Below is a list of frequently asked questions about FedRAMP.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at http://www.fedramp.gov.
The Cloud First policy mandates that agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. The Office of Management and Budget (OMB) mandate states that agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.
Yes, AWS is a FedRAMP Compliant Cloud Service Provider (CSP) with authorization packages that can be leveraged by any federal, state and local government. AWS has completed the testing performed by a FedRAMP-accredited Third Party Assessment Organization (3PAO) and has been granted two initial Agency Authority to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements. AWS’ compliance with FedRAMP requirements was achieved based on testing performed against the stringent set of FedRAMP requirements (NIST 800-53 Rev. 3 – Moderate baseline requirements, plus additional FedRAMP security controls). The AWS security assessment was performed by a FedRAMP-accredited 3PAO, Veris Group, LLC. The HHS authorization validates AWS’ security posture at the Moderate impact level to store, process, and protect a diverse array of sensitive government data. The assessment and associated ATOs have been registered in the FedRAMP repository, which allows government agencies to evaluate AWS’ security and gives them the opportunity to store, process, and maintain a diverse array of sensitive government data within the AWS cloud. Subsequent to the initial Agency ATOs provided by HHS, additional agencies have granted AWS ATOs based on the documentation stored in the FedRAMP repository.
Yes, customers can evaluate the suitability of AWS for their High-impact workloads. Currently, FedRAMP only applies to cloud computing systems up to the Moderate impact level; however, AWS already meets many of the NIST 800-53 High controls. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
AWS has two separate FedRAMP Agency ATOs in the FedRAMP Repository: one ATO applicable to the AWS US East/West regions, and the other applicable to the AWS GovCloud (US) Region.
AWS US East/West is a multi-tenant public cloud for federal, state, and local government customers, as well as enterprise customers, and is designed to meet a wide range of regulatory requirements, including government compliance and security requirements.
AWS GovCloud (US) is an AWS Region designed to allow US government agencies, contractors and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements, such as ITAR, which governs how organizations manage and store defense-related data. Additional information is available at http://aws.amazon.com/govcloud-us/.
The following services are in the accreditation boundary for the regions stated above:
AWS plans to onboard other AWS services in the future.
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
No. The AWS FedRAMP program follows the U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. AWS was formally assessed by a FedRAMP-certified third party assessor (3PAO) against the FedRAMP control baseline that all CSPs must be assessed against to be considered FedRAMP compliant. Regardless of whether a customer agency leverages a CSP’s Agency ATO or JAB P-ATO, each agency must still make its own accreditation determination based on the FedRAMP standardized assessment.
No, there is no increase in service costs for any region as a result of AWS’ FedRAMP compliance.
Yes, numerous government agencies, as well as other entities that provide systems integration and other products and services to governmental agencies, are using the wide range of AWS services today.
Yes. With the award of these ATOs, AWS has demonstrated it can meet the extensive FedRAMP security requirements, and as a result an even wider range of federal, state, and local government customers can leverage AWS’ secure environment to store, process, and protect a diverse array of sensitive government data. All AWS customers using the public cloud infrastructure, even those not subject to FedRAMP requirements, benefit from the added security measures implemented as part of the AWS FedRAMP compliance program.
Agencies and federal contractors can immediately request access to the AWS HHS ATO packages by submitting a FedRAMP Package Access Request Form and begin moving through the authorization process to achieve an ATO using AWS. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at http://www.fedramp.gov.
The Joint Authorization Board (JAB) authorizes a system on behalf of the entire federal government by issuing a Provisional Authority to Operate (P-ATO). An agency authorizes a system on behalf of that agency alone by issuing an Agency ATO. The 3PAO assessment process and supporting artifacts are similar regardless of which authorization method is used. Both the FedRAMP JAB P-ATO and the Agency ATO meet FedRAMP requirements, and both allow customers to leverage AWS as Infrastructure as a Service (IaaS) and run government workloads in the cloud.
Within the FedRAMP Concept of Operations (CONOPS), once an authorization has been granted, the Cloud Service Provider’s (CSP’s) security posture is monitored according to the assessment and authorization process. To receive reauthorization of a FedRAMP Provisional Authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering remains acceptable. AWS is in the process of outlining and updating its continuous monitoring program based on the FedRAMP Program Management Office DRAFT program outline. AWS will update this FAQ with more specific elements as they are implemented.
To request more information related to AWS FedRAMP, DIACAP and/or FISMA compliance, please contact AWS Sales and Business Development.