AWS GovCloud (US) for Highly Regulated Workloads | AWS Public Sector Summit 2016

Post on 22-Mar-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Chris Gile, Senior Manager, AWS Security Assurance

June 20, 2016

AWS GovCloud (US) for Highly Regulated Workloads

Security assurance programs overview

AWS GovCloud (US)

FedRAMP-Mod

SRG Level 4

FIPS 140-2

US Persons

ITAR/Export Controlled

NIST 800-171

DISA SRG L2/4

CJIS

FISMA

Connectivity (API, VPN, DX)

CJIS

Amazon EC2, Amazon S3, Amazon EBS, Amazon VPC, AWS Identity & Access Management (IAM), Amazon Redshift

Secure the cloud, with the cloud

AWS security protection and certification

Security features in the customer environment

Customer security and compliance

• Advanced security protection
• Enhanced auditability
• FedRAMP
• FISMA
• DoD RMF
• Financial reporting
• Healthcare/life sciences
• Local requirements

Amazon Inspector

AWS WAF

AWS Config Rules

Identity management

Access control

Usage auditing

Key storage

Monitoring and logs

Security assurance programs: FedRAMP

AWS GovCloud (US)

FedRAMP-Mod

FIPS 140-2

US Persons

EC2 | S3 | EBS | VPC | IAM | Amazon Redshift

Inherited:MAMPPA

FedRAMP continuous monitoring

3 AWS FedRAMP packages

AWS FedRAMP SSP template

Agency authorization requirements

https://aws.amazon.com/solutions/case-studies/finra/

https://aws.amazon.com/compliance/fedramp/

Security assurance programs: DoD SRG

AWS GovCloud (US)

SRG Level 4

FIPS 140-2

US Persons

FedRAMP continuous monitoring

AWS FedRAMP package

AWS FedRAMP SSP template

DFARS

Inherited:MAMPPA

EC2 | S3 | EBS | VPC | IAM

Agency authorization requirements

https://aws.amazon.com/government-education/defense/

https://aws.amazon.com/compliance/dod/

Security assurance programs: CJIS

AWS GovCloud (US)

FIPS 140-2

US Persons

CJIS Security Policy v5.5

CJIS Security Policy Workbook

FedRAMP Assessments

Inherited:MAMPPA

EC2 | S3 | EBS | VPC | IAM | Amazon Redshift

Agency Authorization Requirements

https://aws.amazon.com/blogs/publicsector/cjis/

CJIS

https://aws.amazon.com/compliance/cjis

IRS Pub 1075

Mandatory FTI Req’t for Cloud | Responsibility
Notification of use | Customer
Data isolation | AWS/Customer
SLA | Customer
Encryption in transit | AWS/Customer
Encryption at rest | AWS/Customer
Data deletion | AWS/Customer
Risk assessment | AWS/Customer
Security controls | AWS/Customer

http://aws.amazon.com/compliance/irs-1075/

Thank you!
