FedRAMP is the short-hand name for the Federal Risk and Authorization Management Program, which the U.S. federal government uses to assess the security of cloud-based vendors and service providers. If a company wants to provide technology services to federal agencies, and delivers those services via the cloud, that company must hold a FedRAMP authorization. (FedRAMP issues authorizations, not certifications, although "FedRAMP-certified" is common shorthand.)
To assess the security of such vendors, FedRAMP uses the security controls of the National Institute of Standards and Technology (NIST) Special Publication 800 series (chiefly SP 800-53), and mandates that cloud service providers undergo an independent security assessment by a Third-Party Assessment Organization (3PAO).
Since so many cloud service providers (CSPs) rely on Amazon Web Services to at least some extent, the question arises of whether AWS is FedRAMP-compliant. This article aims to answer that question.
What Is FedRAMP?
FedRAMP is a U.S. government program established to provide a standardized approach to the security assessment, authorization process, and continuous monitoring of cloud products and services, so that federal agencies can adopt secure cloud solutions.
The governing bodies of the FedRAMP program include the following government agencies:
- The Office of Management and Budget (OMB).
- General Services Administration (GSA).
- U.S. Department of Homeland Security (DHS).
- U.S. Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the Federal Chief Information Officers Council.
CSPs that want to offer their Software-as-a-Service (SaaS) solutions and other cloud services to federal agencies must demonstrate that they meet FedRAMP requirements and obtain an authorization.
The FedRAMP program, which uses the NIST SP 800 cybersecurity standards as its framework, requires that each CSP receive an independent security assessment by a Third-Party Assessment Organization (3PAO), so that the resulting authorization is backed by evidence that the service meets the requirements of the Federal Information Security Management Act (FISMA).
What Is AWS?
Amazon's cloud computing platform, Amazon Web Services (AWS), is extensive and constantly expanding. It combines Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and packaged Software-as-a-Service (SaaS) products. An enterprise can take advantage of AWS offerings by purchasing resources such as computing power, database storage, and content delivery services.
For businesses and software developers, AWS provides a wide range of tools and services, delivered from its own data centers to customers in as many as 190 countries. AWS services are available to organizations of every kind, including governmental bodies, academic institutions, nonprofits, and for-profit businesses.
Is AWS FedRAMP-Certified?
Yes. AWS GovCloud (U.S.) and the AWS US East/West Regions have held FedRAMP authorizations since 2013.
At that time, each of those AWS regions received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under FedRAMP requirements at the Moderate impact level.
The FedRAMP program assures that the proper level of information security is in place when federal agencies access the offerings of Cloud Service Providers (CSPs).
Is AWS GovCloud ‘FedRAMP High’?
FedRAMP authorizations are granted at three impact levels: Low, Moderate, and High. The impact level determines which types of federal data a CSP is permitted to process, store, and transmit.
These levels, taken from FIPS 199, rank the harm that a loss of confidentiality, integrity, or availability of the data could cause an organization. A Low impact system is one where such a loss would have a limited adverse effect (say, because the data is not confidential); Moderate means a serious adverse effect; and High means a severe or catastrophic effect.
To pursue the appropriate authorization baseline, a CSP must align each cloud service offering to an impact level. Simply put: the more sensitive the data you handle, the worse the harm a breach would cause, and so the more controls you must have in place to meet the baseline for that impact level.
AWS GovCloud (U.S.) holds a Joint Authorization Board Provisional Authority-to-Operate (JAB P-ATO) and numerous agency authorizations at the High impact level.
AWS GovCloud (U.S.) is an isolated AWS region established to host sensitive data and regulated workloads in the cloud. AWS GovCloud (U.S.) helps customers support their federal government compliance requirements, including FedRAMP and the International Traffic in Arms Regulations (ITAR).
AWS' FedRAMP High authorization covers more than 400 security controls. It allows federal agencies to use the AWS Cloud for highly sensitive workloads, including sensitive patient records, financial data, and law enforcement data.
In addition, the AWS US East/West Regions have been granted a JAB P-ATO and multiple Agency Authorizations (A-ATO) at the Moderate impact level. Note that an AWS authorization covers the AWS services within its boundary, not the customer's own application; a CSP building on AWS still needs its own FedRAMP authorization for the service it offers to agencies.
More than 2,000 government agencies and organizations that provide systems integration and other services to governmental agencies use AWS. These organizations include the U.S. Department of State, the U.S. Food and Drug Administration, and the Centers for Disease Control and Prevention.
Manage FedRAMP Compliance with ROAR
Keeping your business and data secure as the pace of technological innovation keeps accelerating is no easy task. The Reciprocity ROAR® Platform is an intuitive, simple-to-use platform that follows your processes and allows you to identify high-risk areas before those risks become genuine threats.
Using artificial intelligence and machine learning, ROAR can help you create a thorough security and compliance program, detect your coverage gaps, and provide customized solutions so that you can fill those gaps.
We developed ROAR to make it easier for your chief information security officer (CISO), security analyst, or other cybersecurity experts to satisfy regulatory demands and create a robust security program that guards against cyberattacks and makes information protection possible. In addition, the approach to risk management is anxiety-free!
Schedule a demo to learn more about how ROAR may be your information security solution.