The US Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays a key part in how the federal government achieves operational efficiencies and innovates on demand to advance its mission across the nation. That is why many federal agencies today use AWS cloud services to process, store, and transmit federal government data.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring of cloud products and services. The governing bodies of FedRAMP include the Office of Management and Budget (OMB), US General Services Administration (GSA), US Department of Homeland Security (DHS), US Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the Federal Chief Information Officers (CIO) Council.
Cloud Service Providers (CSPs) that want to offer their Cloud Service Offerings (CSOs) to the US government must demonstrate FedRAMP compliance. FedRAMP is built on the NIST Special Publication 800 series and requires cloud service providers to complete an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure that authorizations comply with the Federal Information Security Management Act (FISMA). For more information, see the FedRAMP website.
Why is FedRAMP important?
In response to the Cloud First Policy (now the Cloud Smart Strategy), the Office of Management and Budget (OMB) issued the FedRAMP Policy Memo to establish the first government-wide security authorization program under the Federal Information Security Modernization Act (FISMA). FedRAMP is mandatory for all US federal agencies and all cloud services they consume. FedRAMP is important because it increases:
- Consistency and confidence in the security of cloud solutions, using standards defined by the National Institute of Standards and Technology (NIST) and FISMA
- Transparency between US government and cloud providers
- Automation and near real time continuous monitoring
- Adoption of secure cloud solutions through reuse of assessments and authorizations
What are the requirements for FedRAMP compliance?
The Cloud First Policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP Program Management Office (PMO) has outlined the following requirements for FedRAMP compliance:
- The cloud service provider (CSP) has been granted an Agency Authority to Operate (ATO) by a US federal agency, or a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB).
- The CSP meets the FedRAMP security control requirements as described in the National Institute of Standards and Technology (NIST) SP 800-53 security control baselines for the low, moderate, or high impact level. (This FAQ references Rev. 4 of SP 800-53; FedRAMP has since transitioned its baselines to Rev. 5, so check the current FedRAMP baseline documents when scoping an assessment.)
- All system security packages must use the required FedRAMP templates.
- The CSP must be assessed by an approved third-party assessment organization (3PAO).
- The completed security assessment package must be posted in the FedRAMP secure repository.
What are the types of FedRAMP compliance?
There are two paths for Cloud Service Providers (CSPs) to be FedRAMP compliant:
- Joint Authorization Board (JAB) Authorization: To receive a FedRAMP JAB Provisional Authority to Operate (P-ATO), a CSP is assessed by a FedRAMP-accredited 3PAO, reviewed by the FedRAMP Program Management Office (PMO), and receives a P-ATO from the JAB. The JAB is made up of the Chief Information Officers (CIOs) from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). (Under OMB memorandum M-24-15, the JAB has since been replaced by the FedRAMP Board, but existing JAB P-ATOs remain valid.)
- Agency Authorization: To receive FedRAMP Agency Authority to Operate (ATO), a CSP is reviewed by a customer Agency CIO or Delegated Authorizing Official(s) to achieve a FedRAMP-compliant ATO that is verified by the FedRAMP Program Management Office (PMO).
How does an agency leverage the AWS FedRAMP authorization?
A Federal Agency or Department of Defense (DoD) organization can use AWS Cloud Service Offerings (CSOs) as building blocks for solutions hosted in the cloud. Each in-scope AWS CSO is authorized for Federal and DoD use by FedRAMP and DISA, and that authorization is documented in a Provisional Authority to Operate (P-ATO). CSPs do not receive an Authority to Operate (ATO) for their CSOs; they receive P-ATOs. A P-ATO is a pre-procurement approval for Federal or DoD organizations to use CSOs; it is not, by itself, an authorization for the agency's own system.
An agency Authorizing Official (AO) can use any of the AWS FedRAMP Security Packages to review the supporting documentation, including the shared responsibility details that state which controls AWS implements and which the customer must implement, and make his or her own risk-based decision to grant an Agency Authority to Operate (ATO) for a system built on AWS. Agencies are responsible for issuing their own ATO on AWS and for the overall authorization of their system components, including the customer-side controls. If you have questions or need more information, please contact your AWS Sales Account Manager or the ATO on AWS team.
Does AWS have an Authority to Operate (ATO)?
AWS is a Cloud Service Provider (CSP) that offers Cloud Service Offerings (CSOs). As a CSP, AWS follows the FedRAMP process to get its CSOs authorized for Federal or DoD use. The FedRAMP process does not issue an Authority to Operate (ATO) to CSPs; instead, it issues a Provisional Authority to Operate (P-ATO). The P-ATO is a pre-procurement approval for Federal Agencies or the DoD to use CSOs. Federal Agencies or the DoD use the P-ATO, and the inherited controls associated with it, when they follow the Risk Management Framework (RMF) process to obtain their own ATO. Note that the AWS P-ATO will not be upgraded to an ATO, because the FedRAMP process does not issue ATOs to CSPs. ATOs are issued only as part of the RMF process, by Federal Agency or DoD Authorizing Officials (AOs). More information on FedRAMP can be found on the FedRAMP website.
How is FedRAMP different from the Risk Management Framework (RMF)?
FedRAMP is the process that Cloud Service Providers (CSPs) follow to get their Cloud Service Offerings (CSOs) approved for Federal agencies or the DoD to use as building blocks for systems hosted in the cloud. The Risk Management Framework (RMF) is the process that Federal Agencies or the DoD follow to get their own IT systems authorized to operate. Only CSPs use the FedRAMP process, and CSPs do not follow the RMF process. Federal Agencies or the DoD would follow the FedRAMP process only if they were themselves creating cloud services (for example, milCloud).
Does AWS support agency authorizations to operate (ATO) for services outside of FedRAMP?
We encourage agency customers to leverage the existing FedRAMP JAB P-ATO and its authorization package to issue their own Authorization to Operate. For AWS services that are not yet within the FedRAMP authorization boundary, the agency Authorizing Official makes a risk-based decision on their use (see "Can other AWS Services be used?" below).
Is Amazon Web Services FedRAMP compliant?
Yes. The following AWS environments have been granted FedRAMP authorizations, have addressed the FedRAMP security controls (based on NIST SP 800-53), use the required FedRAMP templates for the security packages posted in the secure FedRAMP repository, have been assessed by an accredited independent third-party assessor (3PAO), and maintain the continuous monitoring requirements of FedRAMP:
- AWS GovCloud (US) has been granted a Joint Authorization Board Provisional Authority to Operate (JAB P-ATO) and multiple Agency Authorizations (A-ATO) at the high impact level. The services in scope of the AWS GovCloud (US) JAB P-ATO boundary at the High baseline security categorization can be found within AWS Services in Scope by Compliance Program.
- AWS US East-West (Northern Virginia, Ohio, Oregon, Northern California) has been granted a Joint Authorization Board Provisional Authority to Operate (JAB P-ATO) and multiple Agency Authorizations (A-ATO) at the moderate impact level. The services in scope of the AWS US East-West JAB P-ATO boundary at the Moderate baseline security categorization can be found within AWS Services in Scope by Compliance Program.
Will compliance with FedRAMP increase my AWS service costs?
No, there is no increase in service costs for any region as a result of AWS’ FedRAMP compliance.
What AWS Regions are covered?
Two separate FedRAMP P-ATOs have been issued; one encompassing AWS GovCloud (US), and the other covering the AWS US East/West regions.
Are there US Government entities using AWS now?
Yes, over 2,000 government agencies, and other entities that provide systems integration and other products and services to governmental agencies, are using the wide range of AWS services today. You can review case studies about US government entities using AWS on the AWS Customer Success webpage. For more information about how AWS meets the high security requirements of governments, see the AWS for Government webpage.
What services are covered and how can we validate FedRAMP compliance?
The AWS services already in scope of the FedRAMP and DoD SRG boundary can be found within AWS Services in Scope by Compliance Program. On the FedRAMP or DoD SRG tab, a service's status has the following meanings:
- "✓": the FedRAMP JAB has authorized the service as sufficiently meeting FedRAMP Moderate baseline requirements (and, correspondingly, DoD SRG IL2) for AWS US East-West, and/or FedRAMP High baseline requirements (and, correspondingly, DoD SRG IL2, IL4, and IL5) for AWS GovCloud (US). These services are posted under the AWS service description on the FedRAMP Marketplace.
- "3PAO Assessment" or "Under Assessment": the service is still under evaluation, and AWS does not assert implementation or maintenance of FedRAMP controls for it.
- "JAB Review" or "DISA Review": the service has completed the 3PAO assessment and is in the regulator's queue. AWS has implemented, and been assessed for, the relevant FedRAMP controls for that environment, but the service has not yet been authorized by the JAB.
Before building a FedRAMP or DoD workload on a service, check its status on the tab for the specific region (US East-West or GovCloud (US)) you intend to use, since a service may be authorized in one boundary and not the other. If you would like to learn more about using these services and/or have interest in other services, please contact AWS Sales and Business Development.
Can other AWS Services be used?
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Can high impact level systems be placed on AWS?
Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, customers can place their high-impact workloads on AWS GovCloud (US), which has been granted a Joint Authorization Board Provisional Authority to Operate (JAB P-ATO) at the high impact level.
Where can I access the AWS FedRAMP Security Package?
U.S. Government employees and contractors can request access to the AWS FedRAMP Security Package from the FedRAMP PMO by completing a Package Access Request Form and submitting it to the PMO (see the FedRAMP website for the current submission process).
Commercial customers and partners may request access to the AWS FedRAMP Partner Package for guidance related to building on top of AWS offerings and assistance in architecting FedRAMP/DoD compliant services on AWS. The Partner Package may be found in your AWS account via AWS Artifact or by request through your AWS account manager.
What is the FedRAMP ID for reference purposes?
For AWS US East-West Regions, the FedRAMP ID is AGENCYAMAZONEW. For AWS GovCloud (US) Region, the FedRAMP ID is F1603047866.
How is continuous monitoring handled with FedRAMP authorizations?
Within the FedRAMP Concept of Operations (CONOPS), after an authorization has been granted, the CSP’s security posture is monitored according to the assessment and authorization process. To receive re-authorization of a FedRAMP authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable. Federal agencies leveraging the FedRAMP continuous monitoring program, and the Authorizing Officials (AO) and their designated teams, are responsible for reviewing the ongoing compliance of AWS. On a continuous, ongoing basis, AOs and their designated teams review artifacts provided through the AWS FedRAMP continuous monitoring process, in addition to evidence of the implementation of any agency-specific controls required beyond the FedRAMP controls. For additional information, see your agency’s information system security program or policy.
As a US federal agency, do I need an interconnection security agreement (ISA) with AWS?
No. According to the FedRAMP Weekly Tips & Cues – August 10, 2016, ISAs are not required for use between a CSP and a federal agency.
What if I need to discuss my organization’s FedRAMP-specific AWS workloads or architectures with AWS?
The AWS FedRAMP Security Package is available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
If you have specific questions regarding FedRAMP or DoD compliance, please contact your AWS account manager or submit the AWS Compliance Contact Us Form to be connected with our FedRAMP compliance team.
Where can I find more information about other compliance programs related to FedRAMP?
For more information about any applicable compliance programs, please see our AWS Compliance Program webpage. You can also find more information specific to Federal Information Processing Standard (FIPS) 140-2, Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG), Federal Information Security Management Act (FISMA), and National Institute of Standards and Technology (NIST).
What are the relationships between FedRAMP and other federal compliance programs (FISMA, DFARS, DoD SRG, NIST SP 800-171, FIPS 140-2)?
Federal government agencies are assessed by their Office of Inspector General (OIG), and internally, against FISMA metrics provided by the Department of Homeland Security (DHS). The criteria behind the FISMA OIG and CIO metrics are the NIST SP 800 special publications, with emphasis on NIST SP 800-53. So that agencies can rely on the security of a CSP, FedRAMP is a compliance program built on a baseline of NIST SP 800-53 controls to satisfy FISMA requirements within the cloud.
The DoD leverages the FedRAMP compliance program as the foundation for the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) Impact Levels; both FedRAMP and the SRG require FIPS 140-2 validated cryptographic modules for certain encryption controls (for example, the NIST SP 800-53 cryptographic protection control SC-13). The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) to meet a defined set of security standards, which includes the NIST SP 800-171 requirements. NIST SP 800-171 provides recommended security requirements for protecting the confidentiality of CUI on non-federal systems.
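The FIPS 140-2 requirement above falls partly on the customer: API calls must terminate at AWS's FIPS-validated endpoints rather than the standard ones. The following is an added example, not from this AWS page, of an AWS CLI/SDK shared configuration file (`~/.aws/config`) showing the default, non-FIPS profile beside one that forces FIPS endpoints. The profile names are hypothetical; the `use_fips_endpoint` setting is the real shared-config option honored by the AWS CLI v2 and the AWS SDKs.

```ini
# Added example (not from the AWS page): ~/.aws/config with two profiles.
# Profile names are hypothetical; use_fips_endpoint is a real shared-config key.

# Default behaviour: the SDK resolves the standard endpoint for each service,
# e.g. kms.us-east-1.amazonaws.com, which is NOT a FIPS 140-2 validated endpoint.
[profile standard]
region = us-east-1
output = json

# Hardened profile for FedRAMP High / DoD SRG workloads: every call to a service
# that publishes a FIPS endpoint is routed there, e.g. kms-fips.us-gov-west-1.amazonaws.com.
[profile govcloud-fips]
region = us-gov-west-1
output = json
use_fips_endpoint = true
```

Select the hardened profile with `--profile govcloud-fips` on the CLI or `AWS_PROFILE=govcloud-fips` for the SDKs; the equivalent environment variable `AWS_USE_FIPS_ENDPOINT=true` achieves the same effect without a config file and is useful in CI or container images where no shared config is mounted. Verify the effect by inspecting the hostname the SDK connects to (for example with `--debug` on the AWS CLI) rather than trusting the setting alone, since a service without a FIPS endpoint in a given region will not be covered.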