The US Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays a key part in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS cloud services to process, store, and transmit federal government data.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. The governing bodies of FedRAMP include the Office of Management and Budget (OMB), US General Services Administration (GSA), US Department of Homeland Security (DHS), US Department of Defense (DoD), National Institutes of Standards & Technology (NIST), and the Federal Chief Information Officers (CIO) Council.
Cloud service providers who want to offer their products and services to the US government must demonstrate FedRAMP compliance. FedRAMP uses the NIST Special Publication 800 series and requires cloud service providers to receive an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure that authorizations are compliant with the Federal Information Security Management Act (FISMA). For more information, see the FedRAMP website.
Why is FedRAMP important?
In response to the Cloud First Policy, the Office of Management and Budget (OMB) issued the FedRAMP Policy Memo to establish the first government-wide security authorization program for FISMA. FedRAMP is mandatory for all US federal agencies and all cloud services. FedRAMP is important because it increases:
- Consistency and confidence in the security of cloud solutions using NIST and FISMA defined standards
- Transparency between US government and cloud providers
- Automation and near real time continuous monitoring
- Adoption of secure cloud solutions through reuse of assessments and authorizations
What are the requirements for FedRAMP compliance?
The Cloud First Policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP Program Management Office (PMO) has outlined the following requirements for FedRAMP compliance:
- The cloud service provider (CSP) has been granted an Agency Authority to Operate (ATO) by a US federal agency, or a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB).
- The CSP meets the FedRAMP security control requirements as described in the NIST 800-53, Rev. 4 security control baseline for moderate or high impact levels.
- All system security packages must use the required FedRAMP templates.
- The CSP must be assessed by a third-party assessment organization (3PAO).
- The completed security assessment package must be posted in the FedRAMP secure repository.
What are the types of FedRAMP compliance?
There are two paths for CSPs to be FedRAMP compliant:
1. JAB Authorization
To receive FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO), a CSP is reviewed by the FedRAMP Program Management Office (PMO), assessed by a FedRAMP-accredited 3PAO, and receives a P-ATO from the JAB. The JAB is made up of the Chief Information Officers (CIOs) from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).
2. Agency Authorization
To receive FedRAMP Agency Authority to Operate (ATO), a CSP is reviewed by a customer Agency CIO or Delegated Authorizing Official(s) to achieve a FedRAMP-compliant ATO that is verified by the FedRAMP Program Management Office (PMO).
Is Amazon Web Services FedRAMP compliant?
Yes, AWS offers the following FedRAMP compliant systems that have been granted authorizations, have addressed the FedRAMP security controls (based on NIST SP 800-53), used the required FedRAMP templates for the security packages posted in the secure FedRAMP Repository, has been assessed by an accredited independent third party assessor (3PAO) and maintains continuous monitoring requirements of FedRAMP:
AWS GovCloud (US), has been granted a Joint Authorization Board Provisional Authority-To- Operate (JAB P-ATO) and multiple Agency Authorizations (A-ATO) for high impact level. The services in scope of the AWS GovCloud (US) JAB P-ATO boundary at high baseline security categorization can be found within AWS Services in Scope by Compliance Program.
AWS US East-West, has been granted a Joint Authorization Board Provisional Authority-To- Operate (JAB P-ATO) and multiple Agency Authorizations (A-ATO) for moderate impact level. The services in scope of the AWS US East-West JAB P-ATO boundary at Moderate baseline security categorization can be found within AWS Services in Scope by Compliance Program.
Will compliance with FedRAMP increase my AWS service costs?
No, there is no increase in service costs for any region as a result of AWS’ FedRAMP compliance.
What AWS Regions are covered?
Are there US Government entities using AWS now?
Yes, over 2000 government agencies and other entities that provide systems integration and other products and services to governmental agencies are using the wide-range of AWS services today. You can review case studies about US government entities using AWS, including US Department of State, US Food and Drug Administration (FDA), US Centers for Disease Control and Prevention (CDC), NASA/JPL's Desert Research and Training Studies, NASA JPL and Amazon SWF, and NASA/JPL's Mars Curiosity Mission. For all available case studies, see the AWS Customer Success webpage. For more information about how AWS meets the high security requirements of governments, see the AWS for Government webpage.
What Services are Covered?
The covered AWS services that are already in scope of the FedRAMP and DoD SRG boundary can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services and/or have interest in other services please contact AWS Sales and Business Development.
Can Other AWS Services be Used?
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Can High Impact Level Systems be Placed on AWS?
Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, FedRAMP only applies to cloud computing systems at the FISMA low and moderate impact levels, however, AWS already meets many of the NIST 800-53 High controls and we have developed the AWS FISMA-High workbook for our customers who are looking to expand on the NIST Moderate baseline to build FISMA-High applications and services to support their critical workloads. Please contact our AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Where can I access the AWS FedRAMP Security Packages?
AWS customers can request access to the AWS FedRAMP Security Packages through the FedRAMP PMO or their AWS Sales Account Manager.
US Government agency customers can request access to the AWS FedRAMP Security Package from the FedRAMP PMO by completing a Package Access Request Form and submitting it to email@example.com, or contacting their AWS Sales Account Manager.
Non-government customers, such as AWS partners, can download the AWS Partner FedRAMP Security Package using AWS Artifact.
How does an agency leverage the AWS FedRAMP authorization?
An agency Authorizing Official (AO) can leverage any of the AWS FedRAMP Security Packages to review supporting documentation and make his or her own risk-based decision to grant an Agency Authority to Operate (ATO) to AWS. Agencies are responsible for issuing their own ATO on AWS and are also responsible for the overall authorization of their system components that are not covered in the AWS ATO. If you have questions or need more information, please contact your AWS Sales Account Manager.
How is continuous monitoring handled with FedRAMP authorizations?
Within the FedRAMP Concept of Operations (CONOPS), after an authorization has been granted, the CSP’s security posture is monitored according to the assessment and authorization process. To receive reauthorization of a FedRAMP authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable. Federal agencies leveraging the FedRAMP continuous monitoring program, and the Authorizing Officials (AO) and their designated teams, are responsible for reviewing the ongoing compliance of AWS. On a continuous, ongoing basis, AOs and their designated teams review artifacts provided through the AWS FedRAMP continuous monitoring process, in addition to evidence of the implementation of any agency-specific controls required beyond the FedRAMP controls. For additional information, see your agency’s information system security program or policy.
As a US federal agency, do I need an Interconnection Security Agreement (ISA) with AWS?
No. The FedRAMP PMO states that ISAs are not required for use between a CSP and a federal agency.
What if I need to discuss my organization’s FedRAMP-specific AWS workloads or architectures with AWS?
The AWS FedRAMP Security Package is available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
If you have specific follow-up questions regarding FedRAMP or DoD compliance, please contact your AWS Account Manager or submit the AWS Compliance Contact Us Form to be connected with your account team.