Tag: ATO on AWS

What do AWS public sector customers need to know about the State Risk and Authorization Management Program (StateRAMP) and how can you use AWS to help meeting StateRAMP requirements? In this blog post, learn a quick recap on what StateRAMP is and how it differs from the similar Federal Risk and Authorization Management Program (FedRAMP). 

Since signing a framework agreement with the Government of Canada (GC) in 2019, AWS has developed an open source solution to automate the deployment of security controls for GC customers, which can reduce the time it takes to achieve an Authority to Operate (ATO). Natural Resources Canada (NRCan) used this solution to implement their cloud landing zone controls aligned with the Protected B, Medium Integrity, Medium Availability (PBMM) profile. They worked with AWS Partner Kainos to complete an ATO evidence package in only 60 days—a process that typically takes 18 months.

AWS is committed to supporting the mission of our Department of Defense (DoD) customers by providing innovative, efficient, and effective solutions. In support of this commitment, we are announcing the availability of DoD Cloud Infrastructure as Code (IaC) for AWS – a baseline that uses a collection of templates to enable defense mission owners to quickly build out secure, scalable cloud environments. DoD Cloud IaC for AWS is designed to help DoD organizations accelerate cloud adoption and support the rapid delivery of capabilities to the warfighter.

Government departments work hard to meet required security framework controls for cloud services, and obtaining an Authority to Operate (ATO) can sometimes take up to 18 months. To assist with this process, AWS developed the open-source AWS Secure Environment Accelerator (ASEA), a tool designed to help deploy and operate secure multi-account AWS environments. This post describes how government departments can more simply deploy a web application consisting of a single-page application (SPA), backend API, and database within ASEA.

Since its launch in June of 2019, the Authority to Operate on AWS (ATO on AWS) program has supported more than 300 US-based customers to meet their regulatory, security, and compliance requirements on AWS. To extend that support globally, Amazon Web Services (AWS) launched the Global Security and Compliance Acceleration (GSCA) initiative. The GSCA is now available to support customers in the United Kingdom (UK) and the European Union (EU).

Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies, agents, and contractors that access Federal Tax Information (FTI), to make sure they use policies, practices, controls, and safeguards to protect FTI confidentiality and integrity of FTI throughout its lifecycle. Safeguarding FTI is critical to agencies that receive, process, store or transmit FTI. AWS and AWS Partner programs enable agencies to protect FTI and the confidential relationship between the taxpayer and the IRS.

At AWS, we are mission focused. A mission is a purpose—supported by but not driven by IT. How can the AWS Partner Network (APN) help public sector partners and their customers meet their missions? No matter where you are in your journey to cloud adoption and IT modernization—from getting started, to easing the adoption of technology, to planning to take the solution to market, to growing beyond storage and compute, to renewing and scale—APN and its programs and initiatives can help. During my leadership session at AWS re:Invent 2020, I shared new and noteworthy AWS Public Sector Partner programs available to help partners keep their focus on their mission-critical work while also keeping it simple—and I shared some partner successes along the way.

Government agencies and public sector organizations need rapidly deployable and dependable security solutions to support their missions. In response to this need, AWS launched the Security Solutions for Government Workloads initiative under the Authority to Operate (ATO) on AWS Program. This initiative works with AWS Public Sector Partners, members of the AWS Partner Network (APN), to develop security solutions designed to meet the unique security and compliance requirements of public sector workloads.

Government agencies have accelerated their transition to the cloud over the last few years, and COVID-19 has accelerated the urgency and pace of that move. A benefit of moving to the cloud is increased security. But to realize this, new infrastructure must be implemented and managed correctly, using best practices and the right technologies. Working with our partners, AWS has helped dozens of solutions accelerate their FedRAMP authorizations. There are more than 100 FedRAMP-authorized solutions running on AWS.

Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptographic modules that protect sensitive information. It is the current United States and Canadian government standard, and is applicable to systems that are required to be compliant with Federal Information Security Management Act (FISMA) or Federal Risk and Authorization Management Program (FedRAMP). In this blog, we demonstrate how to enable FIPS mode in Amazon Linux 2 and verify that unauthorized cryptographic functions are not being used in OpenSSL or the OpenSSH server.