Compliance
AWS GovCloud (US) gives government customers and their partners the flexibility to architect secure cloud solutions that comply with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.
FedRAMP
The US Federal Government is dedicated to delivering its services to the American
people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays
a key part in how the federal government can achieve operational efficiencies and
innovate on demand to advance its mission across the nation. That is why many federal
agencies today are using AWS cloud services to process, store, and transmit federal
government data. For more information, see https://aws.amazon.com/compliance/fedramp
DoD CC SRG
A growing number of military customers are adopting AWS services to process,
store, and transmit US Department of Defense (DoD) data. AWS enables defense
organizations and their business associates to create secure environments to
process, maintain, and store DoD data. For more information, see https://aws.amazon.com/compliance/dod
CMMC
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber
protection standards for companies in the Defense Industrial Base (DIB). It is designed to protect sensitive
unclassified information that is shared by the DoD with its contractors and
subcontractors. The program incorporates a set of cybersecurity requirements into
acquisition programs and provides the DoD increased assurance that contractors and
subcontractors are meeting these requirements. For more information, see https://aws.amazon.com/compliance/cmmc
ITAR
AWS GovCloud (US) supports compliance with United States International Traffic in
Arms Regulations (ITAR). As a part of managing a comprehensive ITAR compliance
program, companies that are subject to ITAR export regulations must control
unintended exports by restricting access to protected data to US Persons, and by
restricting physical location of protected data to the US. AWS GovCloud (US)
provides an environment that is physically located in the US, and access by AWS
personnel is limited to US Persons, thereby allowing qualified companies to use AWS
to transmit, process, and store protected articles and data subject to ITAR
restrictions. For more information, see https://aws.amazon.com/compliance/itar
CJIS
The CJIS Security Policy
IRS 1075
Internal Revenue Service Publication 1075 (IRS Pub 1075) provides guidance for US
government agencies and their agents to protect Federal Tax Information (FTI). While
the IRS does not publish an official designation or certification for compliance
with Pub 1075, AWS helps organizations protect FTI managed in AWS by aligning
our implementations of NIST 800-53 and FedRAMP security controls with the respective
IRS Pub 1075 security requirements. For more information, see https://aws.amazon.com/compliance/irs-1075
FIPS
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US and
Canadian government standard that specifies the security requirements for
cryptographic modules that protect sensitive information. For more information, see
https://aws.amazon.com/compliance/fips
ATO on AWS
The Authority to Operate (ATO) on AWS Program helps AWS Partners meet their
customers’ authorization needs, whether it be architecting, configuring, deploying, or
integrating tools and controls. AWS supports businesses globally that need to meet
security, privacy, and compliance requirements for healthcare, privacy, national
security, and financial sectors. ATO on AWS supports workloads for government
organizations subject to frameworks such as FedRAMP, FISMA, the RMF, and CMMC in the U.S. For more
information, see https://aws.amazon.com/partners/programs/ato