AWS Security Blog

AWS Achieves First FedRAMP(SM) Agency ATOs

FedRAMP logo

I’m very excited to share that AWS is now a FedRAMP-compliant cloud service provider. See the Amazon press release. This is game-changing news for our U.S. government customers and systems integrators and other companies that provide products and services to the U.S. government because:

  1. It provides agencies a standardized approach to security assessment, authorization, and continuous monitoring for AWS products and services. Prior to the FedRAMP process, government security assessments of cloud providers were not standardized; each varied greatly in scope and depth and were an inefficient use of time and resources. Through FedRAMP, agencies now have a mechanism to obtain comprehensive AWS security assessment documentation and to perform an evaluation of our environment. Agencies can immediately request access to the AWS FedRAMP package by submitting a FedRAMP Package Access Request Form and begin moving through the process to evaluate our platform and authorize AWS for sensitive government workloads.
  2. It demonstrates the AWS environment meets the high bar of the FedRAMP security and control requirements. This means U.S. government customers can immediately start leveraging the Authority to Operate (ATO) provided by the Department of Health and Human Services (HHS) to use the AWS cloud. Kevin Charest, HHS Chief Information Security Officer, shared that by using AWS, all of the HHS Operating Divisions can now “reduce duplicative efforts, inconsistencies, and cost inefficiencies associated with current security authorization processes.”
  3. It provides agencies with the immediate ability to comply with the Office of Management and Budget’s (OMB) mandate to “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB).

This announcement is timely for federal CIOs. Budget, cybersecurity and workforce challenges rose to the top in TechAmerica’s 23rd annual Survey of Federal CIOs published earlier this month (http://www.techamerica.org/cio-survey/). The survey found that 94% of CIO respondents have already or are planning to adopt public or private cloud services. Numerous U.S. government agencies are using the wide range of AWS services today.  And now AWS FedRAMP compliance eases the regulatory compliance burden for all government customers, as the Department of Health and Human Services has already demonstrated by being the first federal agency to publicly authorize the use of AWS under FedRAMP.

Want to learn more about AWS and FedRAMP? Check-out answers to frequently asked questions on the AWS FedRAMP FAQ site.

Chad Woolf
Director, AWS Risk and Compliance

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.