implemented in the Office365 commercial plans.  This ATO signifies Microsoft’s commitment to ensuring Office 365 is highly secure and compliant with important industry and government standards and regulations.

You may also like these articles

Image for: Customer using a mobile device to make a secure coffee shop purchase.
• 1 min read

A special offer for small businesses using Google’s legacy G Suite

Now through July 2023, small businesses like yours can get a 60 percent discount on a 12-month Microsoft 365 Business Basic, Business Standard, or Business Premium subscription.

Image for: Logo for the "Rise of the IT leader" infographic, with an arrow pointing upward.
• <1 min read

The rise of the IT leader

Gain insights to help you become an IT leader.

Image for: Featured image displays two employees holding documents, engaged in a meeting.
• 1 min read

Collaboration hacks from real-life teams

Download the new eBook, “Collaboration hacks from real-life teams,” to learn how companies have reinvented their workplace culture to compete in an information-intensive, interconnected world, where innovation happens in real-time, around the clock and across time zones and geographies.