Government Cloud Solutions
stackArmor is certified Public Sector and AWS GovCloud competency partner with FISMA and FedRAMP Security Authorization and Accreditation (SA&A) experience with multiple US Federal, State & Local and Global Public Sector customers. The US Federal Government has announced the availability of Commercial Cloud Services that meet the FedRAMP High Baseline Requirements. Previously, the FedRAMP authorization process was only designed for low and moderate impact systems; however, with the introduction of a high baseline, even more federal agencies with sensitive data concerns can leverage cost-efficient cloud services from major commercial cloud providers such as Amazon Web Services (AWS) amongst others. The FedRAMP Joint Authorization Board (JAB), comprised of the CIOs of GSA, the Department of Defense, and Department of Homeland Security, have provisionally authorized Amazon Web Services GovCloud Region for FedRAMP High applications. The new FedRAMP High baseline applies to non-classified technology systems under the Federal Information Security Management Act (FISMA), with “High” characterized as if the loss of confidentiality, integrity, or availability of that data could be expected to have a severe or catastrophic effect on organizational operations, assets, or individuals. For example, these more sensitive workloads may include sensitive patient records, financial data, or law enforcement data.
The FedRAMP High authorization applies to the AWS GovCloud (US) Region, including Amazon Elastic Cloud Compute (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3),Amazon Identity and Access Management (IAM), and Amazon Elastic Block Store (EBS). Launched in 2011, the AWS GovCloud (US) is an exclusive region designed to host sensitive workloads in the cloud for government customers. In addition to FedRAMP, AWS GovCloud (US) adheres to U.S. International Traffic in Arms Regulations (ITAR), Criminal Justice Information Services (CJIS) requirements, as well as Levels 2 and 4 for DoD systems.
The certified AWS Solution Architects and Information Assurance Experts at stackArmor have assisted large US Federal Agencies and clients design and implement FedRAMP compliant hosting solutions that comply with the following security requirements and standards:
- National Institute of Standards and Technology (NIST) SP 800-53
- NIST SP 800-171
- The OMB Trusted Internet Connection (TIC) Initiative – FedRAMP Overlay (pilot)
- The DoD Cloud Computing Security Requirements Guide (SRG)
NIST SP 800-53 security controls are generally applicable to Federal Information Systems, “…operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.” These are typically systems that must go through a formal assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems, based on the security category and impact level of the system (low, moderate, or high), and a risk determination. Security controls are selected from the NIST SP 800-53 Security Control Catalog, and the system is assessed against those security control requirements.
NIST SP 800-171 is generally applicable to Nonfederal Information Systems that store or process federal Controlled Unclassified Information (CUI), but must appropriately protect the confidentiality of the CUI data in accordance with CUI Federal Acquisition Regulation (FAR). These are typically businesses, educational institutions, and research organizations that legitimately store and process federal CUI on their own systems. NIST SP 800-171 and DFARS requires DOD and US Federal contractors and sub-contractors to meet 110 security controls. FedRAMP Moderate accredited cloud services can help accelerate compliance requirements at a reduced cost. Click here to learn more and download our Free eBook.
The OMB Trusted Internet Connection (TIC) Initiative is designed to reduce the number of United States Government (USG) network boundary connections, including Internet points of presence (POPs), to optimize federal network services, and improve cyber protection, detection, and response capabilities. In its current form, a TIC-compliant architecture precludes direct access to applications running in the cloud. However, the TIC program recently proposed a draft Federal Risk and Authorization Management Program (FedRAMP)–TIC Overlay that provides a mapping of NIST SP 800-53 security controls to the required TIC capabilities. In May 2015, GSA and DHS invited AWS to participate in a FedRAMP–TIC Overlay pilot. The purpose of the pilot was to determine whether the proposed TIC overlay on the FedRAMP moderate security control baseline was achievable. In collaboration with GSA and DHS, AWS assessed how remote agency users could use the TIC overlay to access cloud-based resources, and whether existing AWS capabilities would allow an agency to enforce TIC capabilities.
The DoD Cloud Computing Security Requirements Guide (SRG) provides security requirements and guidance for the use of cloud services by DoD mission owners. It provides security controls implementation guidance for cloud service providers (CSPs) that wish to have their cloud service offerings (CSOs) accredited for use by DoD components and mission owners. In August 2014, AWS became one of the first CSPs to be granted a Provisional Authorization to Operate (P-ATO) to store and process DoD Impact Level 4 data. DoD mission owners that operate their workloads on AWS can use our P-ATO as part of the supporting documentation that their authorizing official (AO) uses to grant the workload a system Authorization to Operate (ATO).
The engineers at stackArmor have designed AWS GovCloud solutions for security focused US Federal and DOD customers and incorporate the following components and features:
- AWS Identity and Access Management (IAM) configuration with custom (IAM) policies, with associated groups, roles, and instance profiles
- Network segregation with external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database
- Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data
- Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack
- Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with customer application
- A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities
- Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database
- Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules
- Host-based protection to include preventing, monitoring, logging, and alerting for anti-malware, web reputation, file integrity, IPS/IDS, and host firewall
The diagram below provides an overview of a standard three-tier web architecture depicting integration with multiple VPCs.
You can download the NIST 800-53 Security Controls Mapping Excel workbook from AWS site by going to https://s3.amazonaws.com/quickstart-reference/enterprise-accelerator/nistv2/latest/docs/NIST-800-53-Security-Controls-Mapping.xlsx
Are you interested in a Free consultation with a stackArmor Solutions Architect on how you take advantage of the FedRAMP High Baseline on AWS GovCloud? We can help review your workload requirements, and also assist with your A&A package preparation including the SSP, and associated document. Contact us by sending us an email at solutions at stackarmor.com or fill our contact us form .