Getting Started with Authority to Operate on AWS

Expedite regulated workloads with Authority to Operate on AWS

ATO on AWS consists of varying resources that help expedite the authorization process. AWS Partners in this program have access to both technical Security Automation and Orchestration (SAO) capabilities as well as direct engagement with highly qualified AWS compliance specialists.

The ATO on AWS program reduces the time and cost associated with achieving compliance certifications and authorizations while enabling a capability to continuously develop, integrate, and monitor a solution throughout its life cycle. The program is a Partner-driven process which includes training, tools, pre-built AWS CloudFormation templates, control implementation details, and pre-built policy/procedure artifacts.

AWS Partner Network Authority to Operate

Benefits of ATO on AWS


Best practices for meeting compliance requirements for solutions on AWS, and maintaining a compliant environment effectively and efficiently over time.

Guidance, templates, and tools

Reusable artifacts, tools, and pre-built templates that ISVs can use to build and optimize DevOps, SecOps, Continuous Integration/Continuous Delivery (CI/CD), and Continuous Risk Treatment (CRT) using proven techniques from AWS Security Automation and Orchestration (SAO). Additionally, we have partnered with multiple solution providers who provide products and tools that help simplify and accelerate compliance authorization and management.

Direct engagement

Qualified AWS compliance specialists will provide mentorship, oversight, and support through the process, from planning to authorization. We also have expert Consulting Partners trained in SAO who can be contracted to manage and support the process and resources.

Joint Partner programs

We will be supporting our leading AWS Partners in the development and delivery of programs that add value to “ATO on AWS” by providing more options to unique capabilities to ISVs.


Once ISVs achieve their ATO, we will jointly develop and execute a marketing plan to raise awareness and educate customers about the solution. Solutions will be published and marketed on the “ATO on AWS” landing page, and have the option of publication of a written or video case study/testimonial.

Qualified for compliant workloads

AWS supports Managed Service Providers (MSPs) to build and support environments that meet specific compliance standards. These MSPs will be good options for ISVs who prefer to minimize and simplify their area of responsibility by offloading hosting and compliance management.

Getting Started

Achieving FedRAMP compliance

Customers and Solution Providers interested in pursuing FedRAMP or in the process of achieving ATO on AWS should fill out this form

Achieving other compliance authorizations

Customers and Solution Providers interested in achieving any other compliance authorizations should contact for more information. 

Find an ATO on AWS Partner

Interested in working with an AWS Partner who has a proven track record of achieving key public sector security and compliance certifications and authorizations? Check out our AWS Partners below: 

AWS Partners

These AWS Partners are vetted security Partners providing consulting, deployment, and integration services as well as a staff of AWS Partner security strategists that can provide high-level advisory services to end customers and Partners alike.

  • Compliance Consulting Partners
  • Compliance Technology Partners
  • FedRAMP Partners
  • Compliance Consulting Partners
  • Consulting Partners


    A-LIGN is a technology-enabled security and compliance partner trusted by more than 2,500 global organizations to help mitigate cybersecurity risks.

    A-LIGN is a security and compliance partner that uniquely delivers a single-provider approach as an accredited FedRAMP 3PAO, designated CMMC C3PAO, HITRUST CSF Assessor firm, Qualified Security Assessor (QSA) company, accredited ISO 27001, ISO 27701, and ISO 22301 Certification Body, and licensed CPA firm. A-LIGN will leverage a flexible and customized methodology, proprietary compliance management platform A-SCEND, and 24-hour response time commitment to deliver affordable, quality, and timely audits and attestations.


    ClearDATA is the leader in HIPAA compliant, AWS managed services for healthcare providers, payers, and tech companies that support them.

    ClearDATA is a healthcare exclusive, HITRUST certified AWS Partner. Advanced monitoring and automation, combined with a comprehensive BAA, ensures healthcare organizations and the technology companies that support them are adhering to the highest standards in security and compliance.

    CloudHesive | Workload Migration and Management for Public Sector

    CloudHesive and our team has experience in working with private sector providers in designing, documenting, building and managing their platforms’ operating environments, including the selection and implementation of appropriate marketplace solutions and the creation of supporting documentation (package/materials) for ATO submittals.

    CloudHesive’s experience with native AWS services, the AWS ecosystem-at-large and the ATO process allow us to design, document (package/materials), build and manage the environments in support of your mission or your customer’s mission, including both shrink-wrap and custom developed software.

    Cloudticity Oxygen

    Cloudticity Oxygen™ provides over 200 inheritable and partially inheritable HITRUST controls. This allows for customers to shorten the certification/recertification timeline which increases their business differentiation and their time to revenue. Cloudticity Oxygen enables IT to unleash healthcare innovation via groundbreaking automation and deep cloud expertise. By offloading infrastructure operations, security, and compliance management to Oxygen, healthcare IT leaders can free up internal resources to focus on innovation.


    Prepare for a FedRAMP, NIST, or DoD audit in as little as 60 days with accelerated cloud engineering.

    Using AWS services and security and compliance vendor solutions, Accelerated Cloud Engineering FedRAMP Launchpad is preconfigured to address a number of regulatory compliance frameworks deployable in AWS East/West or AWS GovCloud regions. Accelerated Cloud Engineering FedRAMP Launchpad supports the following compliance regulations: NIST 800-53 (Low, Moderate, and High baselines), FedRAMP (Li-SaaS, Moderate, and High), and DoD Impact Levels 2-5 (IL2-IL5).

    eCloud Managed Solutions

    Reference architecture, workload migration, and managed services for healthcare, financial services, public sector, and more.

    eCloud Managed Solutions has experience working with automation through Infrastructure as Code (IaC) for healthcare, financial services, public sector, startups/SaaS providers, private equity, and manufacturing organizations. eCloud offers a US-based cloud concierge managed service for migration and migration planning, automated environment buildouts, security and compliance alignment, and managing AWS Cloud deployment.


    As an AWS Advanced Consulting and Public Sector Partner, InfusionPoints makes use of the highly innovative features of the AWS platform to deliver a highly available and secure customer experience.

    InfusionPoints provides AWS expertise to deploy cloud solutions so you can stay focused on your core mission, infusing security at every point in the life cycle of your cloud environment from concept to operations.

    JHC Technology, Inc.

    With extensive FISMA-compliant projects across the Government, JHC Technology can take you from roadmap and planning through FISMA compliant rollout and to support of the requisite documentation. ATO on AWS delivered by JHC Technology, an AWS Premier Partner, provides the efficiency, reliability, and expertise necessary to meet rigorous A&A standards.

    JHC Technology delivers FISMA-compliant solutions across Government agencies, including Civilian and Defense. We take a phased approach to securely move an agency through the A&A process. Our AWS certified architects map requirements identified in discovery to FISMA controls, provision the ATO on AWS architecture, and prepare SSP documents for assessment.

    Kratos | Cybersecurity Services

    Kratos is among the most experienced and trusted third-party assessment organization (3PAO) performing assessments, advisory services, and continuous monitoring for clients targeting FedRAMP ATOs. As cloud security experts, we’ve built streamlined and automated processes to accelerate our clients through the FedRAMP authorization process and help maintain their ATO.

    Kratos Cybersecurity Services group has been involved with the FedRAMP program since its launch. Over our years of involvement we have focused on reducing our client’s time and level of effort for acquiring and maintaining their FedRAMP ATO. With audit automation software and deep knowledge of the AWS IaaS/PaaS solutions, we are able to provide reduced timelines and improved accuracy in audit reporting.

    Quzara, LLC

    Quzara experts understand AWS Security – our Vendor-Agnostic team drives Automation, Compliance and Security Architecture solutions for Federal and Commercial customers.

    Quzara provides strategic consulting for Federal (FedRAMP) and Commercial customers. Our AWS Certified team delivers Cyber Engineering, Compliance Documentation and Managed Security services. Our Managed services platform, Cybertorch, provides advanced Application Security Monitoring, Detection and Response capabilities for the layer which is closest to the data – your applications.

    Schellman & Company, LLC | Cybersecurity Attestation, Compliance, and Certification Services

    Featuring significant experience assessing AWS environments, Schellman provides customers with the ability to consolidate their SOC, PCI, ISO 27001, FedRAMP, HITRUST, penetration testing, and privacy assessments under a single assessor, utilizing a coordinated team approach and an advanced purpose-built audit collaboration platform in order to decrease internal costs for clients.

    As a top 100 CPA firm, Schellman’s nearly 2,000 annual assessments and 800+ clients span industries from fintech to healthcare, and over 50% of our clients utilize more than one service. Among those, Schellman has assessed some of the most complex AWS-hosted federal and DoD deployments by FedRAMP CSPs.  

    Smartronix | Cloud Assured Managed Services (CAMS™)

    Achieve FedRAMP, HIPAA, DFARS, DoD Impact Level 4/5, or PCI compliance with our accredited managed services offering. Our managed services and managed security services support workloads in all US AWS regions and AWS GovCloud regions.

    The Cloud Assured Managed Services platform was designed to support 24x7x365 management of critical infrastructure requiring the most rigid compliance frameworks. Core services include Patch, Backup, Antivirus, Monitoring, Boundary protection, and Billing advisory services. Advanced security services include Incident Response, Log Aggregation and Analysis, Advanced Threat Detection, and Intrusion Detection and Prevention Services.

    stackArmor | ThreatAlert Cloud GSS

    stackArmor’s ThreatAlert Cloud GSS helps organizations reduce the time and cost of achieving an ATO by 40 to 50%. Our unique “in-boundary” Cloud GSS provides over 150 controls along with security control definitions and a battle-tested team of experts with over 10 years of experience with FISMA, FedRAMP and AWS-based ATO’s.

    We provide FedRAMP, FISMA, MARS-E 2.0 and DFARS compliance for DOD, Federal Agencies, Government Contractors, ISV’s & SaaS providers and Educational Institutions. The ThreatAlert Cloud GSS deployed within the customers’ AWS account cuts down the time and cost associated with an ATO. Our agile “pay by sprint” implementation methodology provides financial freedom from expensive consulting contracts.

  • Compliance Technology Partners
  • Technology Partners

    Allgress | ComplianceVision – SAO edition

    Allgress ComplianceVision is the only available software solution that integrates with SAO services and Amazon Partner Network API’s to document, validate, verify, monitor, and maintain regulated AWS customer environments.

    Organizations moving regulated workloads onto AWS are faced with the time-consuming tasks of documenting, validating, verifying and maintaining compliant regulated environments. Allgress ComplianceVision (CV) accelerates all these tasks by offering a software solution that utilizes the AWS (SAO) methodology, integrates (SAO) services with AWS Partner API’s, and provides content and guidance.

    Anitian | Anitian Compliance Automation

    Anitian Compliance Automation harnesses the power and scale of AWS to deliver compliance at ludicrous speed. Compliance Automation automatically builds a security infrastructure, pre-configured to meet requirements for FedRAMP, PCI, ISO/GDPR, CJIS, and more. Backed with 24/7 monitoring and compliance guardrails, Compliance Automation is the fastest, proven path to certification.

    Anitian Compliance Automation uses the latest automation technologies to build and configure a comprehensive security infrastructure, including endpoint security, IDS/IPS, SIEM, WAF, identity repository, configuration management, vulnerability management, container security, and more. The platform also includes a library of automation code and policy templates to accelerate DevOps teams through compliance.

    Barracuda Networks
    Barracuda Networks | CloudGen WAF for AWS

    Barracuda WAF for AWS protects your web, mobile and API applications from being compromised, and prevents data breaches— ensuring you maintain your reputation and your customer's confidence. Barracuda CloudGen WAF for AWS has achieved the AWS Security Competency.

    The Barracuda CloudGen WAF for AWS protects applications, APIs, and mobile app backends against a variety of attacks including OWASP Top 10, zero-day threats, data leakage, and application-layer denial of service (DoS) attacks, and combines both positive signature-based policies with robust anomaly detection capabilities to defeat today’s most sophisticated attacks.

    Barracuda Networks | CloudGen Firewall for AWS

    Barracuda's Cloud Generation Firewall for AWS redefines the role of the Firewall to a distributed network optimization solution that scales across any number of locations and applications, connects on-premises and cloud infrastructures, and helps organizations transform their business. Barracuda CloudGen Firewall AWS has achieved the AWS Security Competency.

    Barracuda CloudGen Firewall for AWS delivers advanced security by tightly integrating a comprehensive set of next-generation firewall technologies, including Layer 7 application profiling, intrusion prevention, web filtering, malware and advanced threat protection, antispam protection, and network access control.

    Barracuda Networks | Cloud Security Guardian

    Build Fast. Stay Secure. Barracuda Cloud Security Guardian watches over security and compliance in your AWS cloud infrastructure, so your builders can focus on what they do best – building your business applications. Cloud Security Guardian is CIS Benchmarks certified.

    Barracuda Cloud Security Guardian is an agentless SaaS service that helps organizations stay secure while building applications in and moving workloads to the public Cloud. It provides end to end visibility of your security posture in your public cloud deployment by ensuring continuous compliance and automated remediation of security controls.

    Center for Internet Security (CIS) | CIS Hardened Images

    CIS Hardened Images are virtual machine images that are securely configured based on the recommendations of the CIS Benchmarks. Start secure and reduce configuration time by using AMIs that are based on configuration guidelines proven to safeguard systems against cyber threats.

    CIS Hardened Images are preconfigured to CIS Benchmarks, system configuration guidelines that are developed through community consensus. CIS Benchmarks are recognized by the DoD Cloud Computing SRG, PCI DSS, and other compliance frameworks. CIS Hardened Images are available on all AWS region data centers including the AWS GovCloud (US) region and AWS for the IC.

    CloudCheckr Inc. | CloudCheckr

    CloudCheckr unifies IT, security and finance teams and provides total visibility, deep insight, cloud automation and governance. CloudCheckr is a comprehensive cloud management solution, helping manage and automate cost and security for public cloud environments.  

    CloudCheckr helps public sector organizations increase efficiencies, strengthen security and optimize costs. With its certified AWS Government Competency for expertise in highly secure cloud environments, we offer continuous security monitoring, policy enforcement and usage visibility to meet all related compliance requirements, including HIPAA, FedRAMP, DFARS and more.

    ComplyUp | Compass

    Effortless compliance assessment and documentation management in a simple, team-friendly interface.

    ComplyUp’s Compass helps you bridge the documentation gap between your ATO on AWS deployment and your compliance documentation requirements. The Compass interface drives your team forward through each requirement, auto-generates all documentation, and allows you to share your ATO on AWS assessment with external service providers or auditors.

    Dash Solutions
    Dash ComplyOps

    Dash ComplyOps allows organizations to create and manage an AWS specific security and compliance plan without the need for dedicated staff or in-house expertise. By connecting compliance and organizational policies directly to AWS monitoring, ComplyOps ensures teams are always audit ready.

    Duo Security | Duo's Trusted Access

    Duo's cloud-based trusted access solution is a user-centric zero-trust security platform to protect access to sensitive data at scale for all users, all devices and all applications.

    Duo's Trusted Access solution is Secure access to your applications and data, no matter where your users are - on any device - from anywhere. Duo’s trusted access solution creates trust in users, devices and the applications they access. Reduce the risk of a data breach and ensure trusted access to sensitive data.

    DuploCloud Automation Platform

    The DuploCloud Automation Platform is a no code/low code DevSecOps automation platform that enables you to focus on your product while the bot does the heavy lifting, building automation, and implementing security and compliance controls including SOC2, HIPAA, PCI, and GDPR.

    GitHub | GitHub Enterprise

    With flexible security, compliance, and deployment controls for organizations, your team can use GitHub Enterprise wherever you need it to be.

    At GitHub, we deploy dozens of times per day using our own product. Like us, our customers use GitHub Enterprise across the entire development process. This platform for continuous integration and deployment allows you to build and ship better software, faster.

    HashiCorp | ATO on AWS Products: Vault and Terraform

    HashiCorp is the leader in multi-cloud/hybrid infrastructure automation software. The HashiCorp software suite enables organizations to adopt consistent workflows to provision, secure, connect, and run any infrastructure for any application. Enterprise versions of Terraform, Vault, Nomad and Consul enhance the open source tools with features that promote collaboration, operations, governance, and multi-data center functionality.

    HashiCorp Terraform is the world’s most widely used cloud provisioning product and can be used to provision infrastructure for any application using an array of providers for any target platform. HashiCorp Vault enables teams to securely store and tightly control access to tokens, passwords, certificates, and encryption keys for protecting machines and applications. This provides a comprehensive secrets management solution. Beyond that, Vault helps protect data at rest and data in transit.

    McAfee | Virtual Network Security Platform (vNSP)

    McAfee vNSP is a next-generation IPS solution architected for AWS and provides an intelligent security solution that discovers and blocks sophisticated threats in the network with unmatched speed, accuracy, and simplicity. Enabled for the most critical AWS Regions, vNSP solution delivers best-in-class enterprise security against sophisticated attacks and enhanced protection for critical workloads.

    Accelerate your ATO by adding McAfee Virtual Network Security Platform (McAfee vNSP) to help identify malicious/anomalous network activity and threats that may otherwise be less detectable with traditional tools. Using this intelligent threat protection platform can accelerate cloud adoption and compliance initiatives such as FedRamp and PCI DSS, and others.

    Red Hat
    Red Hat | OpenShift Container Platform

    Red Hat OpenShift integrates with Amazon Web Services to provide rapid, reliable, and secure development and deployment of applications and other container-based solutions.

    Combining Red Hat OpenShift Container Platform and the AWS Cloud platform gives you a flexible, high-performance application environment that supports modern, digital operations. Built on open source innovation and industry standards, Red Hat OpenShift Container Platform is a comprehensive platform for building and running container-based applications with enterprise-grade Kubernetes. Develop, deploy, and manage traditional and container-based applications seamlessly across physical and AWS Cloud environments—without needing to recode or refactor applications. Speed iteration cycles and innovation with self-service capabilities and automation.

    Red Hat | Ansible

    Red Hat® Ansible® Automation is automation software with hundreds of modules that can automate nearly 100 Amazon Web Services offerings and processes.

    Using Ansible to automate your applications in AWS greatly increases the chances that your cloud initiative will be a success. The breadth of AWS capability enables IT organizations to dynamically provision entire workloads like never before. To harness this power, IT organizations must securely control cloud deployments and reliably migrate existing apps to AWS and Ansible is key automation to doing this reliably. When you deploy an application into AWS, you will soon realize that the cloud is much more than a collection of servers in someone else's data center. You now have a fleet of services available to you to rapidly deploy and scale applications. However, if you continue to manage AWS like just a group of servers, you won’t see the full benefit of your migration to the cloud. Ansible automation can help you manage your AWS environment like a fleet of services instead of a collection of servers.

    SAINT Corporation
    SAINT Corporation | SAINT Security Suite for AWS

    SAINT Security Suite interoperates within your AWS environment to provide comprehensive vulnerability scanning, penetration testing, social engineering, configuration assessment and compliance reporting of AWS workloads in a fully- integrated solution.

    SAINT Security Suite deploys on AWS EC2 instances to perform vulnerability management and compliance reporting of AWS workloads. SAINT cloud formation templates in the ATO for AWS Github repository facilitate ease of deployment and interoperability across ATO for AWS partner solutions to accelerate the process of FedRAMP and PCI compliance.

    TalaTek intelligent Governance and Risk Integrated Solution (TiGRIS)

    The TalaTek intelligent Governance and Risk Integrated Solution (TiGRIS) software-as-a-service (SaaS) manages a customer’s governance, risk, and compliance (GRC) needs for an information system or network throughout its entire life cycle. TiGRIS incorporates the high data privacy and security standards put forth by FISMA + NIST guidance, providing a system of record, facilitating organization-wide monitoring from a single dashboard for one or more regulatory standards such as FISMA, FedRAMP, CSF, and HIPAA.

    Telos Corporation | Xacta

    Cloud security and compliance automation solutions to accelerate secure cloud deployments.

    Xacta speeds cloud compliance with controls inheritance and automation. Stand up cloud-based workloads faster by expediting required approvals; automating risk assessment, remediation, and compliance reporting; leveraging easy-to-use capabilities for accessing, managing, and visualizing compliance data; viewing at-a-glance status of risk and vulnerabilities; and generating enterprise information assurance documentation.

    Trend Micro | Deep Security

    Trend Micro Deep Security consolidates your security tooling and automates protection, simplifying compliance and giving customers the ability to meet and maintain requirements for FedRAMP, NIST, PCI DSS, HIPAA, and more. With Trend Micro and ATO, customers are able to access direct engagement and guidance from AWS compliance specialists and Trend Micro security and automation experts.

    Trend Micro delivers leading cloud native security optimized to automatically protect and scale across platforms, data centers, clouds, and containers, baking security into your CI/CD pipeline and DevOps processes. Build secure, ship fast, and run anywhere with security-as-code, continuous automation, and tools designed to secure applications across your evolving hybrid environment.

    Yubico | External Security Key - YubiKey

    Yubico, the inventor of the YubiKey, sets global standards for affordable, easy to use two-factor authentication that can be used everywhere for secure access to computers, networks, and online services.

    The YubiKey is a hardware authenticator used for two-factor and smart card authentication. With a simple touch, the YubiKey protects access to computers, networks, and online services. Available with a choice of USB-A and USB-C connectors and NFC, AWS IAM and root users can use their YubiKey as a multi-factor authentication (MFA) device to add an extra layer of protection on top of their username and password.

    Zscaler | Zscaler Private Access – Government (Zero Trust Networking – VPN Replacement)

    ZPA-Government enables digital government with Zero Trust Networking. By replacing legacy VPN technology and providing encrypted connections to applications, this solution eliminates the risks introduced by unmanaged devices while reducing the threat of lateral access.

    ZPA-Government is an AWS GovCloud-based service that provides authorized users with secure Zero Trust access to applications hosted on AWS and other destination clouds using a software-defined perimeter, without placing users on the network. Inside-out connectivity ensures applications are “dark” to unauthorized users, eliminating the risks of lateral access, DDoS attacks, and other threats. ZPA-Government replaces VPN technology.

  • FedRAMP Partners