The U.S. Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing continues to be a major catalyst in how the federal government can achieve operational efficiencies and innovate on demand to advance its mission across the nation. That is why many federal agencies today are using AWS' utility-based cloud services to process, store, and transmit federal government data.


The U.S. Federal Risk and Authorization Management Program (FedRAMP℠) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” model to ensure cloud-based services have adequate information security, eliminate duplication of effort, reduce risk management costs, and accelerate government-wide cloud adoption. FedRAMP conforms to the National Institute of Science & Technology (NIST) 800 Series Special Publications to verify that all authorizations are compliant with the Federal Information Security Management Act (FISMA).


The Cloud First Policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP program office has outlined five requirements for FedRAMP compliance:
1. The cloud service provider (CSP) has been granted an Authority to Operate (ATO) by a Federal Agency.
2. The CSP addresses the FedRAMP security control requirements that are aligned to the NIST 800-53, Rev. 4 security control baseline for moderate impact levels.
3. All system security packages must use the required FedRAMP templates.
4. The CSP was assessed by an independent auditor.
5. The completed security assessment package is posted in the FedRAMP secure repository.

There are three paths for CSPs to be FedRAMP Compliant:

1. JAB Provisional Authorizations (JAB P-ATOs) Path

CSPs with a FedRAMP P-ATO path are reviewed by the FedRAMP PMO, assessed by a FedRAMP accredited 3PAO, and have received a P-ATO from the DHS, DOD, and GSA CIOs.

2. Agency FedRAMP Authorizations (A-ATOs) Path

CSPs with an Agency Authorization path are reviewed by a customer Agency CIO or Delegated Authorizing Official(s) to achieve a FedRAMP compliant ATO that has been verified by the FedRAMP PMO.

3. CSP Supplied Packages Path

CSPs with a CSP Supplied Package have submitted to the FedRAMP PMO a completed Security Assessment Package that has been assessed by a FedRAMP accredited 3PAO.


Yes. AWS is a FedRAMP compliant CSP. AWS was assessed by the Veris Group, LLC, an accredited FedRAMP 3PAO, and has been granted two Agency FedRAMP Authorizations by the US Department of Health and Human Services (HHS) after demonstrating compliance with the FedRAMP security requirements. The HHS authorization confirms that AWS’s security posture meets the rigorous requirements of FedRAMP, enabling customers to save both the time and resources required for an agency-level ATO. Many federal customers have already leveraged the AWS infrastructure and security controls documented in the ATO, allowing them to simply focus on architecting a solution that meets their agency’s requirements.

For a complete list of current AWS Agency Authorizing Officials, please visit AWS FedRAMP security package is posted in the FedRAMP repository.

Two separate FedRAMP Agency ATOs have been issued; one encompassing the AWS GovCloud (US) Region, and the other covering the AWS US East/West regions.


No, there is no increase in service costs for any region as a result of AWS’s FedRAMP compliance.


The following services are in the accreditation boundary for the regions stated above:

  • Amazon Redshift. Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools [currently only in AWS US East/West Regions].
  • Amazon Elastic Compute Cloud (Amazon EC2). Amazon EC2 provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.
  • Amazon Simple Storage Service (S3). Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
  • Amazon Virtual Private Cloud (VPC). Amazon VPC provides the ability for you to provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
  • Amazon Elastic Block Store (EBS). Amazon EBS provides highly available, highly reliable, predictable storage volumes that can be attached to a running Amazon EC2 instance and exposed as a device within the instance.
  • AWS Identity and Access Management (IAM). IAM enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.

Yes, customers can evaluate their workloads for suitability with other AWS services. Please contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.

Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, FedRAMP only applies to cloud computing systems at the FISMA low and moderate impact levels; however, AWS already meets many of the NIST 800-53 High controls, and we have developed the AWS FISMA-High workbook for our customers who are looking to expand on the NIST Moderate baseline to build FISMA-High applications and services to support their critical workloads. Please contact our AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.


AWS provides a wide range of security functionality that can be used by our customers to protect their data in accordance with federal and DoD security guidelines. We are continually iterating on the existing security tools we provide our customers, and regularly release enhancements to existing security functionality. For additional information and solutions for securing your data in the cloud, please reference the following AWS Security guidance:

AWS customers and prospective AWS customers can request the relevant agency or partner FedRAMP packages directly from AWS. Please reach out to your sales account manager or technical account manager to initiate the request, or submit a request through our Contact Us form. Please contact us at if you have any other questions or have no other contacts at AWS.

Additionally, agencies can request access to the AWS HHS ATO packages by submitting a FedRAMP Package Access Request Form through the FedRAMP PMO. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at


Federal customers can leverage our FedRAMP packages and authorizations in order to accelerate their Security Assessment and Authorization (SA&A) efforts.

In support of our federal customer base, we provide a package of security guidance and documentation to enhance their understanding of security and compliance while using AWS as a federal hosting solution. In particular, we provide an SSP template based upon NIST 800-53 Rev. 4, which is prepopulated with applicable control baselines. The controls within the template are prepopulated where applicable from AWS, shared between AWS and the customer, or fully the responsibility of the customer.

To request access to AWS's security documentation as it pertains to federal customers, or contractors conducting business with the federal government, please contact AWS Sales and Business Development or send an email to

Using the security functionality provided by AWS and our ecosystem of vendors, you are able to control and monitor how you build available systems that incorporate your agency’s security, privacy, and/or enterprise risk management policies.

Take it from our customers, partners, and system integrators - read about the value they have achieved with AWS:


Appian Cloud leverages Amazon Web Services' infrastructure and FedRAMP authorization.

AWS Case Studies

US Department of State

US Food and Drug Administration (FDA)

US Centers for Disease Control and Prevention (CDC)

NASA/JPL's Desert Research and Training Studies

NASA JPL and Amazon SWF

NASA/JPL's Mars Curiosity Mission

1000 Genomes Project




Within the FedRAMP Concept of Operations (CONOPS), once an authorization has been granted, the CSP’s security posture is monitored according to the assessment and authorization process. To receive reauthorization of a FedRAMP Authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable. Federal agencies leveraging the FedRAMP continuous monitoring program, and the Authorizing Officials (AO) and their designated teams, will be responsible for reviewing the ongoing compliance of AWS. AOs and their designated teams will review artifacts provided through the AWS FedRAMP continuous monitoring process in addition to evidence of the implementation of any agency-specific controls required beyond the FedRAMP controls on a continuous, ongoing basis. For additional information please refer to your agency’s information system security program or policy.
