The Federal Risk and Authorization Management Program (FedRAMP) is excited to release the FedRAMP High Baseline Requirements. The High Baseline is available on www.FedRAMP.gov. These security requirements will be used to protect some of the government’s most sensitive unclassified data in cloud computing environments. This release allows agencies to use cloud environments for high-impact data, including data whose compromise could endanger life or lead to financial ruin.
Why is this such a big deal? While 80% of Federal information is categorized at low and moderate impact levels, this only represents about 50% of Federal IT spend. Now that FedRAMP has set the requirements for high impact levels, that breaks open the remaining 50% of the $80 billion a year the US Government spends on IT that could potentially move to the cloud securely. That’s huge!
In addition to the High Baseline Requirements being released, the Joint Authorization Board has been busy piloting these requirements with vendors in order to ensure their practical applicability. As of 2018, only 3 vendors meet the high baseline requirements and are ready for agencies to review and leverage:
- CSRA / Autonomic Resources – ARC-P IaaS
- Microsoft – Azure Government
- Amazon Web Services – AWS GovCloud
Achieve FedRAMP High Compliance in the AWS GovCloud (US) Region
Address your most stringent regulatory and compliance requirements while meeting your mission, with AWS GovCloud (US).
AWS GovCloud (US) is an isolated AWS region designed to host sensitive data and regulated workloads in the cloud, helping customers meet their US government compliance requirements, including the International Traffic in Arms Regulations (ITAR) and Federal Risk and Authorization Management Program (FedRAMP) requirements. The region is operated by U.S. Persons, is built on U.S. soil, and only vetted U.S. Persons are permitted to hold root account credentials.
AWS’s FedRAMP High authorization, which includes over 400 security controls, gives U.S. government agencies the ability to leverage the AWS Cloud for highly sensitive workloads, including Personally Identifiable Information (PII), sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI).
About the FedRAMP High Baseline & FISMA
GovCloud’s FedRAMP High baseline designation applies to non-classified technology systems under the Federal Information Security Management Act (FISMA), with “High” data and workloads characterized as “those whereby the loss of confidentiality, integrity, or availability of that data would have a potentially catastrophic effect on operations, assets, or individuals.”
What is FedRAMP High?
- FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- The new FedRAMP High baseline is mapped to National Institute of Standards and Technology (NIST) security controls, and includes over 400 security measures.
- The FedRAMP High baseline applies to non-classified technology systems under the Federal Information Security Management Act (FISMA), with “High” characterized as data for which the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic effect on organizational operations, assets, or individuals.
- It gives US government agencies the ability to leverage the AWS Cloud for workloads with sensitive data, including Personally Identifiable Information (PII), patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI).
FedRAMP High Authorized Services in AWS GovCloud (US)
This authorization applies to the AWS GovCloud (US) Region, including: Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), AWS Identity and Access Management (IAM), Amazon Elastic Block Store (EBS), Amazon RDS for MySQL, Oracle, and PostgreSQL, Amazon CloudWatch Logs, AWS CloudTrail, AWS CloudFormation, AWS Key Management Service (KMS), Amazon Glacier, Amazon Redshift, Amazon SQS, Amazon SNS, Amazon SWF, Amazon EMR, and Amazon DynamoDB.
AWS GovCloud (US): Compliance without Compromise
AWS GovCloud (US) gives customers the flexibility to architect solutions that comply with the FedRAMP High Baseline, CJIS, ITAR, HIPAA, and the Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Levels 2 and 4. Whether you handle Personally Identifiable Information (PII), patient medical records, financial data, law enforcement records, or Controlled Unclassified Information (CUI), AWS GovCloud (US) can help you address compliance at every stage of your cloud journey.
Why AWS GovCloud (US)?
Control Access to Achieve Compliance: AWS GovCloud (US) allows agencies to adhere to the US International Traffic in Arms Regulations (ITAR), the Federal Risk and Authorization Management Program (FedRAMP) requirements, and the Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Levels 2 and 4.
Safeguard Sensitive Data: Protect sensitive unclassified data files with server-side encryption in Amazon S3; store and manage your encryption keys yourself with AWS CloudHSM, or use our one-click AWS Key Management Service (KMS).
Improve Cloud Visibility: Audit access to sensitive data and every use of your encryption keys with AWS CloudTrail, our API logging service, which is managed and operated by U.S. Persons.
Strengthen Identity Management: Limit access to sensitive data by individual, time, and location, and restrict which API calls users can make, using identity federation, easy key rotation, and the other access control and policy testing tools that are available.
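The "Safeguard Sensitive Data" and "Improve Cloud Visibility" items above describe an encrypt-at-rest plus audit-the-keys pattern. The following is an added example (not AWS code and not part of the original page) of the detection side: it walks CloudTrail-shaped records and flags S3 objects written without server-side encryption and KMS key use from outside an approved network. The log records, account ID, key ID, bucket name and IP ranges are constructed placeholders.

```python
"""Audit constructed CloudTrail-style records for (a) S3 PutObject calls
with no server-side encryption applied and (b) KMS data operations from
an unapproved source network. Added example; records are constructed."""
import ipaddress
import json

# Constructed log, shaped like the "Records" array of a delivered CloudTrail
# file. All identifiers are placeholders, not real accounts or keys.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::111111111111:user/analyst"},
     "requestParameters": {"bucketName": "cui-records", "key": "case/1.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::111111111111:user/analyst"},
     "requestParameters": {"bucketName": "cui-records", "key": "case/2.pdf"},
     "additionalEventData": {}},  # no SSEApplied: object stored in plaintext
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::111111111111:user/analyst"},
     "resources": [{"ARN": "arn:aws-us-gov:kms:us-gov-west-1:111111111111:key/PLACEHOLDER-KEY-ID"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "203.0.113.7",  # outside the agency range
     "userIdentity": {"arn": "arn:aws-us-gov:iam::111111111111:user/analyst"},
     "resources": [{"ARN": "arn:aws-us-gov:kms:us-gov-west-1:111111111111:key/PLACEHOLDER-KEY-ID"}]},
]})

# Placeholder for the agency's approved egress range(s).
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# KMS operations that actually touch key material; management calls such
# as DescribeKey are not in scope for this rule.
KMS_DATA_OPS = {"Decrypt", "Encrypt", "GenerateDataKey",
                "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}


def _from_approved_network(ip: str) -> bool:
    """True only for a literal IP inside an approved range; service principals
    appear as DNS names in sourceIPAddress and are treated as not approved."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_NETWORKS)


def audit_records(log_text: str) -> list:
    """Return one finding dict per suspicious record, in log order."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        src, name = rec.get("eventSource"), rec.get("eventName")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if src == "s3.amazonaws.com" and name == "PutObject":
            if not rec.get("additionalEventData", {}).get("SSEApplied"):
                p = rec.get("requestParameters", {})
                findings.append({"rule": "s3-unencrypted-put", "actor": actor,
                                 "object": f"{p.get('bucketName')}/{p.get('key')}"})
        elif src == "kms.amazonaws.com" and name in KMS_DATA_OPS:
            ip = rec.get("sourceIPAddress", "")
            if not _from_approved_network(ip):
                findings.append({"rule": "kms-use-from-unapproved-network",
                                 "actor": actor, "source_ip": ip,
                                 "keys": [r["ARN"] for r in rec.get("resources", [])]})
    return findings


if __name__ == "__main__":
    for finding in audit_records(SAMPLE_LOG):
        print(json.dumps(finding))
```

Two practitioner caveats: S3 object-level calls only reach CloudTrail when data events are enabled for the bucket or trail, so the first rule is silent on a trail with management events only; and detection after the fact is the fallback, not the control. The preventive counterpart is a bucket policy that denies `s3:PutObject` unless the request carries the `x-amz-server-side-encryption` header, which is the setting the "Safeguard Sensitive Data" item is pointing at.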
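The "Strengthen Identity Management" item says access can be limited by individual, time and location and narrowed to specific API calls. As an added example (not AWS code and not part of the original page), the block below writes such a least-privilege IAM policy for a CUI bucket and implements a small subset of IAM's condition operators (Bool, StringEquals, IpAddress, DateGreaterThan, DateLessThan) so the policy can be exercised offline against sample requests. The bucket name, IP range, account ID and dates are constructed placeholders, and the evaluator covers only the operators the policy uses, not the full IAM evaluation logic.

```python
"""Least-privilege IAM policy plus a minimal offline evaluator for its
condition block. Added example; the policy values are placeholders."""
import ipaddress
from datetime import datetime
from fnmatch import fnmatchcase

# Read-only access to one CUI bucket, and only with MFA, from the agency
# network, inside a fixed date window. All values are constructed.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws-us-gov:s3:::cui-records/*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": ["10.20.0.0/16"]},
            "DateGreaterThan": {"aws:CurrentTime": "2018-06-01T00:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2018-06-30T23:59:59Z"},
        },
    }],
}


def _parse_time(s: str) -> datetime:
    # IAM uses ISO 8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _op(name: str, want, have) -> bool:
    """Evaluate one condition operator; `want` comes from the policy,
    `have` from the request context. Only the operators used above."""
    wants = want if isinstance(want, list) else [want]
    if name == "Bool":
        return str(have).lower() in [str(w).lower() for w in wants]
    if name == "StringEquals":
        return have in wants
    if name == "IpAddress":
        return any(ipaddress.ip_address(have) in ipaddress.ip_network(w) for w in wants)
    if name == "DateGreaterThan":
        return _parse_time(have) > _parse_time(wants[0])
    if name == "DateLessThan":
        return _parse_time(have) < _parse_time(wants[0])
    raise ValueError(f"unsupported condition operator: {name}")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Default deny; an explicit Deny wins; otherwise allowed if some Allow
    statement matches action, resource and every condition. A condition
    key missing from the request context makes that condition false."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conditions_met = all(
            key in context and _op(op, want, context[key])
            for op, kv in st.get("Condition", {}).items()
            for key, want in kv.items()
        )
        if not conditions_met:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def request_context(ip: str, mfa: bool, when: str) -> dict:
    """Build the request context keys the policy above conditions on."""
    return {"aws:SourceIp": ip,
            "aws:MultiFactorAuthPresent": "true" if mfa else "false",
            "aws:CurrentTime": when}


if __name__ == "__main__":
    obj = "arn:aws-us-gov:s3:::cui-records/case/1.pdf"
    ok = request_context("10.20.1.5", True, "2018-06-15T12:00:00Z")
    print("in-window, MFA, on-net GetObject:", is_allowed(POLICY, "s3:GetObject", obj, ok))
    print("same request from off-net IP:", is_allowed(POLICY, "s3:GetObject", obj,
          request_context("203.0.113.7", True, "2018-06-15T12:00:00Z")))
    print("same request, PutObject:", is_allowed(POLICY, "s3:PutObject", obj, ok))
```

The design point is that the conditions are ANDed: a federated user who is on the right network but has not presented MFA gets nothing, and the date window means a leaked credential is worthless once the engagement ends. In AWS itself the equivalent check is run with the IAM policy simulator rather than a hand-written evaluator, and `aws:SourceIp` only reflects the caller's public address unless the request arrives through a VPC endpoint, where `aws:SourceVpce` is the key to condition on instead.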
Interested in a Security Audit?
For those interested in a security audit of your AWS environment, please download the following questionnaire.