Are you a systems integrator (SI) or a small or mid-size enterprise required to secure Controlled Unclassified Information (CUI) in order to meet NIST 800-171 security requirements? Learn how to simplify and automate compliance for your government customers, and how to architect and document IT workloads to meet NIST 800-171 security requirements in AWS GovCloud (US), Amazon's isolated cloud region built for sensitive data and regulated workloads.
The slides present:
· How to use AWS Enterprise Accelerator for Compliance Quick Start tools to accelerate compliance.
· The steps necessary to modify the security control matrix (SCM) for specific customer workloads.
· AWS tools and techniques to make security and compliance easier, while improving the security posture of your system.
Automating NIST 800-171 Compliance in AWS GovCloud (US)
1. Brett Miller
AWS Envision Engineering Center
brettmi@amazon.com
April 2017
Automating NIST 800-171 Compliance in AWS GovCloud (US) with the NIST Quick Start tool
2. What is NIST SP 800-171?
Per Executive Order 13556, Controlled Unclassified Information, the National Archives and
Records Administration (NARA) issued a Federal regulation, “Controlled Unclassified
Information (CUI),” establishing consistent practices and procedures for safeguarding,
disseminating, controlling, and marking CUI across Executive Branch departments and
agencies. This regulation went into effect November 14, 2016.
In October, the U.S. Department of Defense (DoD) issued two final rules that changed the
DoD Federal Acquisition Regulations Supplement ("DFARS") which require DoD contractors
to provide adequate security to safeguard CUI on their information systems that support the
performance of work under a DoD contract, in accordance with NIST SP 800-171.
NIST SP 800-171 essentially selects the Confidentiality security controls at the Moderate impact
level from NIST SP 800-53 to achieve that objective.
The NIST SP 800-171 requirements are the security controls levied upon contractors and other
non-federal organizations that store or process federal CUI on their own systems; they can be
enforced contractually as part of the new acquisition regulations.
4. CUI example use cases:
• Genomics professor reviewing U.S. population health data for a federally-funded research program at a U.S. university
• Systems Integrator serving a government agency by updating their employee management system housing government employee PII including tax information
• Design engineer working for an aviation manufacturing government contractor updating hardware designs in CAD
• Veterans hospital administrator managing blood type information housed by the hospital's electronic health records platform
5. Shared Responsibility Model
Customers are responsible for how they use AWS components in AWS.
Customer: responsible for security 'in' the Cloud
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity; Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
AWS: responsible for security 'of' the Cloud
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
7. Addressing Customer Compliance Challenges with Standardized Reference Architectures
Challenge: Meeting compliance requirements, e.g., NIST
Solution: Incorporate compliance requirements which can be pre-approved by customer assessment organizations
8. Challenge: Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model
Solution: Incorporate AWS functional and security best practices in the baseline
9. Challenge: Mapping security controls to numerous AWS services
Solution: Pre-document the alignment of AWS best practices with security/compliance requirements
10. Challenge: Error-prone and time-consuming manual configuration of AWS resources
Solution: Create fully automated infrastructure-as-code CloudFormation templates to reduce human error
11. Challenge: Enforcing configuration management of AWS infrastructure over time
Solution: Keep AWS CloudFormation templates under version control and only deploy from the approved repository using approved processes
12. Challenge: The authorization process is time consuming, labor intensive, and delays mission deployments
Solution: Reduce the time necessary to engineer, build, and document security compliance controls
13. How Does AWS Make This Easy?
The Enterprise Accelerator Compliance Quick Start
https://aws.amazon.com/quickstart
18. Reference architecture diagram (labels recovered from the slide): a Production/Development VPC spanning Availability Zone #1 and Availability Zone #2, each zone with Web and App server tiers and an RDS instance, plus RDS Snapshots, Fixed Content and CloudWatch; a Management VPC spanning the same two zones, each with RDP and AD hosts on a Management Network, reached through a Customer Gateway; VPC Peering between the two VPCs; End Users reaching the production VPC from the Internet; CloudTrail Logs and IAM at the account level.
Incorporates Security Features via AWS Best Practices (200+ APIs)
• Users accessing the AWS console can be required to use multi-factor authentication (MFA) with a physical or virtual token
• CloudTrail logs API activity and outputs this logging to an S3 bucket where it can be analyzed with a number of tools
• Users who access or manage AWS resources can be restricted by roles and permissions
• Elastic Load Balancer supports HTTPS and high availability
• S3 supports both SSL and encryption at rest
• ACLs and IAM policies applied to any S3 bucket restrict access to S3 data
• A Network ACL associated with multiple subnets can specify allow/deny ingress and egress rules
• A separate Management VPC isolates all management applications and access, accessible only via Virtual Private Gateway
• Logging can be enabled on S3 buckets to track access and operations
• Private subnets (subnets not routing through a gateway) are not accessible from the Internet
• Each EC2 instance type (web, app) can have a standard security group specified in the Auto Scaling launch configuration
• DB security groups specify that only app instances have access to RDS
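The slide says CloudTrail writes API activity to an S3 bucket "where it can be analyzed with a number of tools" and that console users "can be required" to use MFA. The Python below is an added example (not code from the slides or from the Quick Start) of the simplest such analysis: it parses a CloudTrail log file, reports successful console logins that were made without MFA, and flags calls from an assumed watchlist of posture-changing API names. The log records are constructed to mimic CloudTrail's "Records" layout (account id 123456789012 is a placeholder); the watchlist contents are an assumption.

```python
"""Analyse a CloudTrail log file for console logins without MFA and for
sensitive API calls.

Added example, not code from the slides or from the Quick Start. CloudTrail
delivers gzipped JSON objects to S3 with a top-level "Records" array; the
records below are constructed to mimic that shape and are not real log data.
The watchlist of event names is an assumption for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log file (values made up; 123456789012 is a placeholder account id).
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {"eventTime": "2017-04-03T14:02:11Z", "eventSource": "signin.amazonaws.com",
         "eventName": "ConsoleLogin", "awsRegion": "us-gov-west-1",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "responseElements": {"ConsoleLogin": "Success"},
         "additionalEventData": {"MFAUsed": "Yes"}},
        {"eventTime": "2017-04-03T14:05:47Z", "eventSource": "signin.amazonaws.com",
         "eventName": "ConsoleLogin", "awsRegion": "us-gov-west-1",
         "userIdentity": {"type": "IAMUser", "userName": "bob"},
         "responseElements": {"ConsoleLogin": "Success"},
         "additionalEventData": {"MFAUsed": "No"}},
        {"eventTime": "2017-04-03T14:06:02Z", "eventSource": "s3.amazonaws.com",
         "eventName": "PutBucketAcl", "awsRegion": "us-gov-west-1",
         "userIdentity": {"type": "IAMUser", "userName": "bob"}},
        {"eventTime": "2017-04-03T14:09:30Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-gov-west-1",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws-us-gov:sts::123456789012:assumed-role/Admin/alice"}},
        {"eventTime": "2017-04-03T14:11:05Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "awsRegion": "us-gov-west-1",
         "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    ]
})

# Assumed watchlist: API calls that change the security posture and deserve review.
SENSITIVE_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "AuthorizeSecurityGroupIngress",
    "StopLogging", "DeleteTrail", "CreateNetworkAclEntry",
}


def load_records(log_file_text):
    """Parse one CloudTrail log file (JSON text) into its list of records."""
    return json.loads(log_file_text).get("Records", [])


def principal(record):
    """Best-effort display name of the calling identity (user name, else ARN, else type)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def console_logins_without_mfa(records):
    """Return (principal, eventTime) for successful console logins made without MFA.

    Anything other than an explicit MFAUsed == "Yes" is treated as a finding,
    so a record that lacks additionalEventData is reported rather than ignored.
    """
    findings = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((principal(r), r.get("eventTime")))
    return findings


def sensitive_api_calls(records, watchlist=SENSITIVE_EVENTS):
    """Return (principal, eventName, eventTime) for calls whose eventName is on the watchlist."""
    return [(principal(r), r["eventName"], r.get("eventTime"))
            for r in records if r.get("eventName") in watchlist]


def api_activity_summary(records):
    """Count API calls per principal, keyed by 'eventSource:eventName'."""
    summary = defaultdict(Counter)
    for r in records:
        summary[principal(r)][f"{r.get('eventSource')}:{r.get('eventName')}"] += 1
    return {p: dict(c) for p, c in summary.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for who, when in console_logins_without_mfa(recs):
        print(f"console login without MFA: {who} at {when}")
    for who, event, when in sensitive_api_calls(recs):
        print(f"sensitive call: {event} by {who} at {when}")
    for who, calls in api_activity_summary(recs).items():
        print(who, calls)
```

In a real deployment the same functions would run over every object the trail delivers to the logging bucket (gunzipped first); the "fail closed" choice in `console_logins_without_mfa`, which reports any login that is not explicitly marked `MFAUsed: "Yes"`, is deliberate so that a malformed or truncated record surfaces for review instead of disappearing.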
23. How Does AWS CloudFormation Work?
• By setting up infrastructure through code
Main Stack (main.template) launches the nested stacks:
• IAM Stack (iam.template)
• Logging Stack (logging.template)
• Production VPC Stack (vpc-production.template)
• Management VPC Stack (vpc-management.template)
• Config Rule Stack (config-rules.template)
• NAT Instance Stack (nat-instance.template)
• Application Stack (application.template)
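The slide shows a main template that launches seven nested stacks, which in CloudFormation are `AWS::CloudFormation::Stack` resources whose `TemplateURL` points at the child template in S3 and whose `DependsOn` entries decide creation order. The Python below is an added example (not the Quick Start's own code) that models that layout as a JSON-style template, checks each nested stack for a usable `TemplateURL` and dangling `DependsOn` references, and computes a valid creation order with Kahn's algorithm, failing on a dependency cycle. The stack and template names mirror the slide; the `DependsOn` edges and the `EXAMPLE-BUCKET` URLs are assumptions made for illustration.

```python
"""Validate the nested-stack layout of a Quick Start-style main template and
compute an order in which CloudFormation can create the child stacks.

Added example, not the Quick Start's own code. The stack and template names
mirror the slide; the DependsOn edges and the TemplateURL values are assumptions
made for illustration (EXAMPLE-BUCKET is a placeholder).
"""


def _stack(template_file, depends_on=None):
    """Build one AWS::CloudFormation::Stack resource for the constructed main template."""
    res = {"Type": "AWS::CloudFormation::Stack",
           "Properties": {"TemplateURL": f"https://EXAMPLE-BUCKET.s3.amazonaws.com/templates/{template_file}"}}
    if depends_on:
        res["DependsOn"] = depends_on
    return res


# Constructed main.template (as a Python dict, i.e. the JSON form).
MAIN_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Main stack that launches the nested stacks (constructed example)",
    "Resources": {
        "IamStack": _stack("iam.template"),
        "LoggingStack": _stack("logging.template", ["IamStack"]),
        "ProductionVpcStack": _stack("vpc-production.template"),
        "ManagementVpcStack": _stack("vpc-management.template"),
        "ConfigRulesStack": _stack("config-rules.template", ["LoggingStack"]),
        "NatInstanceStack": _stack("nat-instance.template", ["ProductionVpcStack"]),
        "ApplicationStack": _stack("application.template",
                                   ["IamStack", "ProductionVpcStack", "NatInstanceStack"]),
    },
}


def _depends_on(resource):
    """DependsOn may be a single logical name or a list; normalise to a list."""
    deps = resource.get("DependsOn", [])
    return [deps] if isinstance(deps, str) else list(deps)


def nested_stacks(template):
    """Map logical name -> resource for every AWS::CloudFormation::Stack in the template."""
    return {name: res for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::CloudFormation::Stack"}


def validate(template):
    """Return a list of problems: missing or non-HTTPS TemplateURL, dangling DependsOn."""
    problems = []
    resources = template.get("Resources", {})
    for name, res in nested_stacks(template).items():
        url = res.get("Properties", {}).get("TemplateURL")
        if not url:
            problems.append(f"{name}: missing TemplateURL")
        elif not str(url).startswith("https://"):
            problems.append(f"{name}: TemplateURL should be an HTTPS S3 URL")
        for dep in _depends_on(res):
            if dep not in resources:
                problems.append(f"{name}: DependsOn refers to unknown resource {dep}")
    return problems


def creation_order(template):
    """Topological order of the nested stacks (Kahn's algorithm), smallest name first
    among stacks whose dependencies are satisfied; raises ValueError on a DependsOn cycle."""
    stacks = nested_stacks(template)
    indegree = {name: 0 for name in stacks}
    dependents = {name: [] for name in stacks}
    for name, res in stacks.items():
        for dep in _depends_on(res):
            if dep in stacks:
                indegree[name] += 1
                dependents[dep].append(name)
    ready = sorted(name for name, d in indegree.items() if d == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
                ready.sort()
    if len(order) != len(stacks):
        stuck = sorted(set(stacks) - set(order))
        raise ValueError("cyclic DependsOn among nested stacks: " + ", ".join(stuck))
    return order


if __name__ == "__main__":
    for problem in validate(MAIN_TEMPLATE):
        print("problem:", problem)
    print("create order:", " -> ".join(creation_order(MAIN_TEMPLATE)))
```

CloudFormation itself performs this ordering when the main stack is created, but running the check before deployment (for instance in the version-control pipeline the earlier slide recommends) catches a missing child template URL or a circular `DependsOn` without waiting for a failed stack rollback.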
24. Deployment Guide
Contents:
• Overview of Compliance Framework(s) supported
• AWS Account Prerequisites
• Deployment steps
• Best practices
• How to customize and manage the CloudFormation templates
25. Approximate Control Breakdown based on Enterprise Accelerator NIST SCM
• NIST 800-53 controls expand to 1711 granular requirements
– ~736 = Moderate Confidentiality Controls
– AWS provides:
• ~84 Inherited by AWS FedRAMP ATO
• ~51 addressed by AWS Quick Start architecture (infrastructure layer)
– You provide:
• ~415/525 – Organizational controls (~80%)
• ~110 Application-level technical controls
• Some may be addressed with other AWS services not covered by the AWS Quick Start (ex. MFA, Marketplace partners)
28. Where do I go from here: AWS Compliance Jumpstart Program
Accelerate cloud adoption and save staff time by enabling a NIST compliant cloud architecture with post-workshop Technical Discovery services provided by AWS ProServe.
Contact your AWS Account Manager to learn more and get started!
Project Plan: AWS Compliance Jumpstart (v1.0), scheduled over Day 1 to Day 20. Activities:
• Kick-Off & Introductions
• Discovery of Customer Objectives
• Introduction to AWS
• AWS Security Deep-Dive
• AWS DevOps Deep-Dive
• Compliance Package Deep-Dive
• AWS CloudFormation Deep-Dive
• Technical Discovery
• AWS QuickStart Deployment
• Assist Customer in deploying one Customer-provided 3-tier web app
• Security Controls Matrix Deep-Dive
• Compliance Package deployment to AWS Service Catalog
• (Optional) Telos Xacta Deep Dive
29. Sample Roles & Responsibilities:
• AWS provides:
– Consulting: high-level analysis, design, planning
– Remote and on-site implementation services as agreed upon (Time & Materials)
– AWS is not required to perform any business application development for implementation
• Customer provides:
– Giving AWS access to personnel at prescheduled times. Other resources needed by phase are:
• Workshop: Key Stakeholders like ATO Decision Makers, CISO, CIO and Client SPOC for the entire duration of the engagement
• Technical Discovery: SPOC and ATO representative
• QuickStart/Deployment: Application Owner and SPOC
• Security Control: Security, Application, Infrastructure, Operations resources and SPOC
– Staffing for deploying, testing, and supporting any AWS Content (including but not limited to sample code) provided by AWS
– Granting AWS access to Test Environment, Application Code and Database
– All third-party software required
– Documentation (e.g. application dependencies, compliance requirements) during the discovery phase
Program Details
*See SOW for details and legal limitations and disclaimers. Items listed above are not contractual terms.