National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) 800-53 security controls are generally applicable to US Federal Information Systems. Federal Information Systems typically must go through a formal assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems.
The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of its sector or size. According to Gartner, in 2015 the CSF was used by approximately 30 percent of US organizations and usage is projected to reach 50 percent by 2020. Since Fiscal Year 2016, federal agency Federal Information Security Modernization Act (FISMA) metrics have been organized around the CSF, and agencies are now required to implement the CSF under the Cybersecurity Executive Order.
Is AWS compliant with the NIST 800-53 framework?
Yes, AWS Cloud infrastructure and services have been validated by third-party testing performed against the NIST 800-53 Revision 4 controls, as well as additional FedRAMP requirements. AWS has received FedRAMP Authorizations to Operate (ATO) from multiple authorizing agencies for both AWS GovCloud (US) and the AWS US East/West Region. For more information, see the AWS FedRAMP compliance webpage, or the following FedRAMP Marketplace webpages:
What are my customer responsibilities to align my AWS systems with NIST frameworks?
While some of your controls are inherited from AWS, many of the controls are shared inheritance between you as a customer and AWS. Under NDA, AWS provides an AWS FedRAMP SSP template based upon NIST 800-53 Rev. 4, which is prepopulated with the applicable NIST 800-5 Rev. 4 low/moderate/high control baseline. Control responsibility is as follows:
- Shared Responsibility: You will provide security and configurations of your software components and AWS will provide security for its infrastructure.
- Customer-Only Responsibility: You are fully responsible for guest operating systems, deployed applications, and select networking resources (for example, firewalls). More specifically, you are solely responsible for configuring and managing your security in the cloud.
- AWS-Only Responsibility: AWS manages the cloud infrastructure, including the network, data storage, system resources, data centers, physical security, reliability, and supporting hardware and software. Applications built on top of the AWS system inherit the features and configurable options that AWS provides. AWS is solely responsible for configuring and managing security of the cloud.
For security authorization purposes, compliance with the FedRAMP requirements (based on NIST 800-53 rev 4 Low/Moderate/High control baseline) is contingent upon AWS fully implementing AWS-Only and Shared controls, and you implementing Customer-Only and Shared controls. A FedRAMP accredited third-party assessment organization (3PAO) has assessed and authorized AWS implementation of our control responsibility. The portion of shared controls that you are responsible for, and controls related to applications you implement on top of the AWS infrastructure, must be separately assessed and authorized by you, in agreement with NIST 800-37 and your specific security authorization policies and procedures.
How can AWS help me achieve alignment with NIST frameworks?
AWS FedRAMP-compliant systems have been granted authorizations, have addressed the FedRAMP security controls (NIST SP 800-53), use the required FedRAMP templates for the security packages posted in the secure FedRAMP Repository, have been assessed by an accredited independent third-party assessment organization (3PAO) and maintain the continuous monitoring requirements of FedRAMP.
According to the AWS Shared Responsibility Model, AWS manages security of the cloud and you are responsible for your security in the cloud. To support your implementation of shared responsibilities, AWS has created Quick Start solutions (powered by AWS CloudFormation) that use a single click to automate your deployment of important technologies in the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a workload in AWS that addresses the compliance requirements of security standards and frameworks such as NIST 800-53.
AWS Quick Starts streamline, automate, and implement secure baselines with comprehensive rule sets that can be systematically enforced. For example, the Quick Start Standardized Architecture for NIST-based Assurance Frameworks on the AWS Cloud includes AWS CloudFormation templates. These templates can be integrated with AWS Service Catalog to automate building a standardized baseline architecture workload that falls in scope for NIST 800-53 Revision 4 and NIST 800-171. This Quick Start also includes a security controls reference, which maps security controls architecture decisions, features, and configuration of the baseline. Quick Starts can be used to support your compliance efforts in AWS in a way that makes sense for your organization’s AWS Cloud security and compliance objectives.
How should I use the NIST CSF?
Whether you are a public or commercial sector organization, you can use the NIST Cybersecurity Framework (CSF) whitepaper to assess your AWS environment against the NIST CSF, and improve the security measures you implement and operate (your part of the Shared Responsibility Model, also known as security in the cloud). To facilitate your alignment with the NIST CSF, we provide a detailed description of AWS Cloud services and the associated customer and AWS responsibilities. The whitepaper also provides a third-party auditor letter attesting to the AWS Cloud services’ conformance to NIST CSF risk management practices (our part of the Shared Responsibility Model, also known as security of the cloud), allowing organizations to properly protect their data across AWS.
Organizations including federal and state agencies, regulated entities, and large enterprises can use this whitepaper as a guide for implementing AWS solutions to achieve the risk management outcomes in the NIST CSF.