Security is your number one priority, and it is ours too. With customers around the world across all industries, it is our top priority to ensure that the underlying cloud infrastructure is secure and compliant. This presentation addresses our shared security responsibility model, specific compliance requirements such as FedRAMP and the DISA/DoD Cloud Security Model, and details the specific AWS compliance programs that support our customers in these compliance environments.
Federal Compliance Deep Dive: FISMA, FedRAMP, and Beyond - AWS Symposium 2014 - Washington D.C.
1. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Federal Compliance Deep Dive: AWS Public Sector Security Assurance Programs
Chris Gile, Senior Manager, AWS Risk and Compliance
cgile@amazon.com
2. Shared Security Responsibility
• AWS and customers both have security/compliance obligations
• Logical assessment and accreditation boundaries
Managed by AWS ("Compliance of the Cloud"): Cloud Service Provider Controls, i.e. cross-service controls and service-specific controls
Managed by Customer ("Compliance in the Cloud"): Optimized Network/OS/App Controls
3. AWS FedRAMP Program
• AWS has two Agency ATOs granted by HHS; the assessment was reviewed by HHS, FDA, CDC, and NIH, covering:
– All AWS US Regions (US East/West and GovCloud (US))
– EC2, S3, EBS, VPC, IAM
– New: Amazon Redshift (US East/West only)
• Assessed against all FedRAMP-Moderate controls
• Agency ATO packages have reciprocity with federal agencies
• AWS will directly field FedRAMP package requests; agencies can still request the AWS FedRAMP package from the FedRAMP PMO
– AWS provides customers a FedRAMP SSP Template, an inherited/shared control matrix, and the FedRAMP package
cloud.cio.gov/fedramp/amazon
4. Building Solutions on AWS
• Partners and agencies can leverage the FedRAMP-compliant AWS infrastructure
• AWS’s FedRAMP package covers the AWS infrastructure and the underlying management of services
• A partner’s FedRAMP package includes the inherited controls; the shared controls document the partner’s application/service built on AWS
• To support partners we can provide:
– Partner FedRAMP package: ATO letters, CIS spreadsheet, FIPS 199, etc.
– SSP Template: pre-populated with inherited control language and guidance on completing shared controls
– ATO letters as stand-alone documents
– Support: Security Solutions Architects, Security Assurance Architects, Professional Services
5. AWS Documentation Support
• The AWS package is specific to the AWS infrastructure
• The partner’s package is specific to the partner’s application or managed services
• Inherited vs. shared controls
6. AWS DoD CSM Program
• 2/6/14 Provisional Authorization for Levels 1-2
• DISA-managed Cloud Security Model (CSM)
• 70 additional control enhancements overlaid on FedRAMP Moderate
• Partners have achieved MAC II Sensitive DIACAP ATOs
7. Certifications & Compliance
• AWS Environment
– SOC 1/2/3
– ISO 27001 Certification
– Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
– FedRAMP (up to Moderate)
– AWS GovCloud (US) – ITAR compliant region
• Customers have deployed various compliant applications
– Sarbanes-Oxley (SOX)
– HIPAA (healthcare)
– FISMA/FedRAMP (US Federal Government)
– DIACAP – up to MAC II Sensitive
– International Traffic in Arms Regulations (ITAR)
8. Customer Resources
• Whitepapers
– Risk & Compliance Whitepaper
– Overview of Security Processes
– “Security at Scale” series: Governance in AWS; Logging in AWS
• Template
– FedRAMP SSP Template
• Workbooks
– FISMA-High
– CJIS
9. Other Compliance Programs
• FISMA-High
– Workbook available for partners under NDA
– 84 additional control enhancements: 21 inherited, 54 shared, 9 customer
• CJIS Workbook
– Available under NDA
– 121 security requirements: 10 inherited, 87 shared, and 24 customer-responsible requirements
• Both are partner-based approaches to build a portfolio of authorizations
10. AWS Compliance & Security Centers
• Answers to many security and compliance questions
• Security whitepaper
• Risk and Compliance whitepaper
• Overview of Security Processes whitepaper
• “Security at Scale” whitepaper series
• Security bulletins
• Customer penetration testing requests
• Security best practices
• Request more information by contacting us
aws.amazon.com/security
aws.amazon.com/compliance
11. Additional AWS Security & Compliance References
• https://aws.amazon.com/security
• https://aws.amazon.com/compliance
• https://aws.amazon.com/compliance/#whitepapers
• https://aws.amazon.com/compliance/fedramp-faqs
• https://aws.amazon.com/govcloud-us
• https://aws.amazon.com/documentation
• https://aws.amazon.com/iam
awscompliance@amazon.com
12. Questions?
13. Thank You
Chris Gile
cgile@amazon.com