The U.S. Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing continues to be a major catalyst in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS' utility-based cloud services to process, store, and transmit federal government data.
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that delivers a standard approach to the security assessment, authorization and continuous monitoring for cloud products and services. The governing bodies of FedRAMP include the Office of Management and Budget (OMB), U.S. General Services Administration (GSA), U.S. Department of Homeland Security (DHS), U.S. Department of Defense (DOD), National Institutes of Standards & Technology (NIST) and the Federal CIO Council.
FedRAMP uses the NIST Special Publication 800 series and requires cloud service providers to receive an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA). Cloud providers who want to offer their products and services to the US government must demonstrate FedRAMP compliance. For additional information on FedRAMP requirements please visit www.FedRAMP.gov.
Amazon Web Services (AWS) offers the following FedRAMP compliant systems:
AWS GovCloud (US), has been granted a Joint Authorization Board Provisional Authorization (JAB P-ATO) for high impact level. The services covered are: EC2, EBS, IAM, S3, and VPC.
AWS US East-West, has been granted multiple Agency Authorizations for moderate impact level. The services covered are EC2, EBS, IAM, Redshift, S3, and VPC.
In response to the Cloud First Policy, the Office of Management and Budget (OMB) issued the FedRAMP Policy Memo to establish the first government-wide security authorization program for FISMA. FedRAMP is mandatory for all US federal agencies and all cloud services. FedRAMP is important because it increases:
- Consistency and confidence in the security of cloud solutions using NIST and FISMA defined standards,
- Transparency between US government and cloud providers,
- Automation and near real time continuous monitoring, and
- Adoption of secure cloud solutions through reuse of assessments and authorizations.
The Cloud First Policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP program office has outlined five requirements for FedRAMP compliance:
1. The cloud service provider (CSP) has been granted an Authority to Operate (ATO) by a Federal Agency
2. The CSP addresses the FedRAMP security control requirements that are aligned to the NIST 800-53, Rev. 4 security control baseline for moderate impact levels.
3. All system security packages must use the required FedRAMP templates.
4. The CSP was assessed by an independent auditor.
5. The completed security assessment package is posted in the FedRAMP secure repository.
There are three paths for CSPs to be FedRAMP Compliant:
1. JAB Provisional Authorizations (JAB P-ATOs) Path
CSPs with a FedRAMP P-ATO path are reviewed by the FedRAMP PMO, assessed by a FedRAMP accredited 3PAO, and received an P-ATO from DHS, DOD, and GSA CIOs.
2. Agency FedRAMP Authorizations (A-ATOs) Path
CSPs with an Agency Authorization path are reviewed by a customer Agency CIO or Delegated Authorizing Official(s) to achieve a FedRAMP compliant ATO that has been verified by the FedRAMP PMO.
3. CSP Supplied Packages Path
CSP with a CSP Supplied Package have submitted to the FedRAMP PMO a completed Security Assessment Package that has been assessed by a FedRAMP accredited 3PAO.
Yes, AWS offers the following FedRAMP compliant systems that have been granted authorizations, have addressed the FedRAMP security controls (based on NIST SP 800-53), used the required FedRAMP templates for the security packages posted in the secure FedRAMP Repository, has been assessed by an accredited independent third party assessor (3PAO) and maintains continuous monitoring requirements of FedRAMP:
AWS GovCloud (US), has been granted a Joint Authorization Board Provisional Authority-To- Operate (JAB P-ATO) and multiple Agency Authorizations (A-ATO) for high impact level. The services in scope of the AWS GovCloud (US) JAB P-ATO boundary at high baseline security categorization can be found within AWS Services in Scope by Compliance Program. For a complete list of authorizing agencies who have issued an ATO on AWS GovCloud (US), please visit FedRAMP Compliant Systems.
AWS US East-West, has been granted multiple Agency ATOs for moderate impact level. The services in scope of the AWS US East-West authorization boundary can be found within AWS Services in Scope by Compliance Program. For a complete list of authorizing agencies who have issued an ATO on AWS US East-West please visit FedRAMP Compliant Systems.
No, there is no increase in service costs for any region as a result of AWS’s FedRAMP compliance.
Two separate FedRAMP Agency ATOs have been issued; one encompassing the AWS GovCloud (US) Region, and the other covering the AWS US East/West regions.
Yes, numerous government agencies and other entities that provide systems integration and other products and services to governmental agencies are using the wide-range of AWS services today.
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, FedRAMP only applies to cloud computing systems at the FISMA low and moderate impact levels, however, AWS already meets many of the NIST 800-53 High controls and we have developed the AWS FISMA-High workbook for our customers who are looking to expand on the NIST Moderate baseline to build FISMA-High applications and services to support their critical workloads. Please contact our AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
AWS provides a wide range of security functionality that can be used by our customers to protect their data in accordance with federal and DoD security guidelines. We are continually iterating on the existing security tools we provide our customers, and regularly release enhancements to existing security functionality. For additional information and solutions for securing your data in the cloud, please reference the following AWS Security guidance:
AWS customers can request access to the AWS FedRAMP Security Packages through the FedRAMP PMO or their AWS Sales Account Manager.
US Government agency customers can request access to the AWS FedRAMP Security Package from the FedRAMP PMO by completing a Package Access Request Form and submitting it to email@example.com, or contacting their AWS Sales Account Manager.
AWS partners and prospective customers can also request access to the AWS Partner FedRAMP Security Package by contacting their AWS Sales Account Manager.
An Agency Authoring Official (AO) can leverage any of the AWS FedRAMP Authorization Security Packages to review supporting documentation and make his or her own risk-based decision to grant an agency authorization or ATO to AWS. Agencies are responsible for issuing their own ATO on AWS and are also responsible for the overall authorization of their system components that are not covered in the AWS A-ATO. To learn more about the AWS Shared Responsibility Model please contact your AWS Sales Account Manager.
Using the security functionality provided by AWS and our ecosystem of vendors, you are able to control and monitor how you build available systems to that incorporate your agency’s security, privacy, and/or enterprise risk management policies.
Take it from our customers, partners, and system integrators - read about the value they have achieved with AWS:
Appian Cloud leverages Amazon Web Services' infrastructure and FedRAMP authorization. Read More
AWS Case Studies
Within the FedRAMP Concept of Operations (CONOPS), once an authorization has been granted, the CSP’s security posture is monitored according to the assessment and authorization process. To receive reauthorization of a FedRAMP Authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable. Federal agencies leveraging the FedRAMP continuous monitoring program, and the Authorizing Officials (AO) and their designated teams, will be responsible for reviewing the ongoing compliance of AWS. AOs and their designated teams will review artifacts provided through the AWS FedRAMP continuous monitoring process in addition to evidence of the implementation of any agency-specific controls required beyond the FedRAMP controls on a continuous, ongoing basis. For additional information please refer to your agency’s information system security program or policy.