The U.S. Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing continues to be a major catalyst in how federal agencies achieve operational efficiencies and innovate on demand to advance their missions across the nation. That is why many federal agencies today use AWS' utility-based cloud services to process, store, and transmit federal government data.
The U.S. Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" model to ensure cloud-based services have adequate information security, eliminate duplication of effort, reduce risk management costs, and accelerate government-wide cloud adoption. FedRAMP conforms to the National Institute of Standards and Technology (NIST) 800 Series Special Publications to verify that all authorizations are compliant with the Federal Information Security Management Act (FISMA).
The Cloud First Policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP program office has outlined five requirements for FedRAMP compliance:
1. The cloud service provider (CSP) has been granted an Authority to Operate (ATO) by a Federal Agency
2. The CSP addresses the FedRAMP security control requirements, which are aligned to the NIST 800-53, Rev. 4 security control baseline for the moderate impact level.
3. All system security packages must use the required FedRAMP templates.
4. The CSP was assessed by an independent assessor, i.e. a FedRAMP-accredited third-party assessment organization (3PAO).
5. The completed security assessment package is posted in the FedRAMP secure repository.
There are three paths for a CSP to become FedRAMP compliant:
1. JAB Provisional Authorizations (JAB P-ATOs) Path
CSPs on the JAB P-ATO path are reviewed by the FedRAMP PMO, assessed by a FedRAMP-accredited 3PAO, and receive a P-ATO from the Joint Authorization Board (JAB), which consists of the CIOs of DHS, DoD, and GSA.
2. Agency FedRAMP Authorizations (A-ATOs) Path
CSPs on the Agency Authorization path are reviewed by a customer agency's CIO or Delegated Authorizing Official(s) to achieve a FedRAMP-compliant ATO that has been verified by the FedRAMP PMO.
3. CSP Supplied Packages Path
CSPs on the CSP Supplied Package path have submitted to the FedRAMP PMO a completed Security Assessment Package that has been assessed by a FedRAMP-accredited 3PAO.
Yes. AWS is a FedRAMP-compliant CSP. AWS was assessed by Veris Group, LLC, a FedRAMP-accredited 3PAO, and has been granted two Agency FedRAMP Authorizations by the U.S. Department of Health and Human Services (HHS) after demonstrating compliance with the FedRAMP security requirements. The HHS authorization confirms that AWS's security posture meets the rigorous requirements of FedRAMP, which lets customers save the time and resources an agency-level ATO would otherwise require. Many federal customers have already leveraged the AWS infrastructure and security controls documented in the ATO, allowing them to focus on architecting a solution that meets their agency's requirements.
The following services are in the accreditation boundary for the regions stated above:
Yes, customers can evaluate their workloads for suitability with other AWS services. Please contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, FedRAMP only applies to cloud computing systems at the FISMA low and moderate impact levels. However, AWS already meets many of the NIST 800-53 High baseline controls, and we have developed the AWS FISMA-High workbook for customers who want to build on the NIST Moderate baseline to field FISMA-High applications and services for their critical workloads. Please contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
AWS provides a wide range of security functionality that customers can use to protect their data in accordance with federal and DoD security guidelines. We continually iterate on the security tools we provide and regularly release enhancements to existing security functionality. For additional information and solutions for securing your data in the cloud, please refer to the following AWS security guidance:
AWS customers and prospective AWS customers can request the relevant agency or partner FedRAMP packages directly from AWS. Please reach out to your sales account manager or technical account manager to initiate the request, or submit a request through our Contact Us form. If you have other questions or no other contact at AWS, please email us at firstname.lastname@example.org.
Additionally, agencies can request access to the AWS HHS ATO packages by submitting a FedRAMP Package Access Request Form through the FedRAMP PMO. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at http://www.fedramp.gov.
Federal customers can leverage our FedRAMP packages and authorizations in order to accelerate their Security Assessment and Authorization (SA&A) efforts.
In support of our federal customer base, we provide a package of security guidance and documentation to help customers understand security and compliance while using AWS as a federal hosting solution. In particular, we provide a System Security Plan (SSP) template based on NIST 800-53 Rev. 4 that is prepopulated with the applicable control baselines. Each control in the template is marked as implemented by AWS, shared between AWS and the customer, or fully the customer's responsibility, and the AWS and shared portions are prepopulated where applicable.
To request access to AWS's security documentation for federal customers, or for contractors conducting business with the federal government, please contact AWS Sales and Business Development or send an email to email@example.com.
Using the security functionality provided by AWS and our ecosystem of vendors, you can control and monitor how you build highly available systems that incorporate your agency's security, privacy, and enterprise risk management policies.
Take it from our customers, partners, and system integrators - read about the value they have achieved with AWS:
AWS Case Studies
Under the FedRAMP Concept of Operations (CONOPS), once an authorization has been granted, the CSP's security posture is monitored according to the assessment and authorization process. To retain a FedRAMP Authorization from year to year, a CSP must monitor its security controls, assess them on a regular basis, and demonstrate that the security posture of its service offering remains acceptable. Federal agencies leveraging the FedRAMP continuous monitoring program, through their Authorizing Officials (AOs) and designated teams, are responsible for reviewing AWS's ongoing compliance. AOs and their designated teams review the artifacts provided through the AWS FedRAMP continuous monitoring process, together with evidence of the implementation of any agency-specific controls required beyond the FedRAMP controls, on a continuous, ongoing basis. For additional information, please refer to your agency's information system security program or policy.