Transcript
Page 1: Federal Compliance Deep Dive: FISMA, FedRAMP, and Beyond - AWS Symposium 2014 - Washington D.C

AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014


Federal Compliance Deep Dive: AWS Public Sector Security Assurance Programs

Chris Gile, Senior Manager

AWS Risk and Compliance, [email protected]

Page 2

Shared Security Responsibility

• AWS & Customers both have security/compliance obligations

• Logical assessment & accreditation boundaries

Managed by AWS (Compliance of the Cloud):
– Cross-service Controls
– Service-specific Controls
– Cloud Service Provider Controls

Managed by Customer (Compliance in the Cloud):
– Optimized Network/OS/App Controls

Page 3

AWS FedRAMP Program

• AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering:
  – All AWS US Regions (US East/West, & GovCloud (US))
  – EC2, S3, EBS, VPC, IAM
  – New: Amazon Redshift (US East/West only)

• Assessed against all FedRAMP-Moderate controls

• Agency ATO packages have reciprocity with federal agencies

• AWS will directly field FedRAMP package requests; agencies can still request the AWS FedRAMP package from the FedRAMP PMO
  – AWS provides customers a FedRAMP SSP Template, an inherited/shared control matrix, as well as the FedRAMP package

cloud.cio.gov/fedramp/amazon

Page 4

Building Solutions on AWS

• Partners & Agencies can leverage FedRAMP compliant AWS

• AWS’s FedRAMP package covers AWS infrastructure and underlying management of services

• Partner’s FedRAMP package includes inherited controls; shared controls document the partner’s application/service built on AWS

• To support partners we can provide:
  – Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc.
  – SSP Template: Pre-populated with inherited control language, guidance on completing shared controls
  – ATO Letters as stand-alone documents
  – Support: Security Solutions Architects, Security Assurance Architects, Professional Services

Page 5

AWS Documentation Support

• AWS Package is specific to the AWS Infrastructure

• Partner’s Package is specific to the Partner’s Application or managed services

• Inherited v. Shared Controls

Page 6

AWS DoD CSM Program

• 2/6/14 Provisional Authorization for Levels 1-2

• DISA-managed Cloud Security Model (CSM)

• 70 additional control enhancements overlaid on FedRAMP Moderate

• Partners have achieved MAC II Sensitive DIACAP ATOs

Page 7

Certifications & Compliance

• AWS Environment

– SOC 1/2/3

– ISO 27001 Certification

– Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider

– FedRAMP (up to Moderate)

– AWS GovCloud (US) – ITAR compliant region

• Customers have deployed various compliant applications

– Sarbanes-Oxley (SOX)

– HIPAA (healthcare)

– FISMA/FedRAMP (US Federal Government)

– DIACAP – up to MAC II Sensitive

– International Traffic in Arms Regulations (ITAR)

Page 8

Customer Resources

• Whitepapers
  – Risk & Compliance Whitepaper
  – Overview of Security Processes
  – “Security at Scale” series
    • Governance in AWS
    • Logging in AWS

• Template
  – FedRAMP SSP Template

• Workbooks
  – FISMA-High
  – CJIS

Page 9

Other Compliance Programs

• FISMA-High
  – Workbook available for partners under NDA
  – 84 additional control enhancements; 21 inherited, 54 shared, 9 customer

• CJIS Workbook
  – Available under NDA
  – 121 security requirements; 10 inherited, 87 shared, and 24 customer-responsible requirements

• Both are partner-based approaches to build a portfolio of authorizations

Page 10

AWS Compliance & Security Centers

• Answers to many security and compliance questions

• Security whitepaper

• Risk and Compliance whitepaper

• Overview of Security Processes whitepaper

• “Security at Scale” whitepaper series

• Security bulletins

• Customer penetration testing requests

• Security best practices

• Request more information by contacting us

aws.amazon.com/security
aws.amazon.com/compliance

Page 11

Additional AWS Security & Compliance References

• https://aws.amazon.com/security
• https://aws.amazon.com/compliance
• https://aws.amazon.com/compliance/#whitepapers
• https://aws.amazon.com/compliance/fedramp-faqs
• https://aws.amazon.com/govcloud-us
• https://aws.amazon.com/documentation
• https://aws.amazon.com/iam

[email protected]

Page 12

Questions?

Page 13

Thank You

Chris Gile

[email protected]
