Below is a list of frequently asked questions about AWS FedRAMP compliance.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at http://www.fedramp.gov.
The Cloud First policy mandates that agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. And the Office of Management and Budgets (OMB) mandate states that agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo , OMB). One of the major benefits of FedRAMP is that it allows for federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.
Yes, AWS is a FedRAMP Compliant Cloud Service Provider (CSP). AWS has completed the testing performed by a FedRAMP-accredited Third Party Assessment Organization (3PAO) and has been granted two Agency Authority to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements. AWS’ compliance with FedRAMP requirements was achieved based on testing performed against the stringent set of FedRAMP requirements (NIST 800-53 Rev. 3 – Moderate baseline requirements, plus additional FedRAMP security controls). The AWS security assessment was performed by a FedRAMP-accredited 3PAO, Veris Group, LLC. The HHS authorization validates AWS’ security posture at the Moderate impact level to store, process, and protect a diverse array of sensitive government data. The assessment and associated ATOs have been registered in the FedRAMP repository and allow government agencies to evalute AWS’ security and the opportunity to store, process, and maintain a diverse array of sensitive government data within the AWS cloud.
Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, FedRAMP only applies to cloud computing systems at the FISMA low and moderate impact levels, however, AWS already meets many of the NIST 800-53 High controls. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Two separate FedRAMP Agency ATOs have been issued; one encompassing the AWS GovCloud (US) Region, and the other covering the AWS US East/West regions.
The following services are in the accreditation boundary for the regions stated above:
- Amazon Elastic Compute Cloud (Amazon EC2). Amazon EC2 provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.
- Amazon Simple Storage Service (Amazon S3). Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
- Amazon Virtual Private Cloud (Amazon VPC). Amazon VPC provides the ability for you to provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
- Amazon Elastic Block Store (Amazon EBS). Amazon EBS provides highly available, highly reliable, predictable storage volumes that can be attached to a running Amazon EC2 instance and exposed as a device within the instance.
- AWS Identity and Access Management (IAM). IAM enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
AWS plans to onboard other AWS services in the future.
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
No, there is no increase in service costs for any region as a result of AWS’s FedRAMP compliance.
Yes, numerous government agencies and other entities that provide systems integration and other products and services to governmental agencies are using the wide-range of AWS services today.
Agencies and federal contractors can immediately request access to the AWS HHS ATO packages by submitting a FedRAMP Package Access Request Form and begin to moving through the authorization process to achieve an ATO using AWS. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at http://www.fedramp.gov.
The Joint Advisory Board (JAB) authorizes a system on behalf of the entire federal government by issuing a Provisional Authority to Operate (P-ATO). An agency authorizes a system on behalf of their agency by issuing an Agency ATO. The 3PAO assessment process and supporting artifacts is similar regardless of which authorization method is used. Both the FedRAMP JAB P-ATO and Agency ATO meet FedRAMP requirements, and allow customers to leverage AWS as an Infrastructure as a Service (IaaS) and run government workloads in the cloud.
Within the FedRAMP Concept of Operations (CONOPS), once an authorization has been granted, the Cloud Service Provider’s (CSP’s) security posture is monitored according to the assessment and authorization process. To receive reauthorization of a FedRAMP Provisional Authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable. AWS is in the process of outlining and updating the continuous monitoring program based on the FedRAMP program management office DRAFT program outline. AWS will update the FAQ with more specific elements as they are implemented.
To request more information related to AWS FedRAMP, DIACAP and/or FISMA compliance please contact AWS Sales and Business Development.