AWS Public Sector Blog

Support FedRAMP and CMMC compliance with the Landing Zone Accelerator on AWS

Some US federal agencies and those who collaborate with them must support an automated, secure, and scalable multi-account cloud environment that meets Federal Risk and Authorization Management Program (FedRAMP) and Cybersecurity Maturity Model Certification (CMMC) standards.

To support these needs, Amazon Web Services (AWS) customers and partners can deploy the Landing Zone Accelerator (LZA) on AWS. The LZA solution deploys a cloud foundation that is architected to align with AWS best practices and multiple global compliance frameworks. With this solution, customers with highly regulated workloads and complex compliance requirements can better manage and govern their multi-account environment. When used in coordination with other AWS services, it provides a comprehensive low-code solution spanning more than 35 AWS services.

Recently, AWS worked with Coalfire, a FedRAMP-approved third-party assessment organization (3PAO) and AWS Partner, to assess and verify the LZA solution. Learn more about the process to assess the LZA and create a verified reference architecture (VRA) that supports FedRAMP and CMMC 2.0 standards.

Using the LZA verified architecture to reduce time to compliance

The Coalfire assessment and resulting artifacts for the LZA can help customers and partners reduce the time and effort for deploying their environment with the artifacts they need to support a security assessment.

Customers that need to align with CMMC 2.0 can map their requirements to the tested FedRAMP controls. For example, CMMC 2.0 Level 2 aligns with NIST SP 800-171r2. The CMMC Audit and Accountability (AU) domain requires retention of logs; that requirement maps to a NIST SP 800-171 control, which in turn maps to a FedRAMP control.

The AWS Landing Zone Accelerator Verified Reference Architecture Whitepaper is available for customer download in AWS Artifact, a go-to, central resource for compliance-related information, in both the AWS Standard and the AWS GovCloud (US) Regions.

Assessing the LZA for FedRAMP and CMMC controls

Coalfire used a verified reference architecture (VRA) methodology to assess the environment created by the LZA to simulate the compliance assessment of an expert compliance assessor or auditor – in this case, to verify that the environment meets FedRAMP High baseline.

In the assessment, Coalfire used the LZA solution to build a simulated environment in AWS GovCloud (US) to align with FedRAMP controls. The LZA deployed a cloud foundation that supports multi-account architecture, tenant account creation and management, identity and access management, governance, data security, network design, and logging. The LZA uses AWS services that are in scope of FedRAMP compliance.

Figure 1. Landing Zone Accelerator on AWS architecture in AWS GovCloud (US) Regions.

In this VRA, a Coalfire team of experts reviewed the LZA on AWS through architecture reviews and the collection of inventory, diagrams, and narratives. They requested artifacts and compared them against the controls, conducted subject matter expert (SME) interviews, and confirmed the Infrastructure as Code (IaC) practices in use.

Coalfire’s review determined that the LZA significantly supports the objectives and requirements of the FedRAMP High control baseline in scenarios similar to the one used in the reference architecture discussed in the whitepaper. The AWS Landing Zone Accelerator Verified Reference Architecture Whitepaper for FedRAMP breaks down the FedRAMP controls by the customer’s responsibility under the Shared Responsibility Model, by full and partial inheritance of FedRAMP controls from AWS GovCloud (US), and by LZA implementation. Coalfire determined that customers and partners can inherit FedRAMP High baseline controls from an LZA deployment in AWS GovCloud (US).

Coalfire observed that the environment deployed by the LZA and IaC base also:

Conclusion

The Coalfire assessment and resulting artifacts, including the AWS Landing Zone Accelerator VRA Whitepaper for FedRAMP and the LZA on AWS solution FedRAMP High coverage map document, are available for customer download in AWS Artifact in both the AWS Standard and the AWS GovCloud (US) Regions. These resources can help customers reduce the time and effort for deploying an environment that aligns with FedRAMP requirements. Customers that can map their requirements directly to FedRAMP controls, such as those aligning with CMMC, can also benefit from these artifacts.

While the Landing Zone Accelerator on AWS solution can help you align with frameworks and best practices, customers are responsible for making their own assessment of whether the use of the best practices meets their legal and regulatory requirements. Learn more about the latest on AWS FedRAMP solutions and compliance information here. If you have questions or need more information, please contact your AWS Sales Account Manager or the Global Security & Compliance Acceleration on AWS Program.

Learn more about how AWS supports federal government customers and how AWS supports defense customers, or contact us directly for more information.
