AWS’ NIST compliant cloud infrastructure services have been validated by third-party testing performed against the NIST 800-53 Rev. 4 controls plus FedRAMP requirements. AWS has received FedRAMP Authorizations to Operate (ATO) from multiple authorizing agencies for both the AWS GovCloud (US) Region and the AWS US East/West regions. For more information, see the following links:

•   For a complete listing of authorizing agencies for the AWS East/West Regions, go here

•   For a complete listing of authorizing agencies for the AWS GovCloud, go here

•   For the AWS GovCloud JAB P-ATO at the high baseline, go here

For more information about the AWS FedRAMP program, please visit our FedRAMP webpage.

While some controls are specifically inherited from AWS, many of the controls are shared inheritance between you and AWS. Under NDA, AWS provides an AWS FedRAMP SSP template based upon NIST 800-53 Rev. 4, which is prepopulated with the applicable NIST 800-5 Rev. 4 low/moderate/high control baseline. Control responsibility is as follows:

• Shared Responsibility: You will provide security and configurations of your software components and AWS will provide security for its infrastructure.

• Customer-Only Responsibility: You are fully responsible for guest operating systems, deployed applications, and select networking resources (for example, firewalls). More specifically, you are solely responsible for configuring and managing security “in” the cloud.

• AWS-Only Responsibility: AWS manages the cloud infrastructure, including the network, data storage, system resources, data centers, physical security, reliability, and supporting hardware and software. Applications built on top of the AWS system inherit the features and configurable options that AWS provides. AWS is solely responsible for configuring and managing security “of” the cloud.

For security authorization purposes, compliance with the FedRAMP requirements (based on NIST 800-53 rev 4 Low/Moderate/High control baseline) is contingent upon AWS fully implementing AWS-Only and Shared controls, and you implementing Customer-Only and Shared controls. A FedRAMP accredited 3PAO (Third Party Assessor Organization) has assessed and authorized AWS’ implementation of their control responsibility. The portion of shared controls that you are responsibility for, and controls related to applications you implement on top of the AWS infrastructure, must be separately assessed and authorized by you in agreement with NIST 800-37 and customer-specific security authorization policies and procedures.

AWS FedRAMP compliant systems have been granted authorizations, have addressed the FedRAMP security controls (NIST SP 800-53), use the required FedRAMP templates for the security packages posted in the secure FedRAMP Repository, have been assessed by an accredited independent third party assessor (3PAO) and maintain continuous monitoring requirements of FedRAMP.

According to the AWS Shared Responsibility Model, AWS manages security of the cloud and you are responsible for security in the cloud. To support your implementation of shared responsibilities, AWS Quick Starts (powered by AWS CloudFormation) use a single click to automate the deployment of key technologies on the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a workload on AWS that addresses the need to achieve compliance with common security standards and frameworks such as PCI DSS and NIST 800-53.

Quick Starts streamline, automate and implement secure baselines with comprehensive rule sets that can be systematically enforced. For example, the Standardized Architecture for NIST-based Assurance Frameworks on the AWS Cloud Quick Start includes AWS CloudFormation templates. These templates can be integrated with AWS Service Catalog to automate building a standardized baseline architecture workload that falls in scope for NIST 800-53 (Revision 4) and NIST 800-171. The Quick Start also includes a security controls reference, which maps security controls architecture decisions, features, and configuration of the baseline. These can be used to support your compliance efforts in AWS in a way that makes sense for your organization’s AWS Cloud security and compliance objectives.

Both public and commercial sector organizations can use this whitepaper to assess the AWS environment against the NIST CSF and improve the security measures they implement and operate (also known as security in the cloud). We provide a detailed breakout of AWS Cloud offerings and associated customer and AWS responsibilities to facilitate alignment with the NIST CSF. The whitepaper also provides a third-party auditor letter attesting to the AWS Cloud offering’s conformance to NIST CSF risk management practices (also known as security of the cloud), allowing organizations to properly protect their data across AWS.

Organizations ranging from federal and state agencies to regulated entities to large enterprises can use this whitepaper as a guide for implementing AWS solutions to achieve the risk management outcomes in the NIST CSF.