The U.S. Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing continues to be a major catalyst in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS' utility-based cloud services to process, store, and transmit federal government data.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at: http://www.fedramp.gov.
The Cloud First policy mandates that agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. The Office of Management and Budget (OMB) mandate states that agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows federal agencies to save significant time, cost, and resources in their evaluation of the security of cloud providers.
The Cloud First Policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP program office has outlined five requirements for FedRAMP compliance:
1. The cloud service provider (CSP) has been granted an Authority to Operate (ATO) by a Federal Agency
2. The CSP addresses the FedRAMP security control requirements that are aligned to the NIST 800-53, Rev. 4 security control baseline for moderate impact levels.
3. All system security packages must use the required FedRAMP templates.
4. The CSP was assessed by an independent auditor.
5. The completed security assessment package is posted in the FedRAMP secure repository.
There are three paths for CSPs to be FedRAMP compliant:
1. JAB Provisional Authorizations (JAB P-ATOs) Path
CSPs on the FedRAMP P-ATO path are reviewed by the FedRAMP PMO, assessed by a FedRAMP-accredited 3PAO, and receive a P-ATO from the DHS, DOD, and GSA CIOs.
2. Agency FedRAMP Authorizations (A-ATOs) Path
CSPs on the Agency Authorization path are reviewed by a customer Agency CIO or Delegated Authorizing Official(s) to achieve a FedRAMP-compliant ATO that has been verified by the FedRAMP PMO.
3. CSP Supplied Packages Path
CSPs on the CSP Supplied Package path have submitted to the FedRAMP PMO a completed Security Assessment Package that has been assessed by a FedRAMP-accredited 3PAO.
Yes, AWS is a FedRAMP-compliant Cloud Service Provider (CSP). AWS has completed the testing performed by a FedRAMP-accredited Third Party Assessment Organization (3PAO) and has been granted two Agency Authorities to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements. AWS’ compliance with FedRAMP requirements was achieved based on testing performed against the stringent set of FedRAMP requirements (NIST 800-53 Rev. 4 Moderate baseline requirements, plus additional FedRAMP security controls). The AWS security assessment was performed by a FedRAMP-accredited 3PAO, Veris Group, LLC. The HHS authorization validates AWS’ security posture at the Moderate impact level to store, process, and protect a diverse array of sensitive government data. The assessment and associated ATOs have been registered in the FedRAMP repository, allowing government agencies to evaluate AWS’ security and to store, process, and maintain a diverse array of sensitive government data within the AWS cloud.
No, there is no increase in service costs for any region as a result of AWS’s FedRAMP compliance.
Two separate FedRAMP Agency ATOs have been issued: one encompassing the AWS GovCloud (US) Region, and the other covering the AWS US East/West Regions.
Yes, numerous government agencies, as well as other entities that provide systems integration and other products and services to government agencies, are using the wide range of AWS services today.
The following services are in the accreditation boundary for the regions stated above:
- Amazon Redshift. Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools [currently only in AWS US East/West Regions].
- Amazon Elastic Compute Cloud (Amazon EC2). Amazon EC2 provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.
- Amazon Simple Storage Service (S3). Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
- Amazon Virtual Private Cloud (VPC). Amazon VPC provides the ability for you to provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
- Amazon Elastic Block Store (EBS). Amazon EBS provides highly available, highly reliable, predictable storage volumes that can be attached to a running Amazon EC2 instance and exposed as a device within the instance.
- AWS Identity and Access Management (IAM). IAM enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, FedRAMP only applies to cloud computing systems at the FISMA Low and Moderate impact levels. However, AWS already meets many of the NIST 800-53 High controls, and we have developed the AWS FISMA-High workbook for customers who are looking to expand on the NIST Moderate baseline to build FISMA-High applications and services to support their critical workloads. Please contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
AWS provides a wide range of security functionality that can be used by our customers to protect their data in accordance with federal and DoD security guidelines. We are continually iterating on the existing security tools we provide our customers, and regularly release enhancements to existing security functionality. For additional information and solutions for securing your data in the cloud, please reference the following AWS Security guidance:
AWS customers and prospective AWS customers can request the relevant agency or partner FedRAMP packages directly from AWS. Please reach out to your sales account manager or technical account manager to initiate the request, or submit a request through our Contact Us form. Please contact us at firstname.lastname@example.org if you have any other questions or have no other contacts at AWS.
Additionally, agencies can request access to the AWS HHS ATO packages by submitting a FedRAMP Package Access Request Form through the FedRAMP PMO.
Federal customers can leverage our FedRAMP packages and authorizations in order to accelerate their Security Assessment and Authorization (SA&A) efforts.
In support of our federal customer base, we provide a package of security guidance and documentation to enhance their understanding of security and compliance while using AWS as a federal hosting solution. In particular, we provide an SSP template based upon NIST 800-53 Rev. 4, which is prepopulated with applicable control baselines. The controls within the template are prepopulated where applicable from AWS, shared between AWS and the customer, or fully the responsibility of the customer.
To request access to AWS's security documentation as it pertains to federal customers, or to contractors conducting business with the federal government, please contact AWS Sales and Business Development or send an email to email@example.com.
Using the security functionality provided by AWS and our ecosystem of vendors, you are able to control and monitor how you build available systems that incorporate your agency’s security, privacy, and/or enterprise risk management policies.
Take it from our customers, partners, and system integrators, and read about the value they have achieved with AWS:
Appian Cloud leverages Amazon Web Services' infrastructure and FedRAMP authorization.
Within the FedRAMP Concept of Operations (CONOPS), once an authorization has been granted, the CSP’s security posture is monitored according to the assessment and authorization process. To receive reauthorization of a FedRAMP Authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering remains acceptable. Federal agencies leveraging the FedRAMP continuous monitoring program, together with their Authorizing Officials (AOs) and designated teams, are responsible for reviewing the ongoing compliance of AWS. AOs and their designated teams review the artifacts provided through the AWS FedRAMP continuous monitoring process, in addition to evidence of the implementation of any agency-specific controls required beyond the FedRAMP controls, on a continuous, ongoing basis. For additional information, please refer to your agency’s information system security program or policy.