On May 20, 2023, the Federal Risk and Authorization Management Program (FedRAMP) released the FedRAMP Rev. 5 baselines. The FedRAMP baselines were updated to correspond with the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-53 Rev. 5 Catalog of Security and Privacy Controls for Information Systems and Organizations and SP 800-53B Control Baselines for Information Systems and Organizations. AWS is transitioning to the updated security requirements and assisting customers by making new resources available (more information on these resources below). AWS security and compliance teams are analyzing both the FedRAMP baselines and templates, along with the NIST 800-53 Rev. 5 requirements, to help ensure a seamless transition. This post details the high-level milestones for the transition of AWS GovCloud (US) and AWS US East/West FedRAMP-authorized Regions and lists new resources available to customers.
Background
The NIST 800-53 framework is an information security standard that sets forth minimum requirements for federal information systems. In 2020, NIST released Rev. 5 of the framework with new control requirements related to privacy and supply chain risk management, among other enhancements, to improve security standards for industry partners and government agencies. The Federal Information Security Modernization Act (FISMA) of 2014 is a law requiring the implementation of information security policies for federal Executive Branch civilian agencies and contractors. FedRAMP is a government-wide program that promotes the adoption of secure cloud service offerings across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. Both FISMA and FedRAMP adhere to the NIST SP 800-53 framework to define security control baselines that are applicable to AWS and its agency customers.
Key milestones and deliverables
The timeline for AWS to transition to FedRAMP Rev. 5 baselines will be predicated on transition guidance and requirements issued by the FedRAMP Program Management Office (PMO), our third-party assessment (3PAO) schedule, and the FedRAMP Provisional Authorization to Operate (P-ATO) authorization date. Below you will find a list of key documents to help customers get started with Rev. 5 on AWS, as well as timelines for the AWS preliminary authorization schedule.
Key Rev. 5 AWS documents for customers:
AWS FedRAMP Rev5 Customer Responsibility Matrix (CRM) – Made available on AWS Artifact September 1, 2023 (attachment within the AWS FedRAMP Customer Package).
AWS Customer Compliance Guides (CCG) V2 – AWS Customer Compliance Guides are now available on AWS Artifact. CCGs are mapped to NIST 800-53 Rev. 5 and 9 additional compliance frameworks.
AWS GovCloud (US) authorization timeline:
3PAO Rev. 5 annual assessment: January 2024–April 2024
Estimated 2024 Rev. 5 P-ATO letter delivery: Q4 2024
AWS US East/West commercial authorization timeline:
3PAO Rev. 5 annual assessment: March 2024–June 2024
Estimated 2024 Rev. 5 P-ATO letter delivery: Q4 2024
The AWS transition to FedRAMP Rev. 5 baselines will be completed in accordance with regulatory requirements as defined in our existing FedRAMP P-ATO letter, according to the FedRAMP Transition Guidance. Note that FedRAMP P-ATO letters and Defense Information Systems Agency (DISA) Provisional Authorization (PA) letters for AWS are considered active through the transition to NIST SP 800-53 Rev. 5. This includes through the 2024 annual assessments of AWS GovCloud (US) and AWS US East/West Regions. The P-ATO letters for each Region are expected to be delivered between Q3 and Q4 of 2024. Supporting documentation required for FedRAMP authorization will be made available to U.S. Government agencies and stakeholders in 2024 on a rolling basis and based on the timeline and conclusion of 3PAO assessments.
How to contact us
For questions about the AWS transition to the FedRAMP Rev. 5 baselines, AWS and its services, or for compliance questions, contact aws-compliance-fedramp@amazon.com.
To learn more about AWS compliance programs, see the AWS Compliance Programs page. For more information about the FedRAMP project, see the FedRAMP website.