DoD FedRAMP Equivalency on AWS (GSC221)

Title: AWS re:Inforce 2024 - DoD FedRAMP Equivalency on AWS (GSC221)

Insights:

  • The session was led by Tim Sanage, a senior manager with AWS's Global Security and Compliance Acceleration Program, which helps partners achieve compliance and security certifications quickly across various industries and regions.
  • The program was originally named "ATO on AWS" but was rebranded to avoid confusion in international markets.
  • The focus of the session was on the first FedRAMP equivalency achieved by SecureIT and Prevail, an encrypted email service provider.
  • FedRAMP equivalency is particularly significant for cloud service providers and involves stringent requirements, including having no findings during audits.
  • The certification process for FedRAMP equivalency is more rigorous than that of other standards such as NIST 853, since it requires external approval from a certifying official.
  • The program aims to support partners through end-to-end solutions, including marketplace listings and bundled services that combine consulting, technology, and audit partners.
  • SecureIT, a founding partner of the program, specializes in FedRAMP audits and CMMC 171-type alignments, while Prevail focuses on encrypted email and file sharing.
  • The session highlighted the importance of having vetted and capable partners to help customers navigate complex compliance landscapes.
  • AWS has developed various resources, including compliance bundles and customer compliance guides, to assist partners and customers in achieving their compliance goals.
  • The program includes an intake process to qualify and align partners with the right resources and support, tailored to their specific compliance needs.
  • AWS continues to iterate and expand its compliance resources, including new services related to AI and data privacy, to keep up with evolving regulations and customer needs.
  • The session concluded with a mention of available resources, including websites, partner pages, and a YouTube channel with educational videos and case studies.

Quotes:

  • "We cover all different industries, financial, public sector, commercial, and so forth. And we cover all over the globe."
  • "This was really the first one that we could actually get a semi, if not a formal certification out of."
  • "You really can't have any findings, you know what I mean? That was one of the surprising things."
  • "This is really focused on cloud service providers, whereas if you're a defense industrial-based contractor, then it's 171 or CMMC or what have you."
  • "We actually do a lot of end-to-end bundles where we help partners and customers get marketplace listings and list their services end-to-end."
  • "It takes about 10 years for things to go into place. So you think about where the 171 services came out of. That was back in the Obama administration."
  • "We have a good group of vetted partners that can help through these different certifications and so forth."
  • "We continue to iterate those so that we're adding them not only for net new compliance frameworks but as new services come out."
  • "We put a lot of those five, 10 minute videos up there about what are some of our services and capabilities? What are some of our partners' services and capabilities?"
  • "One of the key things is turning a lot of our success into case studies."