National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls apply to US Federal Information Systems. Such systems typically must go through a formal assessment and authorization process to ensure sufficient protection of the confidentiality, integrity, and availability of the information they hold and of the systems themselves.
The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for any organization, regardless of sector or size. According to Gartner, in 2015 the CSF was used by approximately 30 percent of US organizations, with usage projected to reach 50 percent by 2020. Since Fiscal Year 2016, the Federal Information Security Modernization Act (FISMA) metrics that federal agencies report against have been organized around the CSF, and agencies are now required to implement the CSF under Executive Order 13800 (the Cybersecurity Executive Order).
Is AWS compliant with the NIST 800-53 framework?
Yes. AWS Cloud infrastructure and services have been validated by third-party testing against the NIST SP 800-53 Revision 4 controls, plus the additional FedRAMP requirements. AWS has received FedRAMP Authorizations to Operate (ATOs) from multiple authorizing agencies for both AWS GovCloud (US) and the AWS US East/West Regions. For more information, see the AWS FedRAMP compliance webpage, or the following FedRAMP Marketplace webpages:
What are my customer responsibilities to align my AWS systems with NIST frameworks?
Some controls are inherited entirely from AWS, but many are shared between you as the customer and AWS. Control responsibility breaks down as follows:
- Shared Responsibility: You secure and configure the software components you deploy; AWS secures the infrastructure those components run on.
- Customer-Only Responsibility: You are fully responsible for guest operating systems, deployed applications, and select networking resources (for example, firewalls and security group rules). In short, you alone configure and manage your security in the cloud.
- AWS-Only Responsibility: AWS manages the cloud infrastructure, including the network, data storage, system resources, data centers, physical security, reliability, and supporting hardware and software. Applications built on AWS inherit the features and configurable options that AWS provides, but AWS alone configures and manages security of the cloud.
For security authorization purposes, compliance with the FedRAMP requirements (based on the NIST SP 800-53 Rev 4 Low, Moderate, and High control baselines) depends on AWS fully implementing the AWS-Only controls and its portion of the Shared controls, and on you implementing the Customer-Only controls and your portion of the Shared controls. A FedRAMP-accredited third-party assessment organization (3PAO) has assessed AWS's implementation of its control responsibility, and that implementation is covered by the AWS FedRAMP authorizations. The portion of the Shared controls that you are responsible for, and the controls for applications you build on top of the AWS infrastructure, are outside that assessment: you must have them separately assessed and authorized, in accordance with NIST SP 800-37 (the Risk Management Framework) and your own security authorization policies and procedures.
How can AWS help me achieve alignment with NIST frameworks?
AWS FedRAMP-authorized systems have been granted authorizations, address the FedRAMP security controls (drawn from NIST SP 800-53), use the required FedRAMP templates for the security packages posted in the secure FedRAMP repository, have been assessed by an accredited independent third-party assessment organization (3PAO), and meet FedRAMP's continuous monitoring requirements.
Under the AWS Shared Responsibility Model, AWS manages security of the cloud and you are responsible for your security in the cloud. To support your side of that split, AWS created the Landing Zone Accelerator on AWS solution (powered by AWS CloudFormation). The solution deploys a multi-account cloud foundation architected to align with AWS best practices and multiple global compliance frameworks, including NIST-based frameworks, so that customers with highly regulated workloads and complex compliance requirements can better manage and govern their environment. Used together with other AWS services, it provides a low-code foundation spanning 35+ AWS services that is secure, resilient, scalable, and fully automated, and it shortens the time to readiness for your cloud compliance program. Note: this solution will not, by itself, make you compliant. It provides the foundational infrastructure into which additional, complementary solutions can be integrated, and your own controls still have to be implemented and assessed on top of it.
How should I use the NIST CSF?
Whether you are a public or commercial sector organization, you can use the AWS NIST Cybersecurity Framework (CSF) whitepaper to assess your AWS environment against the NIST CSF and to improve the security measures you implement and operate (your part of the Shared Responsibility Model, also known as security in the cloud). To help you align with the NIST CSF, the whitepaper gives a detailed description of AWS Cloud services and the associated customer and AWS responsibilities for each. It also includes a third-party auditor letter attesting to the AWS Cloud services' conformance to NIST CSF risk management practices (AWS's part of the Shared Responsibility Model, also known as security of the cloud), so organizations can properly protect their data on AWS.
Organizations including federal and state agencies, regulated entities, and large enterprises can use this whitepaper as a guide for implementing AWS solutions that achieve the risk management outcomes in the NIST CSF.