Practical Federal Compliance Strategies and Examples


Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (

Published in: Technology
  • 1. Practical Federal Compliance Strategies and Examples. Chad Woolf, AWS Compliance Officer
  • 2. Researcher Perspective: “In 2011, we got real proof that the providers are at least doing their part [toward addressing security]. The leading cloud providers earned key certifications (ISO 27001, 20001, PCI-DSS, and FISMA), and nearly all provided strong transparency to their operational practices. We also saw the leading clouds land local data centers in Europe and Asia while validating the proper handling of in-country data. And for the most part we saw enterprise customers awaken responsibilities for securing their use of clouds. There’s much progress to be made, but the excuses for not leaving the starting gate are no more.” (Master 10 Trends For Your Cloud Journey, Forrester Research, Inc., May 10, 2012)
  • 3. Today’s Topics
    • Discuss compliance in general and how it relates to business objectives
    • Discuss three methods of using compliance mechanisms to respond to business objectives
    • Address the different ways and methods to be compliant on AWS
    • Use cases: FISMA, ITAR
  • 4. Compliance and Security
    • Being compliant is related to, but not always the same thing as, being secure (and vice versa)
    • Security focus: protecting information and systems (44 U.S.C. §3542)
    • Compliance focus: the demonstration of adherence to policies, procedures, published standards, or other mandates (security related or otherwise)
  • 5. Compliance Simplified (diagram): Business Objective → Activities that drive the objective → Tracking of those activities
  • 6. Key Concept: Shared Responsibility
    • Moving IT infrastructure to AWS services creates a model of shared responsibility between the customer and AWS
    • Moving to AWS can relieve burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security
    • The customer assumes responsibility for and management of the guest OS and the configuration of the AWS-provided security group firewall
    • Understanding this thoroughly streamlines compliance efforts
  • 7. We’re In This Together: Shared Responsibility (layer diagram, top to bottom)
    • Customer control and customer responsibility: Software; Firewalls/IDS/AV; Application; Data; Guest Operating System
    • AWS control and AWS responsibility: Hypervisor; Hardware; Physical Infrastructure
  • 8. In Practice: Compliance with Security Standards
  • 9. Info Security Compliance Strategy
    • Achieving information security compliance can be done:
      • In a detailed way (looking at individual controls)
      • In a general way (looking at an entire control environment, including subjective factors)
    • When working with service providers, you also have options:
      • Require the service provider to publish specific controls, with pass/fail audits
      • Require service providers to adhere to a broad standard, and rely on a process or security certification
  • 10. Examples of detailed vs. general validation
    • General validation: ISO 27001
    • Detailed validation: SSAE 16/SOC 1 (formerly SAS 70)
    • FISMA can be either (discussed next)
  • 11. Use Case: FISMA (Federal Information Security Management Act)
    • Requires each federal agency to develop, document, and implement an agency-wide information security program for the data and information systems that support the agency, including those provided or managed by another agency, contractor, or other source
    • NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security
  • 12. Use Case: FISMA (diagram)
    • Business Objective: properly manage information assets; comply with information security legislation
    • Activities that drive the objective: secure your environment in conformity with the law, including that part of the environment managed by service providers
    • Tracking of those activities: validate that you and your service providers are performing the required activities
  • 13. FISMA – Which Strategy to Use?
    • Security compliance strategy options:
      • In a detailed way (looking at individual controls)
      • In a general way (looking at an entire control environment, including subjective factors)
    • Agency/entity strategy differences are centered around:
      • internal security requirements
      • historical practices
      • varied levels of focus on security elements and requirements
      • comfort with how reasonable assurance is obtained
  • 14. FISMA – GSA BPA
    • AWS and reseller URS-Apptis were awarded an IaaS blanket purchase agreement (BPA) from the GSA
    • GSA-associated agencies can now use AWS with low accreditation effort
      • ATO covers anything procured through the BPA
      • Complexity of agency systems may require a deep dive into the documentation
  • 15. Leveraging GSA BPA vs. Sponsoring an ATO (chart; listed from greatest leverage/least effort to least leverage/greatest effort)
    • Review the ATO docs
    • Review pending actions (POA&M)
    • Review assessment report (SAR)
    • Review System Security Plan (SSP)
    • Review test cases
    • Integrate agency/AWS SSPs
    • Pursue an independent (unleveraged) agency ATO
  • 16. Example: CDC BioSense. The Centers for Disease Control and Prevention’s (CDC) BioSense Program is designed to establish an integrated system of nationwide biosurveillance for early detection and prompt assessment of potential bioterrorism-related illness.
    • Approved: BioSense 2.0 was accredited and approved to operate at FISMA-Moderate by the CDC
    • Backed up: BioSense 2.0 system information is backed up by system administrators on a nightly basis and is reviewed on a monthly basis for completeness and correctness
    • Durable: The Amazon S3 storage infrastructure employs multiple copies of data to ensure it can be recovered if necessary
    • Secure: The BioSense 2 partitioned storage architecture makes use of AWS native infrastructure protections, and authentication mechanisms are used to ensure that data is kept secure from unauthorized access
  • 17. Example: Consumer Financial Protection Bureau. CFPB’s mission is to make markets for consumer financial products and services work for Americans by educating, enforcing and analyzing information. The Consumer Bureau ensures that consumers get the information they need to make the financial decisions best for themselves and their families. Summary:
    • Currently using the Office of Thrift Supervision data center, which has combined with the Office of the Comptroller of the Currency within the Department of the Treasury
    • CFPB is using AWS as a shared service through the Department of the Treasury’s SharePoint environment for their website
    • They have gone through the SSP read (3 full days in June) and have had a 3rd-party independent assessor review their internal C&A
    • They are currently in the final stages of penetration testing and analyzing the results; they will be finished within weeks and plan to issue the ATO soon after
  • 18. Example: DoD and DIACAP
    • An Air Force customer received a DIACAP MAC III ATO in early April for 3 years
    • The ATO was based on reviewing the SSP and mapping it to DIACAP requirements
    • AWS has multiple DoD customers who are in various stages of the DIACAP accreditation process
  • 19. Use case: ITAR (International Traffic in Arms Regulations)
    • Prohibits the unlicensed export of defense articles, defense services, and related technical data
    • A non-US person accessing data is an “export”
    • A company managing ITAR articles and data must ensure US-person-only access, end-to-end
  • 20. Use case: ITAR – AWS GovCloud (US)
    • AWS GovCloud (US) provides a region restricted to US persons only
    • Allows customers to store and process ITAR-restricted data
    • Compliance efforts focus on security restrictions over GovCloud (US) resources
    • AWS completed a comprehensive audit over US-persons access and publishes a letter of attestation
    • Compliance is greatly simplified for an entity: no need for separate audits of AWS, which reduces compliance scope
  • 21. FISMA Compliance – Today
    • FISMA:
      • AWS has customers operating in our environment under FISMA-Low and FISMA-Moderate
      • Agencies may engage with AWS directly
    • GSA IaaS BPA:
      • Customers can purchase through the BPA now for the U.S. East and West regions
      • A 3-year ATO was issued to Apptis/AWS in April 2012
      • Compliance documentation can be requested through the GSA
  • 22. FISMA Compliance – Soon: Federal Risk and Authorization Management Program (FedRAMP)
    • A standard approach to assessing and authorizing cloud computing services/products
    • FedRAMP started accepting applications in June
    • The AWS GovCloud compliance package is currently under review by FedRAMP
    • GovCloud 3PAO assessment underway
  • 23. FedRAMP – Opportunities, Challenges
    • Strongest value propositions: leveragability, speed to ATO
    • Aspects to be determined:
      • Actual FedRAMP PATO process
      • 100% compliance / compensating controls
      • Agency ATOs: what is the process for agencies
      • Agency-specific controls
      • Protection of CSP information
      • Continuous Monitoring: automatic data feeds (what data, how to deliver, applicability to customer, ability to interpret)
      • TIC monitoring requirements
  • 24. Takeaways
    • Compliance validation strategies vary
    • A broad ATO, like the GSA blanket agreement, can simplify compliance efforts
    • FISMA Moderate: compliance is a reality today
    • ITAR: another example of AWS reducing operational compliance effort for agencies
    • FedRAMP is designed to simplify and streamline
  • 25. Thank You!! Chad Woolf