Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).

1. Practical Federal Compliance Strategies
and Examples
Chad Woolf, AWS Compliance Officer

2. Researcher Perspective
“In 2011, we got real proof that the providers are at least
doing their part [toward addressing security]. The leading
cloud providers earned key certifications (ISO 27001,
20001, PCI-DSS, and FISMA), and nearly all provided
strong transparency to their operational practices. We also
saw the leading clouds land local data centers in Europe
and Asia while validating the proper handling of in-country
data. And for the most part we saw enterprise customers
awaken responsibilities for securing their use of clouds.
There’s much progress to be made, but the excuses for not
leaving the starting gate are no more.”
Master 10 Trends For Your Cloud Journey
Forrester Research, Inc., May 10, 2012

3. 3
Today’s Topics
Discuss compliance in general and how it relates
to business objectives
Discuss three methods of using compliance
mechanisms to respond to business objectives
Address the different ways and methods to be
compliant on AWS
Use cases – FISMA, ITAR

4. 4
Compliance and Security
Being compliant is related to but not always the
same thing as being secure (and vice versa)
Security focus: protecting information and
systems (44 U.S.C. §3542)
Compliance focus: the demonstration of
adherence to policies, procedures, published
standards, or other mandates (security related or
otherwise)

5. Compliance Simplified
Business
Objective
Tracking of Activities
those that drive
activities the objective

6. 6
Key Concept: Shared Responsibility
Moving IT infrastructure to AWS services creates a
model of shared responsibility between the customer
and AWS
Moving to AWS can relieve burden as AWS operates,
manages and controls the components from the host
operating system and virtualization layer down to the
physical security
The customer assumes responsibility and
management of the guest OS and the configuration of
the AWS-provided security group firewall
Understanding this thoroughly streamlines compliance
efforts

7. We’re In This Together: Shared
Software
Responsibility
Firewalls/IDS/AV
Application
Customer Control &
Customer Responsibility
Data
Guest Operating System
Hypervisor
AWS Control &
Hardware
AWS Responsibility
Physical Infrastructure

8. In Practice: Compliance with
Security Standards

9. 9
Info Security Compliance Strategy
Achieving information security compliance can be
done:
 In a detailed way (looking at individual controls)
 In a general way (looking at an entire control
environment, including subjective factors)
When working with service providers, you also have
options:
 Require service provider to publish specific controls, with
pass/fail audits
 Require service providers to adhere to a broad standard,
and rely on a process or security certification

10. 10
Examples of detailed vs. general validation
General validation: ISO 27001
Detailed validation: SSAE 16/SOC1 (formerly SAS70)
FISMA can be either (discussed next)

11. 11
Use Case: FISMA
Federal Information Security Management Act
Requires each federal agency to develop, document,
and implement an agency-wide information security
program for the data and information systems that
support the agency, including those provided or
managed by another agency, contractor, or other
source.
NIST is responsible for developing standards,
guidelines, and associated methods and techniques
for providing adequate information security

12. Use Case: FISMA • Properly manage
information assets
• Comply with
Business information security
Objective legislation
Validate that you and
your service providers
are performing the Secure your
required activities environment in
Tracking of Activities conformity with the
those that drive law, including that part
activities the objective of the environment
managed by service
providers

13. 13
FISMA – Which Strategy to Use?
Security compliance strategy options:
 In a detailed way (looking at individual controls)
 In a general way (looking at an entire control
environment, including subjective factors)
Agency/entity strategy differences are centered
around:
 internal security requirements
 historical practices
 varied levels of focus of security elements and
requirements
 comfort on how reasonable assurance is obtained
yrbyd

14. 14
FISMA – GSA BPA
AWS and reseller URS-Apptis was awarded an IaaS
blanket purchase agreement (BPA) from the GSA
GSA-Associated agencies can now use AWS with low
accreditation effort
 ATO covers anything procured through the BPA
 Complexity of agency systems may require a deep dive
in the documentation

15. 15
Leveraging GSA BPA vs.
Sponsoring an ATO
Leverage Effort
Greater
Review the ATO docs
Less Review pending actions
(POA&M)
Review assessment report
(SAR)
Review System Security Plan
(SSP)
Review test cases
Less Integrate agency/AWS SSPs
Greater Pursue an independent
(unleveraged) agency ATO

16. Example: CDC BioSense
Centers for Disease Control and Prevention’s (CDC) BioSense
Program is designed to establish an integrated system of
nationwide biosurveillance for early detection and prompt
assessment of potential bioterrorism-related illness
 Approved: BioSense 2.0, was accredited and approved to operate on
at FISMA-Moderate by the CDC
 Backed up: BioSense 2.0 system information is backed-up by system
administrators on a nightly basis and is reviewed on a monthly basis
for completeness and correctness.
 Durable: The Amazon S3 storage infrastructure employs multiple
copies of data to ensure it can be recovered if necessary.
 Secure: The BioSense 2 partitioned storage architecture makes use of
AWS native infrastructure protections and authentication mechanisms
are used to ensure that data is kept secure from unauthorized access.

17. Example: Consumer Financial Protection
Bureau
CFPB’s mission is to make markets for consumer financial
products and services work for Americans by educating, enforcing
and analyzing information. Consumer Bureau ensures that
consumers get the information they need to make the financial
decisions best for themselves and their families.
Summary:
 Currently using Office of the Thrift Supervision data center which has
combined with Office of the Comptroller of the Currency within the
Department of Treasury.
 CFPB is using AWS by Shared Service through the Department of
Treasury’s SharePoint environment for their website.
 They have gone through the SSP read (3 full days in June) and have
had a 3rd party independent assessor to review their internal C&A.
 They are currently in the final stages of penetration testing and
analyzing the results. They will be finished within weeks and planning
to issue the ATO soon after.

18. Example: DoD and DIACAP
An Air Force customer received a DIACAP MAC III ATO in
early April for 3 years
ATO was based on reviewing the SSP, mapping to DIACAP
requirements
AWS has multiple DoD customers who are in various stages
of the DIACAP accreditation process

19. Use case: ITAR
ITAR-International Traffic in Arms Regulations
Prohibits the unlicensed export of defense articles,
defense services, and related technical data
A non-US person accessing data is an “export”
A company managing ITAR articles and data must
ensure US-person only access, end-to-end

20. Use case: ITAR – AWS GovCloud (US)
AWS GovCloud (US) provides a region restricted to US
persons only
Allows customers to store and process ITAR-restricted
data
Compliance efforts focus on security restrictions over
GovCloud (US) resources
AWS completed a comprehensive audit over US-
persons access; publishes a letter of attestation
Compliance greatly simplified for an entity: no need
for separate audits of AWS, reduces compliance scope

21. FISMA Compliance – Today
FISMA –
 AWS has customers operating in our environment under
FISMA-Low & Moderate
 Agencies may engage with AWS directly
GSA IaaS BPA
 Customers can purchase through the BPA now for U.S.
East & West regions
 3-year ATO was issued to Apptis/AWS in April 2012
 Compliance documentation can be requested through
the GSA

22. FISMA Compliance – Soon
Federal Risk and Authorization Management Program
(FedRAMP)
 A standard approach to assessing and authorizing cloud
computing services/products
 FedRAMP started accepting applications in June
 AWS GovCloud compliance package currently under
review by FedRAMP
 GovCloud 3PAO assessment underway

23. FedRAMP – Opportunities, Challenges
Strongest value propositions: Leveragability, speed to
ATO
Aspects to be determined
 Actual FedRAMP PATO process
 100% compliance / compensating controls
 Agency ATOs: what is the process for Agencies
 Agency-specific controls
 Protection of CSP information
 Continuous Monitoring: Automatic data feeds (what
data, how to deliver, applicability to customer, ability to
interpret)
 TIC monitoring requirements

24. 24
Takeaways
Compliance validation strategies vary
A broad ATO, like the GSA blanket agreement,
can simplify compliance efforts
FISMA Moderate: compliance is a reality today
ITAR: another example of AWS reducing
operational compliance effort for agencies
FedRAMP is designed to simplify, streamline

25. Thank You!!
Chad Woolf
cwoolf@amazon.com