© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
FedRAMP High & AWS GovCloud (US)
FISMA High Requirements in the Cloud
AWS Cloud adoption in the Public Sector
Government agencies: 2,300
Education institutions: 7,000
Nonprofit organizations: 22,000
AWS global infrastructure
13 Regions
35 Availability Zones
56 Edge Locations
AWS GovCloud (US) is an isolated AWS region
Intended for customers with strict regulatory and compliance requirements and sensitive data or workloads
August 2011: Available to qualified customers
Compliance: Safeguard sensitive data/systems
Addresses multiple US Government regulations and security requirements
Various types of enterprises use GovCloud
US Government (federal, state, and local)
Consulting firms and systems integrators
Technology firms and ISVs
Education institutions
Research organizations
Regulated industries (Aerospace, Defense, Energy, Manufacturing, Healthcare)
Nonprofit organizations
Managed service providers
Example workloads customers run on GovCloud
Web applications and websites
Backup and recovery
Archiving
Disaster recovery
Development and test
Big data
High-performance computing
Business/mission critical systems
Enterprise IT
Mobile
Fit for Controlled Unclassified Information (CUI)
Agriculture, Copyright, Critical infrastructure, Export control, Financial, Immigration, Intelligence, Law enforcement, Legal, Nuclear, Patent, Privacy (PII), Proprietary (IP), Statistical (census), Tax, Transportation
Many customers use GovCloud for all categories of CUI
GovCloud is all about “compliance in the cloud”
SP 800-53 (rev 4) and SP 800-171
AWS GovCloud (US) FedRAMP High JAB ATO
Announced June 23, 2016 by FedRAMP PMO and allows Government agencies to leverage the AWS Cloud for highly sensitive workloads and meet FISMA High requirements.
High Baseline
eGov Act of 2002 includes Federal Information Security Management Act (FISMA)
Agency ATO
Congress passes FISMA as part of 2002 eGov Act
OMB A-130; FIPS 200, FIPS 199
NIST SP 800-37, 800-137, 800-53
OMB A-130 provides policy, NIST provides risk management framework
Agencies leverage RMF process, heads of agencies review packages and risk, accept risk and grant ATOs
Source: FedRAMP PMO (modified)
US Government IA Policy Framework
Risk Management Framework
Source: NIST 800-53 Rev. 4
NIST Special Publication 800-53 rev. 4
• Control specification
• Supplemental Guidance
• Control Enhancements
• Baseline Alignment
However…
“Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation.”
• Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
• Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
• Prohibits password reuse for [Assignment: organization-defined number] generations
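The three bracketed assignments above are where an organization tailors IA-5(1) to its own environment. As an added example (not code from the slide deck or from AWS), the Python below takes organization-defined values for those assignments and checks them against the fields of an IAM account password policy, using the same key names that the IAM GetAccountPasswordPolicy API returns. The sample policies and the parameter values are constructed. The point it makes is that only two of the tailored values (maximum lifetime and reuse generations) have a direct counterpart in the IAM policy object; the minimum-lifetime and changed-characters requirements have no field there, so the check reports them as needing a compensating control rather than silently passing.

```python
"""Assess an IAM account password policy against organization-defined
IA-5(1) parameters.  Added example; not from the deck or from AWS.

The policy dicts use the field names returned by IAM's
GetAccountPasswordPolicy ("PasswordPolicy" element); with boto3 a live
policy would come from iam.get_account_password_policy()["PasswordPolicy"].
All values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class OrgParameters:
    """Organization-defined values for the IA-5(1) assignments."""
    changed_characters: int   # (b) minimum characters changed on a new password
    min_lifetime_days: int    # (d) minimum password lifetime
    max_lifetime_days: int    # (d) maximum password lifetime
    reuse_generations: int    # (e) generations for which reuse is prohibited


# Constructed organization-defined parameters (hypothetical tailoring).
ORG_PARAMS = OrgParameters(changed_characters=8, min_lifetime_days=1,
                           max_lifetime_days=60, reuse_generations=24)

# Constructed sample: a policy left close to defaults.
SAMPLE_WEAK_POLICY: Dict = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "ExpirePasswords": False,          # no MaxPasswordAge present
    "AllowUsersToChangePassword": True,
}

# Constructed sample: a policy tuned to the parameters above.
SAMPLE_TUNED_POLICY: Dict = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 60,
    "PasswordReusePrevention": 24,
    "AllowUsersToChangePassword": True,
}


def assess_password_policy(policy: Dict, params: OrgParameters) -> List[str]:
    """Return one finding string per unmet or unenforceable IA-5(1) item.

    An empty list means every tailored value is enforced by the policy object.
    """
    findings: List[str] = []

    # (e) reuse prohibition maps directly to PasswordReusePrevention.
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < params.reuse_generations:
        findings.append(
            f"IA-5(1)(e): PasswordReusePrevention={reuse} is below the "
            f"required {params.reuse_generations} generations")

    # (d) maximum lifetime maps to ExpirePasswords plus MaxPasswordAge (days).
    if not policy.get("ExpirePasswords", False):
        findings.append("IA-5(1)(d) max lifetime: passwords never expire "
                        "(ExpirePasswords is false)")
    else:
        max_age = policy.get("MaxPasswordAge", 0)
        if max_age == 0 or max_age > params.max_lifetime_days:
            findings.append(
                f"IA-5(1)(d) max lifetime: MaxPasswordAge={max_age} exceeds "
                f"the required {params.max_lifetime_days} days")

    # (d) minimum lifetime and (b) changed characters have no field in the
    # IAM account password policy object, so they cannot be satisfied here;
    # report them so the gap is visible in the assessment.
    if params.min_lifetime_days > 0:
        findings.append("IA-5(1)(d) min lifetime: not a field of the IAM "
                        "password policy; compensating control required")
    if params.changed_characters > 0:
        findings.append("IA-5(1)(b): changed-character count is not a field "
                        "of the IAM password policy; compensating control "
                        "required")
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", SAMPLE_WEAK_POLICY), ("tuned", SAMPLE_TUNED_POLICY)):
        print(f"--- {name} policy ---")
        for finding in assess_password_policy(pol, ORG_PARAMS) or ["no findings"]:
            print(finding)
```

Running the block prints four findings for the weak policy and two for the tuned one; the two that remain on the tuned policy are exactly the assignments the IAM policy object cannot express, which is the kind of gap an agency has to document in its own ATO package rather than inherit from the provider.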
Cloud complicates this approach
Problem:
• A duplicative, inconsistent, time consuming, costly, and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
Solution: FedRAMP
• Uniform risk management approach
• Standard set of approved, minimum security controls (FISMA Low, Moderate, and High Impact)
• Consistent assessment process
• Provisional ATO
Source: FedRAMP PMO (Modified)
What is FedRAMP?
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Source: FedRAMP PMO
eGov Act of 2002 includes Federal Information Security Management Act (FISMA)
FedRAMP Security Requirements
Agency ATO
Congress passes FISMA as part of 2002 eGov Act
OMB A-130; FIPS 199, FIPS 200
NIST SP 800-37, 800-137, 800-53
OMB A-130 provides policy, NIST provides risk management framework
FedRAMP builds upon NIST SPs establishing common cloud computing baseline requirements
Agencies leverage FedRAMP process, heads of agencies review packages and risk, accept risk and grant ATOs
Source: FedRAMP PMO
FedRAMP Policy Framework
FedRAMP High
June 23, 2016: AWS received a P-ATO from the FedRAMP JAB
421 Baseline Controls
Highly sensitive workloads (PII, financial data, CUI, etc.)
Covers five core AWS services
“The loss of confidentiality, integrity, or availability could be expected to have severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals” (FIPS 199)
FedRAMP High
Why is this such a big deal?
[Charts: share of Federal Information, and of the $80B Federal IT Budget, by impact level (Low/Moderate vs. High)]
Source: FedRAMP PMO
So, FedRAMP authorizes workloads on AWS?
No… Agencies authorize
Authorizations cover specific services and boundaries
Once one agency authorizes a workload, all agencies can use it?
No… Each agency is responsible for ATO issuance
Outputs are reusable, but risk assessment is individual
But what happens if a service isn’t authorized?
AWS FedRAMP assets for customers
For US Government Agencies:
• AWS FedRAMP High Package
• Monthly Continuous Monitoring Reviews
For AWS Customers and Partners:
• Partner Package for FedRAMP High
For Everyone:
• AWS Partner Ecosystem
• AWS Professional Services
• Enterprise Accelerators for Compliance (AWS QuickStarts)
• Whitepapers
Getting started with AWS GovCloud (US)
Visit https://aws.amazon.com/govcloud-us/getting-started to learn about access requirements and begin using GovCloud
Resellers: contact your AWS business representative to get started
Learn more about AWS GovCloud (US)
AWS GovCloud (US) webpage: https://aws.amazon.com/govcloud-us/
AWS GovCloud (US) User Guide: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html
AWS Cloud Compliance: https://aws.amazon.com/compliance/
AWS NIST Quick Start Reference Deployment: https://aws.amazon.com/professional-services/enterprise-accelerators/
Thank You.