AWS’s industry-leading security strength benefits you in many ways, one of which is that you use a platform that is audited extensively by independent third-party assessors. At times, these audits confirm that we can meet new requirements even as they are issued, and this is the case for the National Institute of Standards and Technology (NIST) guidelines 800-171, which were released in June 2015. This guidance applies to the protection of Controlled Unclassified Information (CUI) on nonfederal systems.
AWS is already compliant with these guidelines, and customers can effectively comply with NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline against which we have already been audited under our FedRAMP program. The FedRAMP Moderate security control baseline is more rigorous than the recommended requirements established in Chapter 3 of 800-171, and it includes a significant number of security controls above and beyond those required of FISMA Moderate systems that protect CUI data. A detailed mapping is available in NIST Special Publication 800-171, starting on page D2 (which is page 37 in the PDF).
With this in mind, federal customers can move forward with migrating CUI workloads to AWS, with the knowledge that AWS can maintain compliance with US federal security requirements as they evolve.
Please contact us with questions about NIST, FedRAMP, and any other security assurance questions you may have.
- Chad Woolf, Director of AWS Risk and Compliance