AWS re:Invent 2016: AWS GovCloud (US) for Highly Regulated Workloads (WWPS301)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Chris Gile, Sr Manager AWS Security Assurance November 28, 2016 AWS GovCloud (US) for Highly Regulated Workloads WWPS301

Upload: amazon-web-services

Post on 06-Jan-2017


TRANSCRIPT

Page 1: AWS re:Invent 2016: AWS GovCloud (US) for Highly Regulated Workloads (WWPS301)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Chris Gile, Sr Manager AWS Security Assurance

November 28, 2016

AWS GovCloud (US) for Highly Regulated Workloads

WWPS301

Page 2

Security Assurance Programs Overview

AWS GovCloud (US)

DoD CJIS

FedRAMP Moderate

FedRAMP High

SRG Impact Level 4

CUI/NIST 800-171

ITAR/Export Controlled

FIPS 140-2

FISMA

VPN Connection

API

Direct Connect

US Persons Only

IRS Pub 1075

SRG Impact Level 2

US Federal

Page 3

2016 Highlights

FedRAMP High Impact

Joint Authorization Board (JAB) Provisional Authorization

Security & Identity

Storage & Content Delivery

Networking

Compute

Analytics

Database

DOD Cloud Computing SRG Impact Level 4

Provisional Authorization

9 Services FedRAMP Authorized

*Amazon DynamoDB, Amazon EMR, Amazon RDS, & Amazon Redshift FedRAMP Moderate A-ATO

26 Agency Authorizations

www.fedramp.gov

Page 4

US Federal - FedRAMP

26 Agency Authorizations

www.fedramp.gov

“We do not need another application, we need a new experience…”

- LaVerne Council, Assistant Secretary for IT & Chief Information Officer of the Department of Veterans Affairs

Under Ms. LaVerne Council and using AWS, the team at the VA shortened their development cycle from 6 months to 3 months, reduced overhead by 80%, and consolidated onto 1 change calendar and 1 release calendar, versus the 60 previous ones.

https://www.cloudhealthtech.com/blog/what-you-missed-aws-public-sector-summit-2016

9 Services FedRAMP Authorized

FedRAMP High (JAB P-ATO)

FedRAMP Moderate (A-ATO)

Page 5

Department of Defense Authorizations

DOD CC SRG Impact Level 2

DOD CC SRG Impact Level 4

• Confidentiality of CUI

• NIST 800-171

• 14 control families, 109 requirements

• Maps to 131 NIST 800-53, Rev 4 Security Controls

https://blogs.aws.amazon.com/security/post/Tx115XWF9J5G4MM/Need-NIST-Compliance-in-the-AWS-Cloud-AWS-Compliance-Has-You-Covered-NIST-800-171

Page 6

AWS: Catalyst for Rapid Performance Optimization

20 Nodes, 50 Nodes, 100 Nodes and 200 Nodes

Page 7

State – Criminal Justice Information Systems

New CJIS Security Policy Workbook

CJIS Security Policy v5.5

US Persons

“The Oregon State Police (OSP) is pleased to announce to the Oregon CJIS community that OSP and Amazon have agreed to a security control agreement that meets every requirement of the FBI’s CJIS Security Policy. This agreement gives Oregon agencies additional hosting options that enhance security, while meeting their business requirements pertaining to Criminal Justice Information (CJI),” said Major Tom M. Worthy, CSO, Oregon State Police.

Page 8

Education

Early last year, Stanford University students, Jason Su and Apaar Sadhwani, took the Project in Mining Massive Data Sets course taught by Dr. Anand Rajaraman and Dr. Jeffrey Ullman. The course gives students practical experience in data mining and machine learning algorithms for analyzing large amounts of data. Students undertake team projects of their own design with the mentorship of professors and the cloud computing power of Amazon Web Services (AWS). AWS provided platform credits to the students and instructor as part of the curriculum.

For Apaar, AWS makes research much easier. “It is difficult to get access to large computing resources. AWS is so convenient to scale up and scale down. With AWS, we start small and it gives the institution and professors the confidence that we should be investing more.”

https://aws.amazon.com/blogs/publicsector/an-eye-on-science-how-stanford-students-turned-classwork-into-their-lifes-work/

Page 9

Financial Services

“Our goal is to enable safe innovation for government agencies, so they can take advantage of technological advances that increase operational efficiencies while protecting the critical nature of their missions, data, and applications,” said Kevin Henkener, VP of Engineering at Sipree. “AWS GovCloud (US) helps us achieve compliance in the cloud for the most secure entities in the world.”

https://globenewswire.com/news-release/2016/09/07/870142/0/en/Sipree-Deploys-on-AWS-GovCloud-US-With-FedRAMP-High-Controls.html

IRS Publication 1075

Mandatory FTI Req’t for Cloud | Responsibility
Notification of use           | Customer
Data isolation                | AWS/Customer
SLA                           | Customer
Encryption in transit         | AWS/Customer
Encryption at rest            | AWS/Customer
Data deletion                 | AWS/Customer
Risk assessment               | AWS/Customer
Security controls             | AWS/Customer

Page 10

Health Care Life Sciences

The National Institutes of Health has awarded Vibrent Health a five-year, $74 million contract to supply a technology platform for NIH to enroll and engage U.S. participants in the cohort program of the White House’s Precision Medicine Initiative.

“Vibrent Health said …it will develop, test, maintain and update the platform for the nationwide medical research effort using data hosting services from Amazon Web Services’ GovCloud region.”

http://blog.executivebiz.com/2016/07/nih-picks-vibrent-health-platform-for-national-precision-medicine-study/

Page 11

Services for 2016

Security & Identity

Storage & Content Delivery

Networking

Compute

Analytics

Database

Amazon DynamoDB

Amazon RDS

Amazon Redshift

Amazon Glacier

Amazon S3

Amazon EC2

Amazon VPC

Management Tools

AWS CloudFormation

Amazon CloudWatch

AWS CloudTrail

AWS IAM

AWS KMS

Amazon EMR

Amazon Kinesis Streams

Amazon SQS

Amazon SWF

Amazon SNS

Amazon EBS

Application Services

Page 12

Security Assurance Links

https://aws.amazon.com/compliance

https://aws.amazon.com/security

https://aws.amazon.com/compliance/fedramp

https://aws.amazon.com/compliance/dod

https://aws.amazon.com/compliance/resources

https://aws.amazon.com/govcloud-us

https://aws.amazon.com/documentation

[email protected]

https://aws.amazon.com/compliance

https://aws.amazon.com/professional-services/enterprise-accelerators/compliance-jumpstart/

Page 13

Thank you!

Page 14

Remember to complete your evaluations!