Is AWS FedRAMP Certified?
Published August 6, 2019 • 2 min read
Yes, with one terminology caveat: FedRAMP does not issue certifications, it grants authorizations. On May 21, 2013, Amazon Web Services (AWS) announced that AWS GovCloud (US) and the U.S. AWS Regions had achieved FedRAMP authorization.
At that time, each of those regions held an Agency Authority to Operate (ATO) issued by the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) at the moderate impact level.
The FedRAMP program ensures that the proper level of information security is in place when federal agencies access the offerings of cloud service providers (CSPs).
FedRAMP authorizations are granted at three impact levels: low, moderate, and high. The level determines which types of federal data a CSP's authorized offering may process, store, and transmit.
These levels follow the FIPS 199 categorization of the impact that a loss of confidentiality, integrity, or availability of the data could have on an organization: a low impact would have a limited adverse effect, a moderate impact a serious adverse effect, and a high impact a severe or catastrophic adverse effect.
A CSP must correctly align its cloud service offerings to an impact level to pursue the appropriate authorization baseline.
Since the 2013 announcement, AWS GovCloud (US) has been granted a Joint Authorization Board Provisional Authority-to-Operate (JAB P-ATO) and numerous agency authorizations for the high impact level, according to AWS FedRAMP FAQs.
AWS GovCloud (US) is an isolated AWS region established to host sensitive data and regulated workloads in the cloud. AWS GovCloud (US) helps customers support their federal government compliance requirements, including FedRAMP and International Traffic in Arms Regulations.
AWS’ FedRAMP high impact level authorization includes over 400 security controls. It enables federal agencies to use the AWS Cloud for highly sensitive workloads, including sensitive patient records, financial data, and law enforcement data.
In addition, AWS US East/West Regions have been granted a JAB P-ATO and multiple Agency Authorizations (A-ATO) for moderate impact level.
Over 2,000 government agencies and other organizations that provide systems integration and other products and services to governmental agencies are using numerous AWS services, including the U.S. Department of State, the U.S. Food and Drug Administration, and the Centers for Disease Control and Prevention, according to AWS.
What is FedRAMP?
FedRAMP is a U.S. government program that was established to provide a standardized approach to the security assessment, authorization process, and continuous monitoring for cloud products and cloud services and to enable federal agencies to more quickly adopt secure cloud solutions.
The governing bodies of the FedRAMP program include the following government agencies: the Office of Management and Budget (OMB); the General Services Administration (GSA); the U.S. Department of Homeland Security (DHS); the U.S. Department of Defense (DoD); the National Institute of Standards and Technology (NIST); and the Federal Chief Information Officers Council.
CSPs that want to offer their software-as-a-service (SaaS) solutions and other cloud services to federal agencies must obtain a FedRAMP authorization for each offering; a CSP cannot simply self-declare that it is FedRAMP compliant.
The FedRAMP program, which bases its control baselines on the NIST Special Publication 800 series (in particular SP 800-53), requires that each CSP undergo an independent security assessment by an accredited third-party assessment organization (3PAO) so that the resulting authorization satisfies the Federal Information Security Modernization Act (FISMA, originally the Federal Information Security Management Act of 2002). The authorization is not a one-time event: the CSP must also submit to continuous monitoring, including regular vulnerability scans and annual reassessment, to keep it.