Federal Compliance Deep Dive: FISMA, FedRAMP, and Beyond - AWS Symposium 2014 - Washington D.C.

Security is your number one priority, and it is ours too. With customers around the world across all industries, it is our top priority to ensure the underlying cloud infrastructure is secure and compliant. This presentation addresses the AWS shared security responsibility model, specific compliance requirements such as FedRAMP and the DISA/DoD Cloud Security Model, and details the specific AWS compliance programs that support customers in these compliance environments.


  1. AWS Government, Education, and Nonprofits Symposium, Washington, DC | June 24, 2014 - June 26, 2014
     Federal Compliance Deep Dive: AWS Public Sector Security Assurance Programs
     Chris Gile, Senior Manager, AWS Risk and Compliance, cgile@amazon.com
  2. Shared Security Responsibility
     • AWS and customers both have security/compliance obligations
     • Logical assessment and accreditation boundaries
     • Diagram labels: Cross-service Controls; Service-specific Controls; Managed by AWS (Compliance of the Cloud); Managed by Customer (Compliance in the Cloud); Cloud Service Provider Controls Optimized; Network/OS/App Controls
  3. AWS FedRAMP Program
     • AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH, covering:
       – All AWS US Regions (US East/West and GovCloud (US))
       – EC2, S3, EBS, VPC, IAM
       – New: Amazon Redshift (US East/West only)
     • Assessed against all FedRAMP-Moderate controls
     • Agency ATO packages have reciprocity with federal agencies
     • AWS will directly field FedRAMP package requests; agencies can still request the AWS FedRAMP package from the FedRAMP PMO
       – AWS provides customers a FedRAMP SSP Template, an inherited/shared control matrix, and the FedRAMP package: cloud.cio.gov/fedramp/amazon
  4. Building Solutions on AWS
     • Partners and agencies can leverage FedRAMP-compliant AWS
     • The AWS FedRAMP package covers AWS infrastructure and underlying management of services
     • The partner's FedRAMP package includes inherited controls; shared controls document the partner's application/service built on AWS
     • To support partners we can provide:
       – Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc.
       – SSP Template: pre-populated with inherited control language, guidance on completing shared controls
       – ATO Letters as stand-alone documents
       – Support: Security Solutions Architects, Security Assurance Architects, Professional Services
  5. AWS Documentation Support
     • The AWS package is specific to the AWS infrastructure
     • The partner's package is specific to the partner's application or managed services
     • Inherited vs. shared controls
  6. AWS DoD CSM Program
     • 2/6/14: Provisional Authorization for Levels 1-2
     • DISA-managed Cloud Security Model (CSM)
     • 70 additional control enhancements overlaid on FedRAMP Moderate
     • Partners have achieved MAC II Sensitive DIACAP ATOs
  7. Certifications & Compliance
     • AWS Environment
       – SOC 1/2/3
       – ISO 27001 Certification
       – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
       – FedRAMP (up to Moderate)
       – AWS GovCloud (US) – ITAR-compliant region
     • Customers have deployed various compliant applications
       – Sarbanes-Oxley (SOX)
       – HIPAA (healthcare)
       – FISMA/FedRAMP (US Federal Government)
       – DIACAP – up to MAC II Sensitive
       – International Traffic in Arms Regulations (ITAR)
  8. Customer Resources
     • Whitepapers
       – Risk & Compliance Whitepaper
       – Overview of Security Processes
       – "Security at Scale" series: Governance in AWS; Logging in AWS
     • Template
       – FedRAMP SSP Template
     • Workbooks
       – FISMA-High
       – CJIS
  9. Other Compliance Programs
     • FISMA-High
       – Workbook available for partners under NDA
       – 84 additional control enhancements: 21 inherited, 54 shared, 9 customer
     • CJIS Workbook
       – Available under NDA
       – 121 security requirements: 10 inherited, 87 shared, and 24 customer-responsible requirements
     • Both are partner-based approaches to build a portfolio of authorizations
  10. AWS Compliance & Security Centers
     • Answers to many security and compliance questions
     • Security whitepaper
     • Risk and Compliance whitepaper
     • Overview of Security Processes whitepaper
     • "Security at Scale" whitepaper series
     • Security bulletins
     • Customer penetration testing requests
     • Security best practices
     • Request more information by contacting us: aws.amazon.com/security, aws.amazon.com/compliance
  11. Additional AWS Security & Compliance References
     • https://aws.amazon.com/security
     • https://aws.amazon.com/compliance
     • https://aws.amazon.com/compliance/#whitepapers
     • https://aws.amazon.com/compliance/fedramp-faqs
     • https://aws.amazon.com/govcloud-us
     • https://aws.amazon.com/documentation
     • https://aws.amazon.com/iam
     • awscompliance@amazon.com
  12. Questions?
  13. Thank You. Chris Gile, cgile@amazon.com
