ATO on AWS consists of varying resources that help expedite the authorization process. APN Partners in this program have access to both technical Security Automation and Orchestration (SAO) capabilities as well as direct engagement with highly qualified AWS compliance specialists.
The ATO on AWS program reduces the time and cost associated with achieving compliance certifications and authorizations while enabling a capability to continuously develop, integrate, and monitor a solution throughout its life cycle. The program is a partner-driven process which includes training, tools, pre-built AWS CloudFormation templates, control implementation details, and pre-built policy/procedure artifacts.
Benefits of ATO on AWS
Best practices for meeting compliance requirements for solutions on AWS, and maintaining a compliant environment effectively and efficiently over time.
Guidance, templates, and tools
Reusable artifacts, tools, and pre-built templates that ISVs can use to build and optimize DevOps, SecOps, Continuous Integration/Continuous Delivery (CI/CD), and Continuous Risk Treatment (CRT) using proven techniques from AWS Security Automation and Orchestration (SAO). Additionally, we have partnered with multiple solution providers who provide products and tools that help simplify and accelerate compliance authorization and management.
Qualified AWS compliance specialists will provide mentorship, oversight, and support through the process, from planning to authorization. We also have expert consulting partners trained in SAO who can be contracted to manage and support the process and resources.
Joint partner programs
We will be supporting our leading APN Partners in the development and delivery of programs that add value to “ATO on AWS” by providing ISVs with more options and unique capabilities.
Once ISVs achieve their ATO, we will jointly develop and execute a marketing plan to raise awareness and educate customers about the solution. Solutions will be published and marketed on the “ATO on AWS” landing page, and have the option of publication of a written or video case study/testimonial.
Qualified for compliant workloads
AWS supports Managed Service Providers (MSPs) to build and support environments that meet specific compliance standards. These MSPs will be good options for ISVs who prefer to minimize and simplify their area of responsibility by offloading hosting and compliance management.
Achieving FedRAMP compliance
Customers and Solution Providers interested in pursuing FedRAMP or in the process of achieving ATO on AWS should fill out this form.
Achieving other compliance authorizations
Customers and Solution Providers interested in achieving any other compliance authorizations should contact ATOonAWS@amazon.com for more information.
Find an ATO on AWS Partner
Interested in working with an APN Partner who has a proven track record of achieving key public sector security and compliance certifications and authorizations? Check out our APN Partners below:
These APN Partners are vetted security partners providing consulting, deployment, and integration services as well as a staff of AWS partner security strategists that can provide high-level advisory services to end customers and partners alike.
Compliance Consulting Partners
ClearDATA is the leader in HIPAA compliant, AWS managed services for healthcare providers, payers, and tech companies that support them.
ClearDATA is a healthcare-exclusive, HITRUST-certified APN Partner. Advanced monitoring and automation, combined with a comprehensive BAA, ensure that healthcare organizations and the technology companies that support them adhere to the highest standards in security and compliance.
CloudHesive | Workload Migration and Management for Public Sector
CloudHesive and our team have experience in working with private sector providers in designing, documenting, building and managing their platforms’ operating environments, including the selection and implementation of appropriate marketplace solutions and the creation of supporting documentation (package/materials) for ATO submittals.
CloudHesive’s experience with native AWS services, the AWS ecosystem at large and the ATO process allows us to design, document (package/materials), build and manage the environments in support of your mission or your customer’s mission, including both shrink-wrap and custom developed software.
Coalfire | FedRAMP: Automation, Engineering, and Advisory Services
Coalfire offers automation, engineering, and advisory services to enable FedRAMP ATO on AWS in dramatically less time and at reduced cost.
Coalfire, a leading FedRAMP advisor and third-party assessment organization (3PAO), has consulted and prepared over 89 clients for FedRAMP audits. Coalfire’s automation deployment techniques enable FedRAMP ATO on AWS in drastically less time and at reduced cost when compared to traditional methods.
As an APN Advanced Consulting and Public Sector Partner, InfusionPoints makes use of the highly innovative features of the AWS platform to deliver a highly available and secure customer experience.
InfusionPoints provides AWS expertise to deploy cloud solutions so you can stay focused on your core mission, infusing security at every point in the life cycle of your cloud environment from concept to operations.
JHC Technology, Inc.
With extensive FISMA-compliant projects across the Government, JHC Technology can take you from roadmap and planning through FISMA-compliant rollout and on to support of the requisite documentation. ATO on AWS delivered by JHC Technology, an APN Premier Partner, provides the efficiency, reliability, and expertise necessary to meet rigorous A&A standards.
JHC Technology delivers FISMA-compliant solutions across Government agencies, including Civilian and Defense. We take a phased approach to securely move an agency through the A&A process. Our AWS certified architects map requirements identified in discovery to FISMA controls, provision the ATO on AWS architecture, and prepare SSP documents for assessment.
Kratos | Cybersecurity Services
Kratos is among the most experienced and trusted third-party assessment organization (3PAO) performing assessments, advisory services, and continuous monitoring for clients targeting FedRAMP ATOs. As cloud security experts, we’ve built streamlined and automated processes to accelerate our clients through the FedRAMP authorization process and help maintain their ATO.
Kratos Cybersecurity Services group has been involved with the FedRAMP program since its launch. Over our years of involvement we have focused on reducing our clients’ time and level of effort for acquiring and maintaining their FedRAMP ATO. With audit automation software and deep knowledge of the AWS IaaS/PaaS solutions, we are able to provide reduced timelines and improved accuracy in audit reporting.
Quzara experts understand AWS Security – our Vendor-Agnostic team drives Automation, Compliance and Security Architecture solutions for Federal and Commercial customers.
Quzara provides strategic consulting for Federal (FedRAMP) and Commercial customers. Our AWS Certified team delivers Cyber Engineering, Compliance Documentation and Managed Security services. Our Managed services platform, Cybertorch, provides advanced Application Security Monitoring, Detection and Response capabilities for the layer which is closest to the data – your applications.
Schellman & Company, LLC | Cybersecurity Attestation, Compliance, and Certification Services
Featuring significant experience assessing AWS environments, Schellman provides customers with the ability to consolidate their SOC, PCI, ISO 27001, FedRAMP, HITRUST, penetration testing, and privacy assessments under a single assessor, utilizing a coordinated team approach and an advanced purpose-built audit collaboration platform in order to decrease internal costs for clients.
As a top 100 CPA firm, Schellman’s nearly 2,000 annual assessments and 800+ clients span industries from fintech to healthcare, and over 50% of our clients utilize more than one service. Among those, Schellman has assessed some of the most complex AWS-hosted federal and DoD deployments by FedRAMP CSPs.
Smartronix | Cloud Assured Managed Services (CAMS™)
Achieve FedRAMP, HIPAA, DFARS, DoD Impact Level 4/5, or PCI compliance with our accredited managed services offering. Our managed services and managed security services support workloads in all US AWS regions and AWS GovCloud regions.
The Cloud Assured Managed Services platform was designed to support 24x7x365 management of critical infrastructure requiring the most rigid compliance frameworks. Core services include Patch, Backup, Antivirus, Monitoring, Boundary protection, and Billing advisory services. Advanced security services include Incident Response, Log Aggregation and Analysis, Advanced Threat Detection, and Intrusion Detection and Prevention Services.
stackArmor | ThreatAlert Cloud GSS
stackArmor’s ThreatAlert Cloud GSS helps organizations reduce the time and cost of achieving an ATO by 40 to 50%. Our unique “in-boundary” Cloud GSS provides over 150 controls along with security control definitions and a battle-tested team of experts with over 10 years of experience with FISMA, FedRAMP and AWS-based ATOs.
We provide FedRAMP, FISMA, MARS-E 2.0 and DFARS compliance for DoD, Federal Agencies, Government Contractors, ISVs & SaaS providers and Educational Institutions. The ThreatAlert Cloud GSS deployed within the customer’s AWS account cuts down the time and cost associated with an ATO. Our agile “pay by sprint” implementation methodology provides financial freedom from expensive consulting contracts.
Compliance Technology Partners
Allgress | ComplianceVision – SAO edition
Allgress ComplianceVision is the only available software solution that integrates with SAO services and Amazon Partner Network APIs to document, validate, verify, monitor, and maintain regulated AWS customer environments.
Organizations moving regulated workloads into AWS are faced with the time-consuming tasks of documenting, validating, verifying and maintaining compliant regulated environments. Allgress ComplianceVision (CV) accelerates all these tasks by offering a software solution that utilizes the AWS SAO methodology, integrates SAO services with APN Partner APIs, and provides content and guidance.
Anitian | Anitian Compliance Automation
Anitian Compliance Automation harnesses the power and scale of AWS to deliver compliance at ludicrous speed. Compliance Automation automatically builds a security infrastructure, pre-configured to meet requirements for FedRAMP, PCI, ISO/GDPR, CJIS, and more. Backed with 24/7 monitoring and compliance guardrails, Compliance Automation is the fastest, proven path to certification.
Anitian Compliance Automation uses the latest automation technologies to build and configure a comprehensive security infrastructure, including endpoint security, IDS/IPS, SIEM, WAF, identity repository, configuration management, vulnerability management, container security, and more. The platform also includes a library of automation code and policy templates to accelerate DevOps teams through compliance.
Barracuda Networks | CloudGen WAF for AWS
Barracuda WAF for AWS protects your web, mobile and API applications from being compromised, and prevents data breaches, ensuring you maintain your reputation and your customer's confidence. Barracuda CloudGen WAF for AWS has achieved the AWS Security Competency.
The Barracuda CloudGen WAF for AWS protects applications, APIs, and mobile app backends against a variety of attacks including OWASP Top 10, zero-day threats, data leakage, and application-layer denial of service (DoS) attacks, and combines both positive signature-based policies with robust anomaly detection capabilities to defeat today’s most sophisticated attacks.
Barracuda Networks | CloudGen Firewall for AWS
Barracuda's Cloud Generation Firewall for AWS redefines the role of the Firewall to a distributed network optimization solution that scales across any number of locations and applications, connects on-premises and cloud infrastructures, and helps organizations transform their business. Barracuda CloudGen Firewall for AWS has achieved the AWS Security Competency.
Barracuda CloudGen Firewall for AWS delivers advanced security by tightly integrating a comprehensive set of next-generation firewall technologies, including Layer 7 application profiling, intrusion prevention, web filtering, malware and advanced threat protection, antispam protection, and network access control.
Barracuda Networks | Cloud Security Guardian
Build Fast. Stay Secure. Barracuda Cloud Security Guardian watches over security and compliance in your AWS cloud infrastructure, so your builders can focus on what they do best – building your business applications. Cloud Security Guardian is CIS Benchmarks certified.
Barracuda Cloud Security Guardian is an agentless SaaS service that helps organizations stay secure while building applications in and moving workloads to the public cloud. It provides end-to-end visibility of your security posture in your public cloud deployment by ensuring continuous compliance and automated remediation of security controls.
Center for Internet Security (CIS) | CIS Hardened Images
CIS Hardened Images are virtual machine images that are securely configured based on the recommendations of the CIS Benchmarks. Start secure and reduce configuration time by using AMIs that are based on configuration guidelines proven to safeguard systems against cyber threats.
CIS Hardened Images are preconfigured to CIS Benchmarks, system configuration guidelines that are developed through community consensus. CIS Benchmarks are recognized by the DoD Cloud Computing SRG, PCI DSS, and other compliance frameworks. CIS Hardened Images are available in all AWS Regions, including the AWS GovCloud (US) Region and AWS for the IC.
CloudCheckr Inc. | CloudCheckr
CloudCheckr unifies IT, security and finance teams and provides total visibility, deep insight, cloud automation and governance. CloudCheckr is a comprehensive cloud management solution, helping manage and automate cost and security for public cloud environments.
CloudCheckr helps public sector organizations increase efficiencies, strengthen security and optimize costs. With its certified AWS Government Competency for expertise in highly secure cloud environments, we offer continuous security monitoring, policy enforcement and usage visibility to meet all related compliance requirements, including HIPAA, FedRAMP, DFARS and more.
ComplyUp | Compass
Effortless compliance assessment and documentation management in a simple, team-friendly interface.
ComplyUp’s Compass helps you bridge the documentation gap between your ATO on AWS deployment and your compliance documentation requirements. The Compass interface drives your team forward through each requirement, auto-generates all documentation, and allows you to share your ATO on AWS assessment with external service providers or auditors.
Duo Security | Duo's Trusted Access
Duo's cloud-based trusted access solution is a user-centric zero-trust security platform to protect access to sensitive data at scale for all users, all devices and all applications.
Duo's Trusted Access solution provides secure access to your applications and data, no matter where your users are, on any device, from anywhere. Duo’s trusted access solution creates trust in users, devices and the applications they access. Reduce the risk of a data breach and ensure trusted access to sensitive data.
GitHub | GitHub Enterprise
With flexible security, compliance, and deployment controls for organizations, your team can use GitHub Enterprise wherever you need it to be.
At GitHub, we deploy dozens of times per day using our own product. Like us, our customers use GitHub Enterprise across the entire development process. This platform for continuous integration and deployment allows you to build and ship better software, faster.
HashiCorp | ATO on AWS Products: Vault and Terraform
HashiCorp is the leader in multi-cloud/hybrid infrastructure automation software. The HashiCorp software suite enables organizations to adopt consistent workflows to provision, secure, connect, and run any infrastructure for any application. Enterprise versions of Terraform, Vault, Nomad and Consul enhance the open source tools with features that promote collaboration, operations, governance, and multi-data center functionality.
HashiCorp Terraform is the world’s most widely used cloud provisioning product and can be used to provision infrastructure for any application using an array of providers for any target platform. HashiCorp Vault enables teams to securely store and tightly control access to tokens, passwords, certificates, and encryption keys for protecting machines and applications. This provides a comprehensive secrets management solution. Beyond that, Vault helps protect data at rest and data in transit.
McAfee | Virtual Network Security Platform (vNSP)
McAfee vNSP is a next-generation IPS solution architected for AWS that provides an intelligent security solution that discovers and blocks sophisticated threats in the network with unmatched speed, accuracy, and simplicity. Enabled for the most critical AWS Regions, the vNSP solution delivers best-in-class enterprise security against sophisticated attacks and enhanced protection for critical workloads.
Accelerate your ATO by adding McAfee Virtual Network Security Platform (McAfee vNSP) to help identify malicious/anomalous network activity and threats that may otherwise be less detectable with traditional tools. Using this intelligent threat protection platform can accelerate cloud adoption and compliance initiatives such as FedRAMP, PCI DSS, and others.
Red Hat | OpenShift Container Platform
Red Hat OpenShift integrates with Amazon Web Services to provide rapid, reliable, and secure development and deployment of applications and other container-based solutions.
Combining Red Hat OpenShift Container Platform and the AWS Cloud platform gives you a flexible, high-performance application environment that supports modern, digital operations. Built on open source innovation and industry standards, Red Hat OpenShift Container Platform is a comprehensive platform for building and running container-based applications with enterprise-grade Kubernetes. Develop, deploy, and manage traditional and container-based applications seamlessly across physical and AWS Cloud environments—without needing to recode or refactor applications. Speed iteration cycles and innovation with self-service capabilities and automation.
Red Hat | Ansible
Red Hat® Ansible® Automation is automation software with hundreds of modules that can automate nearly 100 Amazon Web Services offerings and processes.
Using Ansible to automate your applications in AWS greatly increases the chances that your cloud initiative will be a success. The breadth of AWS capability enables IT organizations to dynamically provision entire workloads like never before. To harness this power, IT organizations must securely control cloud deployments and reliably migrate existing apps to AWS, and Ansible is key to doing this reliably. When you deploy an application into AWS, you will soon realize that the cloud is much more than a collection of servers in someone else's data center. You now have a fleet of services available to you to rapidly deploy and scale applications. However, if you continue to manage AWS like just a group of servers, you won’t see the full benefit of your migration to the cloud. Ansible automation can help you manage your AWS environment like a fleet of services instead of a collection of servers.
SAINT Corporation | SAINT Security Suite for AWS
SAINT Security Suite interoperates within your AWS environment to provide comprehensive vulnerability scanning, penetration testing, social engineering, configuration assessment and compliance reporting of AWS workloads in a fully-integrated solution.
SAINT Security Suite deploys on AWS EC2 instances to perform vulnerability management and compliance reporting of AWS workloads. SAINT CloudFormation templates in the ATO for AWS GitHub repository facilitate ease of deployment and interoperability across ATO for AWS partner solutions to accelerate the process of FedRAMP and PCI compliance.
Telos Corporation | Xacta
Cloud security and compliance automation solutions to accelerate secure cloud deployments.
Xacta speeds cloud compliance with controls inheritance and automation. Stand up cloud-based workloads faster by expediting required approvals; automating risk assessment, remediation, and compliance reporting; leveraging easy-to-use capabilities for accessing, managing, and visualizing compliance data; viewing at-a-glance status of risk and vulnerabilities; and generating enterprise information assurance documentation.
Trend Micro | Deep Security
Trend Micro Deep Security consolidates your security tooling and automates protection, simplifying compliance and giving customers the ability to meet and maintain requirements for FedRAMP, NIST, PCI DSS, HIPAA, and more. With Trend Micro and ATO, customers are able to access direct engagement and guidance from AWS compliance specialists and Trend Micro security and automation experts.
Trend Micro delivers leading cloud native security optimized to automatically protect and scale across platforms, data centers, clouds, and containers, baking security into your CI/CD pipeline and DevOps processes. Build secure, ship fast, and run anywhere with security-as-code, continuous automation, and tools designed to secure applications across your evolving hybrid environment.
Yubico | External Security Key - YubiKey
Yubico, the inventor of the YubiKey, sets global standards for affordable, easy to use two-factor authentication that can be used everywhere for secure access to computers, networks, and online services.
The YubiKey is a hardware authenticator used for two-factor and smart card authentication. With a simple touch, the YubiKey protects access to computers, networks, and online services. Available with a choice of USB-A and USB-C connectors and NFC, AWS IAM and root users can use their YubiKey as a multi-factor authentication (MFA) device to add an extra layer of protection on top of their username and password.
Zscaler | Zscaler Private Access – Government (Zero Trust Networking – VPN Replacement)
ZPA-Government enables digital government with Zero Trust Networking. By replacing legacy VPN technology and providing encrypted connections to applications, this solution eliminates the risks introduced by unmanaged devices while reducing the threat of lateral access.
ZPA-Government is an AWS GovCloud-based service that provides authorized users with secure Zero Trust access to applications hosted on AWS and other destination clouds using a software-defined perimeter, without placing users on the network. Inside-out connectivity ensures applications are “dark” to unauthorized users, eliminating the risks of lateral access, DDoS attacks, and other threats. ZPA-Government replaces VPN technology.
CrowdStrike has revolutionized endpoint protection by unifying next-generation antivirus, endpoint detection and response (EDR), and a 24/7 managed hunting service. CrowdStrike Falcon protects customers against advanced cyber-attacks, using sophisticated signature-less artificial intelligence/machine learning and Indicator of Attack (IOA) based threat prevention to stop known and unknown threats in real time. Core to its innovative approach is the CrowdStrike Threat Graph™ which analyzes and correlates over 45 billion events per day from millions of sensors deployed across more than 170 countries, providing crowdsourced protection for the entire customer community. In addition to Falcon Endpoint protection, CrowdStrike provides Falcon Intelligence, a Cyber Threat Intelligence service providing insights into the tools, tactics, and procedures of 80+ adversary groups – allowing government and organizations to plan for events in the future, diagnose incidents more efficiently, and monitor changes in the environment to prevent damage from advanced malware and targeted attacks.
Druva
Druva is a leader in cloud backup, data protection, and information management, leveraging AWS GovCloud (US) to offer a single pane of glass to protect, preserve, and discover information, dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost, and complexity of managing and protecting it. Druva’s award-winning solutions intelligently collect data, and unify backup, disaster recovery, archival, and governance capabilities onto a single, optimized data set. As one of the industry's fastest growing data protection providers, Druva is trusted by over 4,000 global organizations and protects over 25 PB of data.
FireEye
The FireEye® Email Threat Prevention Cloud is a SaaS offering that not only combats against today’s advanced email attacks but also provides anti-spam and anti-virus protection. To protect against malicious emails, organizations simply route messages to the Email Threat Prevention Cloud. The cloud analyzes the emails for spam and known viruses first. It then uses the signature-less FireEye Multi-vector Virtual Execution™ (MVX) engine to analyze attachments and URLs to detect threats and stop APT attacks in real time. Email Threat Prevention Cloud integrates with the entire FireEye portfolio for real-time threat intelligence sharing. This rich correlation of threat intelligence provides organizations several unique capabilities, such as: identifying previous targets of spear-phishing emails; finding out if the message is being forwarded to new targets; and highlighting URLs that become malicious after message delivery. For added accessibility and ease-of-use, the dashboard shows region- and industry-based malware trends, and audit logging.
New Relic
New Relic is a comprehensive cloud-based observability platform built to create more perfect software. From the beginning, New Relic’s ambition has driven the company to instrument more of the digital world than anyone else. The world’s best software and DevOps teams rely on New Relic to move faster, make better decisions, and create best-in-class digital experiences. The New Relic One observability platform is open, connected, and programmable, empowering teams to find, visualize, and understand everything you need to deliver more perfect software. If you run software, you need to run New Relic.
Palantir
The Palantir Federal Cloud Service (PFCS) is a dedicated environment for the purpose of delivering Palantir software to federal government customers as a cloud service. Palantir enables organizations to integrate, manage, and secure all of their enterprise data, forming a single data asset that powers operations and decision-making. Users of varying technical ability collaborate in Palantir to accelerate analysis and compound their data asset, while a defense-in-depth architecture keeps data secure. Palantir Technologies has over a decade of experience deploying software to hundreds of government and commercial organizations, producing products that have been tested, hardened, and proven in the world's most complex and sensitive data environments. The PFCS allows customers to acquire Palantir in a matter of days to quickly deliver value against their hardest data problems.
TalaTek
The TalaTek intelligent Governance and Risk Integrated Solution (TiGRIS) software-as-a-service (SaaS) manages a customer’s governance, risk, and compliance (GRC) needs for an information system or network throughout its entire life cycle. Meet your governance, risk, and compliance goals with TalaTek's FedRAMP-authorized GRC solution. TiGRIS incorporates the high data privacy and security standards put forth by FISMA and NIST as well as the FIPS 140-2 guidance for data encryption and user authentication. TiGRIS provides a system of record, facilitating organization-wide monitoring from a single dashboard for one or more regulatory standards such as FISMA, FedRAMP, and HIPAA. Automate data gathering for internal audiences and third parties, and gather real-time data to assess risk measurement and risk impact. Create cascading workflows using automatic or decision-based triggers and alerts to ensure appropriate resources are engaged and action is taken. From inception through assessment and continuous monitoring to decommissioning, the TiGRIS application, developed by TalaTek’s team of security professionals, provides a user-friendly, powerful tool for GRC management.