Federal Risk and Authorization Management Program (FedRAMP)
Overview
The US Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays a key part in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS cloud services to process, store, and transmit federal government data.

What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that standardizes the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. The governing bodies of FedRAMP include the FedRAMP Board, the FedRAMP Program Management Office (PMO), the FedRAMP Technical Advisory Group (TAG), and the Federal Secure Cloud Advisory Committee (FSCAC).
Cloud Service Providers (CSPs) that want to offer their Cloud Service Offerings (CSOs) to the US government must demonstrate FedRAMP compliance. FedRAMP's requirements are drawn from the NIST Special Publication 800 series, and FedRAMP requires CSPs to complete an independent security assessment conducted by a third-party assessment organization (3PAO) so that authorizations satisfy the Federal Information Security Management Act of 2002 (FISMA 2002). For more information, see the FedRAMP website.
Why is FedRAMP important?
In response to the federal government’s Cloud First Policy (now the Cloud Smart Strategy), the Office of Management and Budget (OMB) issued the FedRAMP Policy Memo, which established FedRAMP to provide a standard path for agencies to meet their obligations under FISMA 2002 when they use cloud services. FedRAMP is mandatory for all US federal agencies and for all cloud services they use. FedRAMP is important because it increases:
- Consistency and confidence in the security of cloud solutions, using standards defined by the National Institute of Standards and Technology (NIST) and FISMA
- Transparency between the US government and cloud providers
- Automation and near-real-time continuous monitoring
- Adoption of secure cloud solutions through reuse of assessments and authorizations
What are the requirements for FedRAMP compliance?
All federal agencies are required to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP Program Management Office (PMO) has outlined the following requirements for FedRAMP compliance:
- The cloud service provider (CSP) has been granted an Agency Authority to Operate (ATO) by a US federal agency.
- The CSP meets the FedRAMP security control requirements as described in the National Institute of Standards and Technology (NIST) SP 800-53, Rev. 5 security control baseline for the Moderate or High impact level.
- All system security packages must use the required FedRAMP templates.
- The CSP must be assessed by an approved third-party assessment organization (3PAO).
- The completed security assessment package must be posted in the FedRAMP secure repository.
How do CSPs meet FedRAMP compliance?
Agency Authorization: To receive a FedRAMP Agency Authority to Operate (ATO), a CSP's security package is reviewed by a customer agency's CIO or Delegated Authorizing Official(s). An agency ATO issued by a customer agency is then verified by the FedRAMP Program Management Office (PMO).
What is FedRAMP 20x?
As a part of the recently announced FedRAMP 20x initiative, the FedRAMP Program Management Office (PMO), industry stakeholders, and agency experts are working to redesign the FedRAMP assessment process. According to the FedRAMP PMO, the goal of FedRAMP 20x is to streamline and enhance the compliance process by:
- Streamlining Continuous Monitoring: Revisiting the approach to continuous monitoring, emphasizing ongoing, automated assessments to ensure compliance is maintained effectively over time.
- Automating Assessments: Developing mechanisms to automate security requirement validations, reducing the time and resources required for manual reviews.
- Leveraging Existing Frameworks: Allowing CSPs to use existing commercial security frameworks, minimizing duplicative efforts and enhancing compatibility with federal requirements.
- Enabling Continuous Reporting: Enhancing communication between CSPs and federal agencies by providing real-time reporting and monitoring capabilities.
To facilitate these improvements, working groups have been established to discuss these topics and gather input from stakeholders. These groups will help shape the future of FedRAMP.
For more information about FedRAMP 20x, please visit the FedRAMP 20x and FedRAMP 20x Working Groups pages.
How does an agency leverage the AWS FedRAMP authorization?
- A Federal Agency or Department of Defense (DoD) organization can leverage AWS Cloud Service Offerings (CSOs) as building blocks for solutions hosted in the cloud. Each AWS CSO is authorized for Federal and DoD use by FedRAMP and DISA, and the authorization of each CSO is documented. Currently, this authorization takes the form of a Provisional Authority to Operate (P-ATO), a form of authorization previously issued by FedRAMP. However, the form and structure of authorizations may change as FedRAMP 20x and other aspects of FedRAMP evolve.
- An agency Authorizing Official (AO) can use any of the AWS FedRAMP Security Packages to review the supporting documentation, including the shared responsibility details, and make their own risk-based decision to grant an Agency Authority to Operate (ATO) to AWS. Agencies are responsible for issuing their own ATO on AWS and for the overall authorization of their system components. If you have questions or need more information, please contact your AWS Sales Account Manager or the ATO on AWS team.
Does AWS have an Authority to Operate (ATO)?
AWS is a Cloud Service Provider (CSP) that offers Cloud Service Offerings (CSOs). As a CSP, AWS follows the FedRAMP process to get its CSOs authorized for Federal or DoD use. The FedRAMP process does not issue an ATO to CSPs. Rather, agencies may issue an ATO to a CSP based on the CSP’s completion of the FedRAMP authorization process for a CSO.
Previously, FedRAMP’s now-defunct Joint Authorization Board (JAB) issued Provisional Authorities to Operate (P-ATOs), which agencies could leverage to issue their own ATOs. Federal civilian agencies and the DoD have used the P-ATO, and the inherited controls associated with it, when following the Risk Management Framework (RMF) process to issue their own ATO. Note that the AWS P-ATO will not be upgraded to an ATO, because the FedRAMP process does not issue ATOs to CSPs. ATOs are only issued as part of the RMF process, by Federal Agency or DoD Authorizing Officials (AOs). More information on FedRAMP can be found on the FedRAMP website. Currently, FedRAMP does not issue new P-ATOs, and the form and structure of authorizations may change as FedRAMP 20x and other aspects of FedRAMP evolve.
How is FedRAMP different from the Risk Management Framework (RMF)?
FedRAMP is the process that Cloud Service Providers (CSPs) follow to get their Cloud Service Offerings (CSOs) approved for Federal civilian agencies or the DoD to use as building blocks for systems hosted in the cloud. The Risk Management Framework (RMF) is the process that Federal civilian agencies and the DoD follow to get their own IT systems authorized to operate. Only CSPs use the FedRAMP process, and CSPs do not follow the RMF process. Federal civilian agencies and the DoD would only follow the FedRAMP process if they were themselves creating cloud services (for example, milCloud).
Does AWS support agency authorization to operate (ATO) for services outside of FedRAMP?
We encourage agency customers to leverage the existing FedRAMP authorization and authorization package to issue their own Authority to Operate.
Is Amazon Web Services FedRAMP compliant?
Yes. AWS offers the following FedRAMP-authorized regions. Each has been granted an authorization, has addressed the FedRAMP security controls (based on NIST SP 800-53), used the required FedRAMP templates for the security packages posted in the secure FedRAMP repository, has been assessed by an accredited independent third-party assessment organization (3PAO), and maintains the continuous monitoring requirements of FedRAMP:
- AWS GovCloud (US) has been granted a Provisional Authority to Operate (P-ATO) at the High impact level by the Joint Authorization Board (JAB), the previous FedRAMP governing body. The services in scope of the AWS GovCloud (US) FedRAMP P-ATO boundary at the High baseline security categorization can be found within AWS Services in Scope by Compliance Program.
- AWS US East-West (Northern Virginia, Ohio, Oregon, Northern California) has been granted a P-ATO at the Moderate impact level. The services in scope of the AWS US East-West FedRAMP P-ATO boundary at the Moderate baseline security categorization can be found within AWS Services in Scope by Compliance Program.
Will compliance with FedRAMP increase my AWS service costs?
No, there is no increase in service costs for any region as a result of AWS’ FedRAMP compliance.
What AWS regions are covered?
Two separate FedRAMP P-ATOs have been issued; one encompassing AWS GovCloud (US), and the other covering the AWS US East/West regions.
Are there US government entities using AWS now?
Yes. Government agencies, as well as systems integrators and other entities that provide products and services to government agencies, are using the wide range of AWS services today. You can review case studies about US government entities using AWS on the AWS Customer Success webpage. For more information about how AWS meets the high security requirements of governments, see the AWS for Government webpage.
What services are covered and how can we validate FedRAMP compliance?
The AWS services already in scope of the FedRAMP and DoD SRG boundary can be found within AWS Services in Scope by Compliance Program. On either the FedRAMP or the DoD CC SRG tab, a “✓” next to a service indicates that it has been authorized as sufficiently meeting the FedRAMP Moderate baseline requirements (and correspondingly DoD SRG IL2) for AWS US East-West and/or the FedRAMP High baseline requirements (and correspondingly DoD SRG IL2, IL4, and IL5) for AWS GovCloud (US). These services are also posted under the service description for AWS on the FedRAMP Marketplace. If you would like to learn more about using these services, or are interested in other services, please contact AWS Sales and Business Development.
Can other AWS services be used?
Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.
Can high impact level systems be placed on AWS?
Yes, customers can evaluate their high-impact workloads for suitability with AWS. Currently, customers can place their high-impact workloads on AWS GovCloud (US), which has been authorized for high impact level.
Where can I access the AWS FedRAMP Security Package?
U.S. Government employees and contractors can request access to the AWS FedRAMP Security Package from the FedRAMP PMO by completing a Package Access Request Form and submitting it to info@fedramp.gov.
Commercial customers and partners may request access to the AWS FedRAMP Partner Package for guidance related to building on top of AWS offerings and assistance in architecting FedRAMP compliant services on AWS. The Partner Package may be found in your AWS account via AWS Artifact or by request through your AWS account manager.
What is the FedRAMP ID for reference purposes?
For AWS US East-West Regions, the FedRAMP ID is AGENCYAMAZONEW. For AWS GovCloud (US) Region, the FedRAMP ID is F1603047866.
How is continuous monitoring handled with FedRAMP authorizations?
Within the FedRAMP Concept of Operations (CONOPS), after an authorization has been granted, the CSP’s security posture is monitored according to the assessment and authorization process. To maintain a FedRAMP authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering remains acceptable. On a continuous, ongoing basis, AOs and their designated teams review the artifacts provided through the AWS FedRAMP continuous monitoring process, along with evidence that any agency-specific controls required beyond the FedRAMP controls are implemented. For additional information, see your agency’s information system security program or policy.
What if I need to discuss my organization’s FedRAMP-specific AWS workloads or architectures with AWS?
The AWS FedRAMP Security Artifacts are available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
If you have specific questions regarding FedRAMP or DoD compliance, please contact your AWS account manager or submit the AWS Compliance Contact Us Form.
Where can I find more information about other compliance programs related to FedRAMP?
For more information about any applicable compliance programs, please see our AWS Compliance Program webpage. You can also find more information specific to Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG), Federal Information Security Management Act (FISMA), and National Institute of Standards and Technology (NIST).
What are the relationships between FedRAMP and other federal compliance programs (FISMA, DFARS, DoD CC-SRG, NIST SP 800-171)?
Federal government agencies are assessed by their Office of Inspector General (OIG) and internally, based on metrics provided by the Department of Homeland Security (DHS). The criteria for the FISMA OIG and CIO metrics are drawn from the NIST SP 800 series, with emphasis on NIST SP 800-53. FedRAMP allows these agencies to rely on the security of a CSP: it is a compliance program built on a baseline of NIST SP 800-53 controls so that agency use of cloud services satisfies FISMA requirements.
The DoD leverages the FedRAMP compliance program to meet the Impact Levels of the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG); both FedRAMP and the DoD CC SRG require FIPS 140-3 compliance for certain encryption controls. The Defense Federal Acquisition Regulation Supplement (DFARS) requires DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) to meet a defined set of security standards, which includes the NIST SP 800-171 requirements. NIST SP 800-171 provides agencies with recommended security requirements for protecting the confidentiality of CUI.
Can AWS help with the FedRAMP compliance process?
You can inherit various security controls when building on FedRAMP-authorized infrastructure, platforms, and services. An initial analysis of which controls are inherited from AWS and which remain your responsibility determines your compliance obligations.
AWS supports your FedRAMP implementation through:
- Service-specific configuration guides
- Direct consultation with your AWS Sales Account Manager or the ATO on AWS team.