FedRAMP High & AWS GovCloud (US): FISMA High Requirements

Post on 22-Mar-2017


© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

FedRAMP High & AWS GovCloud (US): FISMA High Requirements in the Cloud

AWS Cloud adoption in the Public Sector

Government agencies: 2,300

Education institutions: 7,000

Nonprofit organizations: 22,000

AWS global infrastructure

13 Regions

35 Availability Zones

56 Edge Locations

AWS GovCloud (US) is an isolated AWS region

Intended for customers with strict regulatory and compliance requirements and sensitive data or workloads

August 2011: Available to qualified customers

Compliance: Safeguard sensitive data/systems

Addresses multiple US Government regulations and security requirements

Various types of enterprises use GovCloud

US Government (Federal, state, and local)

Consulting firms and systems integrators

Technology firms and ISVs

Education institutions

Research organizations

Regulated industries (Aerospace, Defense, Energy, Manufacturing, Healthcare)

Nonprofit organizations

Managed service providers

Example workloads customers run on GovCloud

Web applications and websites

Backup and recovery

Archiving

Disaster recovery

Development and test

Big data

High-performance computing

Business/mission critical systems

Enterprise IT

Mobile

Fit for Controlled Unclassified Information (CUI)

Agriculture

Copyright

Critical infrastructure

Export control

Financial

Immigration

Intelligence

Law enforcement

Legal

Nuclear

Patent

Privacy (PII)

Proprietary (IP)

Statistical (census)

Tax

Transportation

Many customers use GovCloud for all categories of CUI

GovCloud is all about “compliance in the cloud”

NIST SP 800-53 (rev. 4) and SP 800-171

AWS GovCloud (US) FedRAMP High JAB P-ATO

Announced June 23, 2016 by the FedRAMP PMO; allows Government agencies to leverage the AWS Cloud for highly sensitive workloads and meet FISMA High requirements.

High Baseline


US Government IA Policy Framework

Congress passes FISMA as part of the 2002 eGov Act (the eGov Act of 2002 includes the Federal Information Security Management Act, FISMA)

OMB A-130; FIPS 199, FIPS 200; NIST SP 800-37, 800-137, 800-53

OMB A-130 provides policy, NIST provides the risk management framework

Agency ATO: agencies leverage the RMF process, heads of agencies review packages and risk, accept risk and grant ATOs

Source: FedRAMP PMO (modified)

Risk Management Framework (figure; source: NIST SP 800-53 Rev. 4)

NIST Special Publication 800-53 rev. 4

• Control specification

• Supplemental Guidance

• Control Enhancements

• Baseline Alignment

However…

“Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation.”

For example, the organization-defined assignments in control enhancement IA-5(1), password-based authentication, which the tailored baseline must fill in:

• Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];

• Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];

• Prohibits password reuse for [Assignment: organization-defined number] generations.
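As an added illustration of what filling in these assignments means on AWS (example code written for this page, not from the deck, AWS or FedRAMP), the Python below takes a constructed copy of the object IAM GetAccountPasswordPolicy returns and reports, item by item, whether an account password policy meets assumed tailored values. It also flags the two IA-5(1) items (minimum changed characters, minimum password lifetime) that the IAM account password policy cannot express at all, so they are documented as gaps needing a compensating control rather than silently passed. The tailored numbers, both sample policies and the `check_password_policy` / `iam_policy_parameters` helpers are this example's own assumptions.

```python
"""Check an AWS IAM account password policy against tailored IA-5(1) values.

Added example: not code from the deck, from AWS or from FedRAMP. The
tailored numbers and both sample policies below are constructed for
illustration; an agency's SSP would carry its own assignment values.
"""
from typing import Dict, List, Tuple

# Organization-defined assignments for the IA-5(1) items quoted above
# (assumed values, chosen only for this example).
TAILORED_IA5_1 = {
    "min_length": 14,          # length component of IA-5(1)(a) complexity
    "changed_characters": 1,   # IA-5(1)(b): no IAM setting exists for this
    "min_lifetime_days": 1,    # IA-5(1)(d) minimum: no IAM setting exists
    "max_lifetime_days": 60,   # IA-5(1)(d) maximum
    "reuse_generations": 24,   # IA-5(1)(e); 24 is the IAM maximum
}

# Constructed samples shaped like the PasswordPolicy object returned by
# IAM GetAccountPasswordPolicy (same field names and types).
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,        # MaxPasswordAge is absent when False
    "PasswordReusePrevention": 3,
    "HardExpiry": False,
}
HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 60,
    "PasswordReusePrevention": 24,
    "HardExpiry": True,
}

Finding = Tuple[str, str, str]  # (control item, PASS/FAIL/NOT_ENFORCEABLE, detail)


def check_password_policy(policy: Dict, tailored: Dict = TAILORED_IA5_1) -> List[Finding]:
    """Return one finding per IA-5(1) item so every gap ends up in the SSP."""
    out: List[Finding] = []

    # IA-5(1)(a): IAM expresses complexity as four character-class flags plus length.
    classes = ("RequireSymbols", "RequireNumbers",
               "RequireUppercaseCharacters", "RequireLowercaseCharacters")
    missing = [c for c in classes if not policy.get(c, False)]
    length = policy.get("MinimumPasswordLength", 6)  # IAM default is 6
    ok = not missing and length >= tailored["min_length"]
    out.append(("IA-5(1)(a)", "PASS" if ok else "FAIL",
                f"length {length} (need {tailored['min_length']}), missing classes {missing}"))

    # IA-5(1)(b): IAM cannot count changed characters; a compensating control is needed.
    out.append(("IA-5(1)(b)", "NOT_ENFORCEABLE",
                f"no IAM setting for {tailored['changed_characters']} changed character(s)"))

    # IA-5(1)(d): IAM enforces a maximum age only when expiry is on; it has no minimum age.
    max_age = policy.get("MaxPasswordAge") if policy.get("ExpirePasswords") else None
    ok = max_age is not None and max_age <= tailored["max_lifetime_days"]
    out.append(("IA-5(1)(d) max", "PASS" if ok else "FAIL",
                f"MaxPasswordAge {max_age} (need <= {tailored['max_lifetime_days']})"))
    out.append(("IA-5(1)(d) min", "NOT_ENFORCEABLE",
                f"no IAM minimum lifetime; tailored value {tailored['min_lifetime_days']} day(s)"))

    # IA-5(1)(e): reuse prevention, capped by IAM at 24 generations.
    reuse = policy.get("PasswordReusePrevention", 0)
    ok = reuse >= min(tailored["reuse_generations"], 24)
    out.append(("IA-5(1)(e)", "PASS" if ok else "FAIL",
                f"PasswordReusePrevention {reuse} (need {tailored['reuse_generations']})"))
    return out


def failing_items(findings: List[Finding]) -> List[str]:
    """Control items whose IAM setting contradicts the tailored value."""
    return [item for item, status, _ in findings if status == "FAIL"]


def iam_policy_parameters(tailored: Dict = TAILORED_IA5_1) -> Dict:
    """Keyword arguments for boto3 iam.update_account_password_policy() that
    implement the enforceable items; the two NOT_ENFORCEABLE items have no
    parameter here and must be covered by a compensating control."""
    return {
        "MinimumPasswordLength": tailored["min_length"],
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "MaxPasswordAge": tailored["max_lifetime_days"],  # setting this turns expiry on
        "PasswordReusePrevention": min(tailored["reuse_generations"], 24),
    }


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name)
        for item, status, detail in check_password_policy(pol):
            print(f"  {item:<16}{status:<16}{detail}")
    # Applying it in the GovCloud partition would be, with GovCloud credentials:
    # boto3.client("iam", region_name="us-gov-west-1").update_account_password_policy(**iam_policy_parameters())
    print(iam_policy_parameters())
```

The point of the NOT_ENFORCEABLE status is that a tailored baseline is only as good as the evidence behind it: the two items IAM cannot express still have to be satisfied (or risk-accepted) somewhere in the authorization package, and a check that reports only PASS/FAIL would hide that.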

Cloud complicates this approach


Problem: a duplicative, inconsistent, time-consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.

Solution: FedRAMP

• Uniform risk management approach

• Standard set of approved, minimum security controls (FISMA Low, Moderate, and High Impact)

• Consistent assessment process

• Provisional ATO

Source: FedRAMP PMO (Modified)

What is FedRAMP?


FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.

Source: FedRAMP PMO

FedRAMP Policy Framework

Congress passes FISMA as part of the 2002 eGov Act (the eGov Act of 2002 includes the Federal Information Security Management Act, FISMA)

OMB A-130; FIPS 199, FIPS 200; NIST SP 800-37, 800-137, 800-53

OMB A-130 provides policy, NIST provides the risk management framework

FedRAMP Security Requirements: FedRAMP builds upon the NIST SPs, establishing common cloud computing baseline requirements

Agency ATO: agencies leverage the FedRAMP process, heads of agencies review packages and risk, accept risk and grant ATOs

Source: FedRAMP PMO

FedRAMP High

June 23, 2016: AWS received a P-ATO from the FedRAMP JAB

421 Baseline Controls

Highly sensitive workloads (PII, financial data, CUI, etc.)

Covers five core AWS services

“The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals” - FIPS 199

FedRAMP High

Why is this such a big deal?

Chart: share of Federal information, and of the $80B Federal IT budget, categorized Low/Moderate versus High (Source: FedRAMP PMO)

So, FedRAMP authorizes workloads on AWS?

No… Agencies authorize. Authorizations cover specific services and boundaries.

Once one agency authorizes a workload, all agencies can use it?

No… Each agency is responsible for ATO issuance. Outputs are reusable, but the risk assessment is individual.

But what happens if a service isn’t authorized?

AWS FedRAMP assets for customers

For US Government Agencies:

• AWS FedRAMP High Package

• Monthly Continuous Monitoring Reviews

For AWS Customers and Partners:

• Partner Package for FedRAMP High

For Everyone:

• AWS Partner Ecosystem

• AWS Professional Services

• Enterprise Accelerators for Compliance (AWS QuickStarts)

• Whitepapers

Getting started with AWS GovCloud (US)

Visit https://aws.amazon.com/govcloud-us/getting-started to learn about access requirements and begin using GovCloud

Resellers contact your AWS business representative to get started

Learn more about AWS GovCloud (US)

AWS GovCloud (US) webpage: https://aws.amazon.com/govcloud-us/

AWS GovCloud (US) User Guide: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html

AWS Cloud Compliance: https://aws.amazon.com/compliance/

AWS NIST Quick Start Reference Deployment: https://aws.amazon.com/professional-services/enterprise-accelerators/

Thank You.
