AWS Public Sector Blog

Helping more than 100 partners achieve FedRAMP Authority to Operate (ATO)

Government agencies have accelerated their transition to the cloud over the last few years, and COVID-19 has increased the urgency and pace of that move. A benefit of moving to the cloud is increased security. But to realize this, new infrastructure must be implemented and managed correctly, using best practices and the right technologies.

Fortunately, regulated industries have compliance frameworks to help solution providers know what they need to do to meet the highest security standards, and to be sure that those solutions will be reviewed in a consistent manner. Once the solutions have been documented, reviewed, and audited to ensure they meet the standards defined in a security framework, they can be certified or authorized for use. For instance, the U.S. federal government has a process called the Federal Risk and Authorization Management Program (FedRAMP) and solutions that pass FedRAMP audits are granted Provisional Authority to Operate (P-ATO) that can be leveraged or “reused” by agencies in their internal authorization processes.

Many technical solutions were not originally built with an expectation of having to meet these authorization requirements and may need to be re-engineered to provide necessary security and audit functionality. On top of that, securing solutions in the cloud may require different skills, processes, and tools than what many use for on-premises solutions today—and such expertise may not be readily available.

Therefore, pursuing an ATO can potentially be a time-consuming and expensive task. In some cases, the required time and cost can delay, or even prevent, the availability of solutions that would be valuable to government customers.

So, how can AWS help?

Under the AWS Shared Responsibility Model, many of the requirements for meeting and maintaining a secure environment and obtaining an ATO can be met by using AWS, which can simplify and reduce costs of the process. AWS implements and operates the security “of the cloud” and our customers and AWS Partner Network partners (Partners) implement and operate the security “in the cloud,” including content and applications. All of our commercial AWS Regions are authorized at FedRAMP Moderate and AWS GovCloud (US) Regions are authorized at FedRAMP High.

However, our customers and partners still need to meet compliance on their end as part of our Shared Responsibility Model, and this work can be burdensome if not done correctly. To help, AWS offers the ATO on AWS program. ATO on AWS is comprised of a community of validated AWS Partner Network (APN) Consulting Partners and solutions from APN Technology Partners as well as verified resources, templates, tools, and guidance that help simplify the development of compliant infrastructure for solution providers seeking assistance with regulatory compliance initiatives.

Working with our partners, AWS has helped dozens of solutions accelerate their FedRAMP authorizations. There are more than 100 FedRAMP-authorized solutions running on AWS including those from providers such as Blackboard, Crowdstrike, New Relic, Appian, FireEye, TalaTek, and Smartsheet.

FedRAMP is one of many security compliance frameworks important to our partners and customers. Through ATO on AWS, we also support solution providers and customers in their goal to meet compliance requirements for frameworks such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Health Information Trust Alliance (HiTRUST), Payment Card Industry (PCI) standards, and DoD Security Requirements Guide (SRG). Even customers who are not actively seeking a compliance authorization but who need to have a secure, manageable environment can benefit from these resources.

Check out the solutions that we offer on the Getting Started with Authority to Operate on AWS website. With more than 100 solutions, our partners have more pathways to achieving their FedRAMP designation than before. The ATO on AWS website also identifies the partners who specialize in building and managing environments to meet compliance requirements.

Organizations that are looking for support in their pursuit of a compliance authorization can find out more by visiting our site or by emailing ATOonAWS@amazon.com. Similarly, AWS Partners with expertise in or solutions for security and compliance who are interested in becoming an ATO on AWS Partner, or who already have a FedRAMP authorized solution on AWS that we can feature on our page, can send an email to ATOonAWS@amazon.com.

Read other articles by Sandy Carter.