A growing number of military customers are adopting AWS' utility-based cloud services to process, store, and transmit Department of Defense (DoD) data.
AWS enables military organizations and their business associates to leverage the secure AWS environments to process, maintain, and store DoD data. AWS has attained provisional authorizations from the Defense Information Systems Agency (DISA).
AWS maintains two environments covered by DoD Provisional Authorizations: the US East and US West Regions and the AWS GovCloud (US) Region (for more details see the FAQ below):
- US East/West holds a DoD Impact Level (IL) 2 Provisional Authorization. The covered AWS services within US East/West that are already in scope of the DoD SRG IL2 authorization boundary can be found within AWS Services in Scope by Compliance Program.
- AWS GovCloud (US) holds DoD Provisional Authorizations at Impact Level 2 and 4. The covered AWS services within GovCloud (US) that are already in scope of the DoD SRG IL2 and IL4 authorization boundary can be found within AWS Services in Scope by Compliance Program.
As a DoD customer, you are also responsible for complying with DoD security guidance within your AWS application environment, to include the following:
• The mission owner requirements defined in the DoD Cloud Computing Security Requirements Guide (SRG)
• All relevant operating system security technical implementation guides (STIGs)
• All relevant application STIGs
• DoD ports and protocols guidance (DoDI 8551.01)
The infrastructure, governance and operating environment of AWS have been assessed and authorized through the FedRAMP and DoD authorization processes. As a customer deploying an application on the AWS infrastructure, you fully inherit the security controls pertaining to our physical, environmental and media protection controls, and no longer need to provide a detailed description as to how you comply with these control families. The remaining DoD Risk Management Framework (RMF) controls are shared between AWS and its customers, as each organization retains responsibility for implementation of these controls within their portion of the shared IT security model.
As an AWS customer, you are responsible for designing, deploying, managing and monitoring your AWS environment and applications, leveraging AWS features and third-party capabilities, including your own utilities, software, and applications. Using the security functionality provided by AWS and our ecosystem of vendors, you are able to build highly available systems that are also tightly controlled and monitored in accordance with your organization’s relevant policies.
Our DoD customers and vendors can leverage our FedRAMP and DoD authorizations in order to accelerate their certification and accreditation efforts. In support of the authorization of military systems hosted on AWS, we provide DoD security personnel with our security documentation as a means of verifying the security and compliance of AWS in accordance with applicable NIST controls (as defined by 800-53 rev4) and the DoD Cloud Computing SRG.
In support of our DoD customer base, we provide a package of security guidance and documentation to enhance their understanding of security and compliance while using AWS as a DoD hosting solution. In particular, we provide an AWS FedRAMP SSP template based upon NIST 800-53v4, which is prepopulated with the applicable FedRAMP and DoD control baseline. The inherited controls within the template are prepopulated by AWS; shared controls are the responsibility of both AWS and the customer; and finally, some controls are fully the responsibility of the customer.
To request access to AWS’ security documentation as it pertains to DoD customers, either a military organization or a contractor conducting business with the DoD, please contact AWS Sales and Business Development or send an email directly to our team at firstname.lastname@example.org.
Our government customers are quickly realizing that migration to the cloud is an opportunity to improve their level of security assurance and reduce operational risk. The AWS operating environment allows customers to realize a level of security and compliance that is only possible in an environment that is supported by high levels of automation. On AWS, our customers possess the ability to conduct audits on a continual basis rather than conducting periodic inventories and audits of their environment at a "point-in-time" as most DoD customers conduct within their traditional data centers. When you possess this level of visibility into your environment, it directly enhances your level of control of your data, and your ability to maintain assurance that only authorized users are gaining access.
DoD mission owners can realize higher levels of control over applications through programmatic enforcement of DoD security and compliance guidelines. Using AWS functionality, you can create pre-approved templates for common application use cases, reducing the time to authorize new applications. Through the use of such templates, DoD organizations can also ensure that application owners do not change vital security settings such as security groups and network ACLs, as well as enforcing the use of STIG hardened machine images. The programmatic enforcement of DoD security guidelines reduces the amount of manual configuration conducted by system administrators, significantly cutting down the chance of improper configuration, thereby reducing overall risk to the DoD. Our federal customers are already achieving higher levels of security assurance on AWS.
Customers in other compliance programs are also directly benefiting from using AWS to achieve their risk and compliance goals:
• HIPAA Compliance: Claritas Genomics had limited budget and needed low-cost IT resources that would allow it to meet HIPAA requirements.
• Financial Services Compliance: Challenged by steadily increasing market volumes and changing regulatory rules, FINRA turned to AWS.
• Financial Services Compliance: NASDAQ needed the ability to provide regulators with access to increasingly detailed financial information.
The DoD SRG is published to provide a standardized assessment and authorization process for CSPs to gain a DoD Provisional Authorization, which can subsequently be leveraged by DoD customers. A Provisional Authorization under the DoD guidance provides a reusable certification that attests to our compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS. Additional information on the SRG, including the full definition of the security control baselines defined for Levels 2, 4, 5 and 6, can be found here.
As a DoD mission owner, you are responsible for building out an authorization package that fully defines your implementation of the security controls applicable to your application. As with any traditional authorization package, you will need to document your security control baseline with a system security plan, and have this plan and its implementation reviewed by the relevant certification personnel from your DoD organization. As part of this review, your certification personnel or your authorizing official may wish to review the AWS authorization package in order to gain a holistic view of the security control implementation from top to bottom. After reviewing the security authorization packages of AWS and the mission owner, your authorizing official will have the information necessary to make an accreditation decision for your application, and grant an ATO.
For more information regarding the responsibility of DoD application owners operating on AWS, please consult our DoD Compliant Implementations in the AWS Cloud Whitepaper.
As a cloud service provider that has already been authorized by the DoD, AWS is required to undergo assessment against the FedRAMP+ controls established in the SRG. AWS completed this assessment and has received a full IL4 PA allowing mission owners to migrate production workloads including:
- Export Controlled Data
- Privacy Information
- Protected Health Information
- As well as other information requiring explicit CUI designation:
  - For Official Use Only
  - Official Use Only
  - Law Enforcement Sensitive
  - Critical Infrastructure Information
  - Sensitive Security Information
The SRG supports the overall Federal goal to increase utilization of cloud computing, and provides a means for the DoD to support this goal. On February 8, 2011, the Office of Management and Budget (OMB) established The Federal Cloud Computing Strategy which established guidance for all federal agencies to adopt cloud technologies across the federal government. This strategy was followed by a federal requirement released in December 2011 establishing the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate and high risk impact levels.
In July 2012, the DoD issued its Cloud Computing Strategy from the DoD Chief Information Officer. This established the Joint Information Environment (JIE) and the DoD Enterprise Cloud Environment: "The DoD Cloud Computing Strategy introduces an approach to move the Department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs. The DoD Chief Information Officer (CIO) is committed to accelerating the adoption of cloud computing within the Department ..."
The DoD SRG leverages the FedRAMP program as a means to establish a standardized approach for the DoD to assess cloud service providers. AWS has been assessed and approved under FedRAMP, and has been issued numerous Agency Moderate ATOs for US East and US West and a FedRAMP JAB High Provisional ATO (pATO) covering AWS GovCloud (US). More information regarding AWS’ FedRAMP compliance can be found on our FedRAMP FAQ page.
Yes, AWS has been assessed and approved as a cloud service provider at IL2 for US East and US West and IL4 for AWS GovCloud (US).
• At level 2, all AWS US-based regions (US East/West & AWS GovCloud (US)) have been assessed by DISA and issued two Provisional Authorizations after demonstrating compliance with DoD requirements. AWS’ compliance with DoD requirements was achieved by leveraging our existing FedRAMP Agency ATOs and FedRAMP High Baseline pATO. The Provisional Authorizations allow DoD entities to evaluate AWS’ security and give them the opportunity to store, process, and maintain a diverse array of DoD data within the AWS cloud.
• At level 4, AWS GovCloud (US) has been issued a Provisional Authorization from DISA to allow DoD customers to deploy production applications with the enhanced control baselines corresponding to those levels of the SRG. DoD customers with prospective IL 4 applications should contact DISA to begin the approval process.
Our provisional authorizations cover all regions within the continental United States, including AWS GovCloud (US) (Levels 2 and 4), and the AWS US East/West regions (Level 2).
The US East and US West regions hold a Provisional Authorization for level 2 which permits mission owners to deploy public, unclassified information in these regions with both the AWS Authorization and the mission application’s ATO. The AWS GovCloud (US) region now holds a Provisional Authorization for levels 2 and 4 and permits mission owners to deploy the full range of controlled, unclassified information categories covered by these levels.
The Authorizations confirm our longstanding commitment to the security of our services to our customers. Going through the authorization process confirms that we are addressing the security controls of the DoD SRG and that our management practices comply with DoD guidance. We have been assessed at the SRG IL4 level and have been issued an IL4 PA by DISA.
Our Level 2 Provisional Authorizations mean that DoD customers who use our services to store, process or transmit DoD data can rely on our authorizations for the AWS infrastructure covering all requirements defined by Level 2 as they manage their own compliance and certification, including audits and security management. Moving your DoD IT environment to AWS can help improve your own compliance oversight with the services and features made available by AWS.
Our Level 4 Provisional Authorization for AWS GovCloud (US) means that our DoD customers can deploy their production applications to AWS GovCloud (US). This authorization allows customers to engage in design, development and integration activities for workloads that are required to comply with impact Level 4 of the DoD Cloud Computing SRG.
When operating an application on AWS in the spirit of shared security responsibility, the DoD mission owner is responsible for a reduced baseline of security controls. AWS provides a secure hosting environment with applicable security controls for mission owners to field their applications - but does not relieve the mission owner of their responsibility to securely deploy, manage, and monitor their application in accordance with DoD security controls and compliance policy.
For more information regarding the responsibility of DoD application owners operating on AWS, please consult our DoD Compliant Implementations in the AWS Cloud whitepaper. We will be revising this whitepaper in accordance with the SRG in the near future.
Yes, customers can evaluate their workloads for suitability with other AWS services. Each mission owner is empowered to evaluate and accept the risk of any of our services that they choose to employ. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
No, there is no increase in service costs for any service as a result of AWS’ compliance programs.
Yes, many DoD entities and other organizations that provide systems integration and other products and services to DoD are using the wide range of AWS services today. AWS cannot disclose many of the customers who have achieved DoD ATOs for systems on AWS, but does regularly work with customers and their assessors in planning for, deploying, certifying, and accrediting their DoD workloads on AWS.
No. In accordance with the DoD SRG, a DoD customer obtains an ATO without a physical walkthrough of a service provider's data center by leveraging our Authorizations. DoD customers can rely on the work performed by our FedRAMP third-party assessment organizations (3PAO), which includes an extensive on-site review of the physical security of our data centers.