Amazon Web Services (AWS) is a widely used cloud platform that allows organizations to leverage the many benefits of the cloud. They can choose from more than 200 services to move to a cloud infrastructure to lower costs, become more agile, and accelerate the pace of innovation.
But for U.S. federal agencies to use AWS services, these services must first be approved by FedRAMP – the set of standards that lets U.S. government agencies assess, adopt, and use cloud services (including AWS) in an expedited fashion.
This article takes a deep dive into FedRAMP and AWS services. If you’re part of a government agency and need more information about AWS and its FedRAMP status, read on!
What Is FedRAMP?
Established in 2011, the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security and risk assessment for cloud technologies and federal agencies.
This cloud compliance program acts as a seal of approval for cloud-based service providers. It establishes transparent standards and processes to assess the security authorization for cloud products and services, so that government agencies can begin using approved cloud providers more quickly.
It standardizes security requirements and authorizations for cloud services per FISMA and the Federal Cloud Computing Strategy. The program also uses the NIST Special Publication 800 series that help address the security requirements of information systems for the U.S. federal government.
FedRAMP standards and their implementation are governed by:
- Office of Management and Budget (OMB)
- U.S. General Services Administration (GSA)
- U.S. Department of Homeland Security (DHS)
- U.S. Department of Defense (DoD)
- National Institutes of Standards & Technology (NIST)
- Federal Chief Information Officers (CIO) Council
Why Is FedRAMP Important?
FedRAMP provides a cost-effective, risk-based approach for the whole federal government to adopt and use cloud services. It uses NIST and Federal Information Security Management Act (FISMA)-defined standards to bring consistency into security authorizations for cloud solutions.
FedRAMP also creates a more transparent business environment between federal agencies and Cloud Service Providers (CSPs), promotes innovation in cloud computing technologies, and establishes confidence in the security of CSP offerings.
Without FedRAMP, each government agency would need to undertake its own laborious process to review cloud-based providers. That would drive up costs, slow adoption, and let a host of other inefficiencies endure – all for no good reason.
To Whom Does FedRAMP Apply?
FedRAMP compliance is mandatory for all U.S. federal agencies and their cloud deployments at the low-, moderate-, and high-risk impact levels. They must use the FedRAMP process for the security assessments, authorizations, and continuous monitoring of Cloud Service Offerings (CSOs).
CSPs looking to offer their services to the U.S. government must prove FedRAMP compliance. They must also complete an independent security assessment by a third-party assessment organization (3PAO) to show that received authorizations are FISMA-compliant.
The FedRAMP Compliance Process for CSPs Such as AWS
FedRAMP specifies these requirements for CSPs to achieve compliance:
- A U.S. federal agency has granted the CSP the Authority to Operate (ATO); or
- The Joint Authorization Board (JAB) has granted a Provisional Authority to Operate (P-ATO);
- System security packages use the established standard FedRAMP templates;
- An approved 3PAO must assess the CSP;
- The completed security assessment package must be posted in the FedRAMP secure repository.
The ATO is a formal declaration by the JAB or a federal agency. It authorizes the use of a CSO and explicitly accepts the risk of using the CSO. The JAB is the main FedRAMP decision-making body, comprising representatives from the Defense Department, Department of Homeland Security, and the General Services Administration (GSA).
The P-ATO is an initial approval of the CSP’s authorization package by the JAB. Federal agencies can review the P-ATO and grant an ATO to the CSP to use their CSO.
CSPs can obtain the FedRAMP ATO/P-ATO in two ways:
JAB authorization
The CSP will achieve the P-ATO directly from the JAB. But first, a FedRAMP-accredited 3PAO will assess it, and the FedRAMP project management office (PMO) will review it.
Agency authorization
Alternatively, a CSP can receive an ATO after a customer agency reviews the CSP’s offering. The FedRAMP project management office will also review it.
Once authorized, a CSP will get listed on FedRAMP’s marketplace. Three listing designations are available:
- FedRAMP-ready. A 3PAO attests to a CSP’s readiness for the authorization process.
- In process. For CSPs that are working toward a FedRAMP authorization.
- Authorized. The CSP has successfully completed the FedRAMP authorization process.
Does AWS Have FedRAMP ATO?
The short answer is no, AWS as a single entity does not have FedRAMP ATO – because that’s not how the FedRAMP program was designed to work.
FedRAMP operates by granting a P-ATO for a cloud service provider. Individual federal agencies then review that P-ATO and issue their own authorization (that is, their own ATO) to use the cloud service provider. This process applies to all providers, including AWS.
Hence AWS services don’t automatically get a single ATO. That said, many individual AWS services have achieved the FedRAMP P-ATO. These are explored in detail in the next section.
AWS Services With FedRAMP Approval
Rather than say that AWS is FedRAMP-certified, it’s more accurate to say that numerous AWS offerings are FedRAMP-approved (P-ATO). As of February 2022, more than 200 AWS services were FedRAMP-approved.
Of those 200+ services, 111 were authorized for use by federal agencies in the AWS U.S. east/west regions under FedRAMP moderate authorization, and 91 achieved P-ATO for the AWS GovCloud (U.S.) regions under FedRAMP high authorization.
Some of the key FedRAMP-authorized services are described below:
Amazon Detective
Amazon Detective helps a business to analyze and investigate cloud security issues or suspicious activities. It automatically collects log data from multiple AWS resources such as Virtual Private Cloud (VPC) Flow Logs and Amazon GuardDuty. It then presents a unified view of findings so investigators can find the underlying root cause of security issues.
Amazon FSx for Lustre and Amazon FSx for Windows File Server
Amazon FSx for Lustre and Amazon FSx for Windows File Server are both managed services for shared storage, built on the Lustre and Windows file systems, respectively. These AWS offerings help organizations to accelerate compute workloads with sub-millisecond latencies, potentially hundreds of GBps of throughput, and millions of IOPS.
Amazon Macie
Amazon Macie is a fully managed data security and data privacy service to discover and protect sensitive data in AWS. It uses machine learning and pattern matching to identify sensitive data buckets and raises alerts so organizations can take the necessary remediation actions.
Amazon Elastic Kubernetes Service (EKS)
Amazon EKS is a managed container service to start, run, and scale Kubernetes applications in AWS. With this service, organizations can manage their Kubernetes clusters, create auto-scaled applications, and model machine learning workflows to run distributed training jobs.
Amazon Cognito
Amazon Cognito allows enterprise users to quickly add user sign-up, sign-in, and access control to their web and mobile apps. The service supports sign-in with multiple social identity providers and provides a secure identity store that can scale to millions of users at a time.
It also supports multiple identity and access management standards, multi-factor authentication, and the encryption of data-at-rest and data-in-transit.
The list of FedRAMP-approved AWS services is constantly growing and listed on the FedRAMP marketplace. AWS also offers the Authority to Operate (ATO) on AWS Program to help AWS Partners satisfy their customers’ authorization needs.
Does AWS Have FedRAMP-High Approval?
FedRAMP grants ATO and P-ATO to CSPs at three impact levels: low, medium, and high. The low-impact level is for offerings where the loss of data confidentiality, integrity, and availability (CIA) would have only limited harm on a federal agency’s operations or assets.
About 80 percent of FedRAMP authorization applications fall under the moderate-risk category. It is suitable for CSOs where the loss of CIA could have a serious adverse impact on a customer agency’s operations.
The high-impact risk level applies to the government’s most sensitive data (such as healthcare or financial) in the cloud. The loss of its CIA could have a catastrophic effect on the agency. All cloud service providers, including AWS, must align their offerings to the correct risk impact level before pursuing FedRAMP authorization.
In 2016, AWS GovCloud (U.S.) received a P-ATO under FedRAMP’s high baseline. Since then, many AWS CSOs have achieved FedRAMP high authorization. These include:
Manage FedRAMP Compliance with Reciprocity ZenComply
ZenComply is an integrated platform to simplify FedRAMP compliance and audit management. With ZenComply and its single system of record, organizations can keep up with regulatory changes. They can also eliminate tedious manual processes to meet all their compliance requirements.
ZenComply facilitates continuous compliance monitoring and automates the audit process. It also provides complete visibility into the enterprise FedRAMP compliance program. Schedule a demo to see how ZenComply can help you set up a successful FedRAMP compliance program.