A growing number of military customers are adopting AWS Services to process, store, and transmit Department of Defense (DoD) data.
AWS enables defense organizations and their business associates to leverage secure environments to process, maintain, and store DoD data. AWS has attained provisional authorizations from the Defense Information Systems Agency (DISA).
AWS maintains three environments covered by DoD Provisional Authorizations: the US East and US West Regions, the AWS GovCloud (US) Region, and the AWS Secret Region:
US East/West holds a DoD Impact Level (IL) 2 Provisional Authorization. The covered AWS services within US East/West that are already in scope of the DoD SRG IL2 authorization boundary can be found within AWS Services in Scope by Compliance Program.
AWS GovCloud (US) holds DoD Provisional Authorizations at Impact Levels 2, 4 and 5. The covered AWS services within GovCloud (US) that are already in scope of the DoD SRG IL2, IL4 and IL5 authorization boundary can be found within AWS Services in Scope by Compliance Program.
The AWS Secret Region holds a DoD Provisional Authorization (PA) at Impact Level 6. The AWS Secret Region was designed and built to meet the specific security requirements of secret classified workloads for the DoD and the intelligence community. A service catalog for the region is available through your AWS Account Executive.
As a DoD customer, you are also responsible for complying with DoD security guidance within your AWS application environment, which includes:
• Mission owner requirements defined in the DoD Cloud Computing Security Requirements Guide (SRG)
• All relevant operating system security technical implementation guides (STIGs)
• All relevant application STIGs
• DoD ports and protocols guidance (DoDI 8551.01)
The infrastructure, governance and operating environment of AWS have been assessed and authorized through the FedRAMP and DoD authorization processes. As a customer deploying an application on AWS infrastructure, you inherit security controls pertaining to our physical, environmental and media protection, and no longer need to provide a detailed description of how you comply with these control families. The remaining DoD Risk Management Framework (RMF) controls are shared between AWS and customers with each organization retaining responsibility for control implementation within their portion of the shared IT security model.
How do I consume AWS security documentation and guidance?
Our DoD customers and vendors can leverage our FedRAMP and DoD authorizations in order to accelerate their certification and accreditation efforts. In support of the authorization of military systems hosted on AWS, we provide DoD security personnel with our security documentation as a means of verifying the security and compliance of AWS in accordance with applicable NIST controls as defined by 800-53 rev4 and the DoD Cloud Computing SRG.
In support of our DoD customer base, we provide a package of security guidance and documentation to enhance their understanding of security and compliance while using AWS as a DoD hosting solution. In particular, we provide an AWS FedRAMP SSP template based upon NIST 800-53v4, which is prepopulated with the applicable FedRAMP and DoD control baseline. The inherited controls within the template are prepopulated by AWS; shared controls are the responsibility of both AWS and the customer; and finally, some controls are fully the responsibility of the customer.
To request access to AWS’ security documentation as it pertains to DoD customers, either a military organization or a contractor conducting business with the DoD, please contact AWS Sales and Business Development or send an email directly to our team at firstname.lastname@example.org.
What value do I get from moving to AWS?
We believe that for government customers migration to the cloud is an opportunity to improve their level of security assurance and reduce operational risk. The AWS operating environment allows customers to obtain a level of security and compliance only possible in an environment supported by high levels of automation. On AWS, customers have the ability to conduct audits on a continual basis rather than conducting periodic inventories and "point-in-time" audits, which is the way most DoD customers operate with traditional data centers. Gaining this level of visibility into your environment enhances data control and increases your ability to maintain assurance that only authorized users have access.
For example, DoD mission owners can realize higher levels of control over applications through programmatic enforcement of DoD security and compliance guidelines. Using AWS functionality, you can create pre-approved templates for common application use cases, reducing the time to authorize new applications. The templates can help ensure application owners do not change vital security settings such as security groups and network ACLs, as well as enforcing the use of STIG-hardened machine images. Additionally, programmatic enforcement of DoD security guidelines reduces manual configuration efforts, which can decrease improper configuration and overall risk to the DoD.
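As an added illustration of the programmatic enforcement described above (example code written for this page, not AWS tooling or code from the original): a pre-deployment gate over a constructed CloudFormation-style template that rejects security group rules exposing management ports to the whole internet and instances that do not reference an approved STIG-hardened image. The AMI IDs, port list and template contents are constructed placeholders.

```python
# Added example, not AWS code: a template gate run before a stack is approved.
# AMI IDs, ports and the sample template are constructed placeholders.

# Allow-list of STIG-hardened AMI IDs (constructed placeholders, not real AMIs).
APPROVED_STIG_AMIS = {"ami-0000stig0001", "ami-0000stig0002"}

# Management/database ports that must never be reachable from 0.0.0.0/0.
RESTRICTED_PORTS = {22, 3389, 1433, 3306}


def ingress_violations(props):
    """Findings for one AWS::EC2::SecurityGroup's SecurityGroupIngress list."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue  # source is scoped, so this is not a world-open rule
        proto = rule.get("IpProtocol")
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        # "-1" means all protocols and ports; otherwise check the port range
        if proto == "-1" or any(lo <= p <= hi for p in RESTRICTED_PORTS):
            findings.append(f"ingress {cidr} {proto} {lo}-{hi} is world-open")
    return findings


def check_template(template):
    """Audit a parsed template; returns {logical_id: [findings]} for failures."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        findings = []
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            findings = ingress_violations(props)
        elif res.get("Type") == "AWS::EC2::Instance":
            if props.get("ImageId") not in APPROVED_STIG_AMIS:
                findings = [f"ImageId {props.get('ImageId')} is not STIG-hardened"]
        if findings:
            report[name] = findings
    return report


# Constructed sample template: HTTPS open to the world is accepted, SSH is not;
# AppHost uses an approved image and DevHost does not.
SAMPLE_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AppHost": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-0000stig0001"}},
    "DevHost": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-unhardened99"}},
}}
```

Running `check_template(SAMPLE_TEMPLATE)` returns findings only for `WebSg` (the SSH rule) and `DevHost` (unapproved image); a template that passes with an empty report is the one a mission owner would pre-approve.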
Customers in other compliance programs are also directly benefiting from using AWS to achieve their risk and compliance goals:
• HIPAA Compliance: Claritas Genomics had limited budget and needed low-cost IT resources that would allow it to meet HIPAA requirements.
• Financial Services Compliance: Challenged by steadily increasing market volumes and changing regulatory rules, FINRA turned to AWS.
• Financial Services Compliance: NASDAQ needed the ability to provide regulators with access to increasingly detailed financial information.
What is the DoD Cloud Computing SRG?
The DoD SRG is published to provide a standardized assessment and authorization process for CSPs to gain a DoD Provisional Authorization, which can subsequently be leveraged by DoD customers. A Provisional Authorization under the DoD guidance provides a reusable certification that attests to our compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS. Additional information on the SRG, including the full definition of the security control baselines defined for Levels 2, 4, 5 and 6, can be found here.
The authorization path to a mission owner's Authority to Operate (ATO)
As a DoD mission owner, you are responsible for building out an authorization package that fully defines your implementation of the security controls applicable to your application. As with any traditional authorization package, you will need to document your security control baseline with a system security plan, and have this plan and its implementation reviewed by the relevant certification personnel from your DoD organization. As part of this review, your certification personnel or your authorizing official may wish to review the AWS authorization package alongside your application in order to gain a holistic view of the security control implementation from top to bottom. After reviewing the security authorization packages of AWS and the mission owner, your authorizing official will have the information necessary to make an accreditation decision for your application, and grant an ATO.
For more information regarding the responsibility of DoD application owners operating on AWS, please consult our DoD Compliant Implementations in the AWS Cloud Whitepaper.
How does the release of the Cloud Computing SRG affect the current AWS PAs?
As a cloud service provider that has already been authorized by the DoD, AWS is required to undergo assessment against the FedRAMP+ controls established in the SRG. AWS completed this assessment and received IL4 and IL5 PAs allowing mission owners to migrate production workloads such as:
- Export Controlled Data
- Privacy Information
- Protected Health Information
- As well as other information requiring explicit Controlled Unclassified Information designation:
  - For Official Use Only
  - Official Use Only
  - Law Enforcement Sensitive
  - Critical Infrastructure Information
  - Sensitive Security Information
Why is the SRG important?
The SRG supports the overall Federal goal to increase utilization of cloud computing, and provides a means for the DoD to support this goal. On February 8, 2011, the Office of Management and Budget (OMB) established the Federal Cloud Computing Strategy, which set out guidance for all federal agencies to adopt cloud technologies across the federal government. This strategy was followed by a federal requirement released in December 2011 establishing the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate and high risk impact levels.
In July 2012, the DoD issued its Cloud Computing Strategy from the DoD Chief Information officer. This established the Joint Information Environment (JIE) and the DoD Enterprise Cloud Environment: "The DoD Cloud Computing Strategy introduces an approach to move the Department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs. The DoD Chief Information Officer (CIO) is committed to accelerating the adoption of cloud computing within the Department ..."
The DoD SRG leverages the FedRAMP program as a means to establish a standardized approach for the DoD to assess cloud service providers. AWS has been assessed and approved under FedRAMP, and has been issued numerous Agency Moderate ATOs for US East and US West and a FedRAMP JAB High Provisional ATO (pATO) covering AWS GovCloud (US). More information regarding AWS’ FedRAMP compliance can be found on our FedRAMP FAQ page.
Do AWS cloud services meet DoD requirements?
Yes, AWS has been assessed and approved as a cloud service provider for the US East and US West Regions at IL2, the AWS GovCloud (US) Region at IL4 and IL5, and the AWS Secret Region at IL6.
• At level 2, AWS US-based regions, US East/West & AWS GovCloud (US), have been assessed by DISA and issued two Provisional Authorizations after demonstrating compliance with DoD requirements. AWS’ compliance with DoD requirements was achieved by leveraging our existing FedRAMP JAB P-ATO. The Provisional Authorizations allow DoD entities to evaluate AWS’ security and the opportunity to store, process, and maintain a diverse array of DoD data within the AWS Cloud.
• At levels 4 and 5, AWS GovCloud (US) has been issued a Provisional Authorization from DISA to allow DoD customers to deploy production applications with the enhanced control baselines corresponding to those levels of the SRG. DoD customers with prospective IL4 or IL5 applications should contact DISA to begin the approval process.
• At level 6, the AWS Secret Region holds a DoD Provisional Authorization at IL6 for workloads up to, and including, the Secret level. A service catalog for the region is available through your AWS Account Executive.
What AWS Regions are covered?
Our provisional authorizations cover multiple regions within the continental United States, including AWS GovCloud (US) (Levels 2, 4, and 5), AWS US East/West regions (Level 2), and the AWS Secret Region (Level 6).
What classifications of DoD systems can be placed on AWS?
The US East and US West Regions hold a Provisional Authorization for Level 2, which permits mission owners to deploy public, unclassified information in these regions with both the AWS Authorization and the mission application’s ATO. The AWS GovCloud (US) Region holds a Provisional Authorization for Levels 2, 4 and 5, and permits mission owners to deploy the full range of controlled, unclassified information categories covered by these levels. The AWS Secret Region holds a Provisional Authorization for Level 6 and permits workloads up to, and including Secret classification.
How do the Authorizations impact AWS?
The Authorizations confirm our longstanding commitment to the security of our services to our customers. Going through the authorization process confirms that we are addressing the security controls of the DoD SRG and that our management practices comply with DoD guidance. We have been assessed at the SRG IL4, IL5, and IL6 levels and have been issued IL4, IL5, and IL6 PAs by DISA.
What does this mean to me as a DoD mission owner?
Our Level 2 Provisional Authorizations enable DoD customers to leverage compliant AWS infrastructure and services to deploy workloads with data cleared for public release, as well as some DoD private unclassified information. Moving your DoD IT environment to AWS can help improve your own compliance oversight with the services and features made available by AWS.
Our Level 4 and 5 Provisional Authorizations for the AWS GovCloud (US) Region mean our DoD customers can deploy their production applications to AWS GovCloud (US). This authorization allows customers to engage in design, development and integration activities for workloads that are required to comply with Impact Levels 4 and 5 of the DoD Cloud Computing SRG.
Our Level 6 Provisional Authorization for the AWS Secret Region means that DoD customers who use our services to store, process or transmit data up to and including the Secret level can rely on our authorization for AWS infrastructure to cover all requirements defined by Level 6 as they manage their own compliance and certification, including audits and security management.
How does the AWS Provisional Authorization affect the mission owner's ATO?
When operating an application on AWS in the spirit of shared security responsibility, the DoD mission owner is responsible for a reduced baseline of security controls. AWS provides a secure hosting environment with applicable security controls for mission owners to field their applications - but does not relieve the mission owner of their responsibility to securely deploy, manage, and monitor their application in accordance with DoD security controls and compliance policy.
For more information regarding the responsibility of DoD application owners operating on AWS, please consult our DoD Compliant Implementations in the AWS Cloud whitepaper. We will be revising this whitepaper in accordance with the SRG in the near future.
Can other AWS services be used?
Yes, customers can evaluate their workloads for suitability with other AWS services. Each mission owner is empowered to evaluate and accept the risk of any of our services that they choose to employ. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Will DoD compliance increase AWS service prices?
No, there is no increase in service costs for any service as a result of AWS’ compliance programs.
Are other DoD entities using AWS now?
Yes, many DoD entities and other organizations that provide systems integration and other products and services to DoD are using the wide range of AWS services today. AWS cannot disclose many of the customers who have achieved DoD ATOs for systems on AWS, but does regularly work with customers and their assessors in planning for, deploying, certifying, and accrediting their DoD workloads on AWS.
Does an ATO require a physical walkthrough of a service provider's data center?
No. In accordance with the DoD SRG, a DoD customer obtains an ATO without a physical walkthrough of a service provider's data center by leveraging our Authorizations. DoD customers can rely on the work performed by our FedRAMP third-party assessment organizations (3PAO), which includes an extensive on-site review of the physical security of our data centers.
How do I access the AWS Authorizations and documentation?
Which AWS services are covered?