AWS FedRAMP: How AWS Complies with FedRAMP for U.S. Government Agencies

The Federal Risk and Authorization Management Program (FedRAMP) provides a comprehensive guide for assessing, authorizing, and continuously monitoring cloud products and services to ensure they are suitable for use by the U.S. federal government. This article explores how AWS aligns with FedRAMP’s rigorous standards and what this means for government agencies and other entities leveraging AWS's cloud services.

[Image: 15 AWS services that achieved FedRAMP Provisional Authority to Operate (P-ATO)]


What Is FedRAMP Compliance?

FedRAMP, short for the Federal Risk and Authorization Management Program, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Established in 2011, FedRAMP aims to ensure effective, repeatable cloud security for the government of the United States.

The main focus of FedRAMP is risk management. It recognizes the dynamic nature of cybersecurity threats, and rather than providing a rigid set of rules, it establishes a framework for evaluating and managing risks. This approach helps ensure security while allowing for flexibility and scalability, which are key attributes in the fast-paced field of cloud computing.

FedRAMP is obligatory for federal agency cloud deployments. Other non-federal entities, including private companies, can also choose to comply with FedRAMP as a best practice.

FedRAMP Requirements in Brief

FedRAMP compliance revolves around meeting a set of requirements designed to ensure secure cloud services. These requirements are broadly grouped into two categories:

  • Procedural requirements: These deal with the processes and policies that need to be in place for managing cloud services, including areas like incident response, contingency planning, and system maintenance. The goal is to ensure that the organization has well-defined, effective processes for managing potential risks.
  • Technical requirements: These are concerned with specific technical measures that need to be implemented to secure cloud services. These include encryption standards, access controls, and audit logging. The objective is to ensure that the organization is leveraging the best technology to protect against cybersecurity threats.

FedRAMP Levels: High, Medium, Low

The FedRAMP compliance framework categorizes cloud services into three impact levels: Low, Moderate (often referred to as Medium), and High. These levels are based on the potential impact that a security breach would have on an organization’s operations and assets.

  • Low-risk services are those where a security breach would have a limited adverse effect on an organization’s operations, assets, or individuals.
  • Medium-risk services are those where the impact would be serious.
  • High-risk services are those where the impact would be severe or catastrophic for U.S. government agencies or national security.

Each impact level has a corresponding set of FedRAMP requirements, known as the FedRAMP Low, FedRAMP Moderate (Medium), and FedRAMP High baselines. The higher the impact level, the more stringent the requirements. This graded approach ensures that resources are allocated to the most significant threats.

Does AWS Have Authority to Operate (ATO) Under FedRAMP?

AWS, as a Cloud Service Provider (CSP), provides Cloud Service Offerings (CSOs) that are subject to the FedRAMP authorization process. However, it’s important to understand that FedRAMP itself does not grant an Authority to Operate (ATO) for AWS. Instead, the process results in what is known as a Provisional Authority to Operate (P-ATO). This P-ATO serves as a preliminary approval for Federal Agencies or the Department of Defense (DoD) to use the CSOs offered by AWS.

The P-ATO is a critical step in the procurement process for Federal Agencies or the DoD. However, the P-ATO does not automatically convert into an ATO. Federal Agencies must follow their own Risk Management Framework (RMF) process to obtain an ATO. The ATOs are exclusively issued by Federal Agency or DoD Authorizing Officers (AOs) as part of their RMF process, not by FedRAMP.

To summarize, although AWS holds a Provisional Authority to Operate from FedRAMP, Federal Agencies must still obtain their own Authority to Operate before using AWS’s cloud services.

Levels of FedRAMP Compliance with AWS

Let’s look at some of the FedRAMP compliance levels achieved by AWS.

FedRAMP Moderate in US East and US West Regions

AWS has several services authorized at the FedRAMP Moderate level in the US East and US West regions. These services include Amazon EC2, Aurora, DynamoDB, Elastic File System (EFS), and Elastic Kubernetes Service (EKS). This means that these services have been assessed and found to meet the stringent security requirements of FedRAMP Moderate.

In addition to Federal agencies, many state and local governments, as well as private sector organizations, find that the security requirements at the Moderate level meet their needs.

FedRAMP High in GovCloud

The FedRAMP High baseline is reserved for sensitive, critical government operations. AWS GovCloud (US) has a range of services authorized at the FedRAMP High baseline, including all the services listed above. However, some services are not available at the FedRAMP High level: these include Amazon Connect, CloudFront, Macie, AWS Budgets, and AWS Cloud9.

FedRAMP High authorization means that these services can handle and protect data that, if breached, could have severe or catastrophic effects on organizational operations or assets, individuals, or national security.

AWS GovCloud (US) is an isolated AWS region designed to host sensitive data and regulated workloads in the cloud, helping customers to support their U.S. government compliance requirements, including FedRAMP High.

See a full list of AWS services in scope for FedRAMP Moderate and High.

What Is the Process for US Government Agencies to Use Amazon FedRAMP Authorization?

To use Amazon Web Services (AWS) under FedRAMP authorization, U.S. Federal Agencies and the Department of Defense (DoD) need to consider AWS Cloud Service Offerings (CSOs) as foundational elements for their cloud-based solutions. Each CSO has been authorized for Federal and DoD use, a process overseen by FedRAMP and the Defense Information Systems Agency (DISA). This authorization is captured in a Provisional Authority to Operate (P-ATO), which represents pre-procurement approval, allowing Federal or DoD organizations to consider the use of these CSOs.

Federal Agencies and DoD organizations can access AWS FedRAMP Security Packages to review necessary documentation, including details on shared responsibilities. This review is a critical step in enabling an agency’s Authorizing Official (AO) to make an informed, risk-based decision to grant an Agency Authority to Operate (ATO) to AWS. While AWS provides the underlying cloud infrastructure and services, the responsibility of issuing an ATO for these services rests with the agencies themselves. They are also accountable for the overall authorization of the system components they deploy on AWS. For more information, agencies are directed to contact the ATO on AWS team.

The Cloud Native Experts
"The Cloud Native Experts" at Aqua Security specialize in cloud technology and cybersecurity. They focus on advancing cloud-native applications, offering insights into containers, Kubernetes, and cloud infrastructure. Their work revolves around enhancing security in cloud environments and developing solutions to new challenges.