The document discusses AWS GovCloud (US), a region intended for customers with strict regulatory requirements. It received a FedRAMP High authorization in June 2016, allowing federal agencies to run highly sensitive workloads in the cloud. FedRAMP establishes a standardized approach for security assessment and authorization of cloud services, reducing redundant work. The authorization allows agencies to leverage existing authorizations rather than each conducting their own security reviews.
4. AWS GovCloud (US) is an isolated AWS region
Intended for customers with strict regulatory and compliance requirements and sensitive data or workloads
Launched August 2011; available to qualified customers
Compliance: safeguards sensitive data and systems; addresses multiple US Government regulations and security requirements
5. Various types of enterprises use GovCloud
US Government (federal, state, and local)
Consulting firms and systems integrators
Technology firms and ISVs
Education institutions
Research organizations
Regulated industries (aerospace, defense, energy, manufacturing, healthcare)
Nonprofit organizations
Managed service providers
6. Example workloads customers run on GovCloud
Web applications and websites
Backup and recovery
Archiving
Disaster recovery
Development and test
Big data
High-performance computing
Business/mission critical systems
Enterprise IT
Mobile
7. Fit for Controlled Unclassified Information (CUI)
CUI categories: Agriculture, Copyright, Critical infrastructure, Export control, Financial, Immigration, Intelligence, Law enforcement, Legal, Nuclear, Patent, Privacy (PII), Proprietary (IP), Statistical (census), Tax, Transportation
Many customers use GovCloud for all categories of CUI
8. GovCloud is all about "compliance in the cloud"
NIST SP 800-53 (rev. 4) and NIST SP 800-171
9. AWS GovCloud (US) FedRAMP High JAB P-ATO
Announced June 23, 2016 by the FedRAMP PMO. A provisional ATO at the High baseline allows government agencies to leverage the AWS Cloud for highly sensitive workloads and meet FISMA High requirements.
10. US Government IA Policy Framework
Congress passes FISMA (the Federal Information Security Management Act) as part of the eGov Act of 2002
OMB A-130 provides policy; NIST provides the risk management framework (FIPS 199, FIPS 200, NIST SP 800-37, 800-137, 800-53)
Agencies leverage the RMF process: heads of agencies review packages and risk, accept risk, and grant agency ATOs
Source: FedRAMP PMO (modified)
12. NIST Special Publication 800-53 rev. 4
• Control specification
• Supplemental Guidance
• Control Enhancements
• Baseline Alignment
13. However…
"Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation."
Example of organization-defined parameters (NIST SP 800-53 rev. 4, control enhancement IA-5(1), excerpt):
• Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
• Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
• Prohibits password reuse for [Assignment: organization-defined number] generations
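The three IA-5(1) items above only become enforceable once the organization fills in the assignments. The following is an added example (not code from the slides, AWS, or NIST) of a password-change checker that enforces them; the parameter values (8 changed characters, 1-day minimum and 60-day maximum lifetime, 24 generations), the record layout, and the function names are assumptions chosen for illustration. Two practical points it makes: the "changed characters" rule can only be evaluated when the old plaintext is still available, i.e. at change time, and the reuse rule has to be checked against stored salted hashes rather than plaintext. Edit distance is used as the measure of changed characters.

```python
"""IA-5(1)(b), (d), (e) password-change checks. Added example; all
parameter values below are assumed organization-defined assignments."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed organization-defined values (NIST leaves these as [Assignment: ...]).
MIN_CHANGED_CHARS = 8               # IA-5(1)(b)
MIN_LIFETIME = timedelta(days=1)    # IA-5(1)(d) lifetime minimum
MAX_LIFETIME = timedelta(days=60)   # IA-5(1)(d) lifetime maximum
REUSE_GENERATIONS = 24              # IA-5(1)(e)

PBKDF2_ROUNDS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this is stored, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    history: List[PasswordRecord] = field(default_factory=list)  # oldest first

    def current(self) -> Optional[PasswordRecord]:
        return self.history[-1] if self.history else None


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used as the count of changed characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_change(account: Account, old_plain: str, new_plain: str, now: datetime) -> List[str]:
    """Return violation codes for a proposed change; an empty list means allowed.
    Codes: bad_current, changed_chars, min_lifetime, reuse."""
    violations = []
    cur = account.current()
    if cur is not None:
        # The user must prove the current password; that is also the only
        # moment the plaintext exists to count changed characters against.
        if not hmac.compare_digest(_digest(old_plain, cur.salt), cur.digest):
            return ["bad_current"]
        if levenshtein(old_plain, new_plain) < MIN_CHANGED_CHARS:
            violations.append("changed_chars")
        if now - cur.set_at < MIN_LIFETIME:
            violations.append("min_lifetime")
    # Reuse is checked against the last N stored hashes, each with its own salt.
    for rec in account.history[-REUSE_GENERATIONS:]:
        if hmac.compare_digest(_digest(new_plain, rec.salt), rec.digest):
            violations.append("reuse")
            break
    return violations


def is_expired(account: Account, now: datetime) -> bool:
    """Maximum-lifetime side of IA-5(1)(d)."""
    cur = account.current()
    return cur is not None and now - cur.set_at > MAX_LIFETIME


def set_password(account: Account, new_plain: str, now: datetime) -> None:
    """Append a new generation; caller is expected to have run check_change."""
    salt = os.urandom(16)
    account.history.append(PasswordRecord(salt, _digest(new_plain, salt), now))
```

Note that a managed service's native password policy will typically cover only some of these assignments. The AWS IAM account password policy, for example, exposes maximum password age and reuse prevention but has no minimum-lifetime or changed-character setting, so an organization that assigns values to those parameters has to meet them through the identity provider it federates from or document a compensating control in its tailoring.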
14. Cloud complicates this approach
Problem:
• A duplicative, inconsistent, time-consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
Solution: FedRAMP
• Uniform risk management approach
• Standard set of approved, minimum security controls (FISMA Low, Moderate, and High impact)
• Consistent assessment process
• Provisional ATO
Source: FedRAMP PMO (modified)
15. What is FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
This approach uses a "do once, use many times" framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Source: FedRAMP PMO
16. FedRAMP Policy Framework
Congress passes FISMA (the Federal Information Security Management Act) as part of the eGov Act of 2002
OMB A-130 provides policy; NIST provides the risk management framework (FIPS 199, FIPS 200, NIST SP 800-37, 800-137, 800-53)
FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing common cloud computing baseline requirements
Agencies leverage the FedRAMP process: heads of agencies review packages and risk, accept risk, and grant agency ATOs
Source: FedRAMP PMO
17. FedRAMP High
June 23, 2016: AWS received a P-ATO from the FedRAMP JAB
421 baseline controls
Highly sensitive workloads (PII, financial data, CUI, etc.)
Covers five core AWS services
"The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals."
- FIPS 199 (definition of High impact)
18. FedRAMP High
Why is this such a big deal?
(Chart: share of federal information, and of the $80B federal IT budget, categorized as Low/Moderate versus High impact)
Source: FedRAMP PMO
19. So, FedRAMP authorizes workloads on AWS?
No. Agencies authorize. Authorizations cover specific services and boundaries.
Once one agency authorizes a workload, can all agencies use it?
No. Each agency is responsible for its own ATO issuance. Assessment outputs are reusable, but the risk acceptance is individual to each agency.
21. AWS FedRAMP assets for customers
For US Government Agencies:
• AWS FedRAMP High Package
• Monthly Continuous Monitoring Reviews
For AWS Customers and Partners:
• Partner Package for FedRAMP High
For Everyone:
• AWS Partner Ecosystem
• AWS Professional Services
• Enterprise Accelerators for Compliance (AWS QuickStarts)
• Whitepapers
22. Getting started with AWS GovCloud (US)
Visit https://aws.amazon.com/govcloud-us/getting-started to
learn about access requirements and begin using GovCloud
Resellers contact your AWS business representative to get started
23. Learn more about AWS GovCloud (US)
AWS GovCloud (US) webpage
https://aws.amazon.com/govcloud-us/
AWS GovCloud (US) User Guide
http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html
AWS Cloud Compliance
https://aws.amazon.com/compliance/
AWS NIST Quick Start Reference Deployment
https://aws.amazon.com/professional-services/enterprise-accelerators/