Overview - Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US)


The Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) solution enables you to quickly deploy a secure, scalable, multi-account environment in AWS GovCloud (US) based on AWS best practices. This solution is architected to follow the Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) for hosting Impact Level (IL) 4 and 5 workloads in the cloud. Using this solution, you can quickly deploy an architecture baseline that accommodates U.S. federal and Department of Defense (DoD) requirements to rapidly achieve Authority to Operate (ATO).

In addition to U.S. federal and DoD customers, this solution is also architected to support defense industrial base customers to achieve Cybersecurity Maturity Model Certification (CMMC) readiness. For more information about CMMC, refer to the Compliance section of this guide.

This guide provides instructions to aid in the preparation and deployment of the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) solution. Due to the large number of design choices, setting up a multi-account environment can take a significant amount of time and require a deep understanding of AWS services. This solution helps you by automating and accelerating the setup of an initial cloud environment, suitable for hosting these secure workloads.

This solution also provides the following:

  • complementary functionality, including tenant account creation and management

  • identity and access management

  • data security and governance

  • core networking

  • centralized logging


This solution will not, by itself, make you DoD CC SRG or CMMC compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated. The information contained in this solution implementation guide is not exhaustive. You must review, evaluate, assess, and approve the solution in compliance with your organization’s particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to ensure that you comply with all requirements. Most of the requirements under the DoD CC SRG or CMMC are administrative and not technical (that is, people- and process-oriented). Although this solution discusses both the technical and administrative requirements, this solution does not help you comply with the non-technical administrative requirements.