AWS Public Sector Blog

AWS recognized by GovRAMP Federal JAB Attestation

We are pleased to announce that Amazon Web Services (AWS) is now listed on the GovRAMP Authorized Product List under the GovRAMP Federal JAB Attestation category for both AWS GovCloud (US) (High) and AWS US East/West (Moderate) regions. GovRAMP—formerly known as StateRAMP—is a nonprofit organization that provides a standardized framework designed specifically for state and local governments in the United States (US) to ensure cloud security compliance.

Similar to FedRAMP but tailored to state and local government needs, GovRAMP provides a consistent approach to security assessment, authorization, and continuous monitoring for cloud products and services. This Provisional Authorization to Operate (P-ATO) recognizes AWS GovCloud (US) as a secure environment in which to run highly sensitive government workloads, including Personally Identifiable Information (PII), sensitive student and patient records, financial data, research data, health data, and other Controlled Unclassified Information (CUI).

StateRAMP rebranded to GovRAMP in Q1 of fiscal year 2025 to better reflect its expanded scope beyond state governments. Originally created by state officials in 2021, the organization attracted interest from local governments and educational institutions to support the “whole-of-state” cybersecurity model where services are shared across different government levels. These developments demonstrate the exciting evolution of cloud computing usage within US state and local governments. We’re seeing a growing number of US state and local government agencies using AWS to better protect and secure their sensitive data and critical workloads, leveraging the advanced security and control features that AWS provides. To date, more than 11,000 government entities worldwide have utilized AWS, and we anticipate this high baseline P-ATO will broaden the use of AWS across city, county, and state agencies.

This recognition of our FedRAMP authorization as meeting GovRAMP requirements showcases AWS’s commitment to customer security and compliance requirements, and applies to both the AWS GovCloud (High) and AWS US East/West (Moderate) regions, including Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), AWS Identity and Access Management (IAM), and Amazon Elastic Block Store (EBS). Launched in 2011, the AWS GovCloud (US) Region is isolated and designed to host sensitive workloads in the cloud. AWS GovCloud (US) also adheres to US International Traffic in Arms Regulations (ITAR), Criminal Justice Information Services (CJIS) requirements, and Levels 2 and 4 of Department of Defense systems. To learn more about AWS’s GovRAMP compliance, visit this webpage.

If you have additional questions about GovRAMP, contact us, or if you would like to learn more about compliance in the cloud, see our AWS Cloud Compliance page.

Lauren Cline

Lauren is a security compliance specialist at AWS who leads security compliance initiatives to accelerate AWS service adoption across the federal government and state governments. With over 15 years of experience in compliance, risk management, and information security, she brings extensive expertise to safeguarding cloud infrastructures. A Certified Information Systems Security Professional (CISSP) from ISC² and holder of a bachelor's degree in Management Information Systems from East Carolina University, Lauren leverages her technical knowledge and educational background to navigate the complex landscape of security compliance. In her role, she ensures AWS services meet rigorous security standards, building trust and enabling customers to confidently leverage AWS technologies.