AWS Partner Network (APN) Blog
Authority to Operate on AWS Program Helps Public Sector Partners Accelerate Security and Compliance for Customers
By Tim Sandage, Senior Security Partner Strategist at AWS
Security and compliance are primary considerations for many Amazon Web Services (AWS) customers as they begin their cloud journey. Public sector customers, in particular, face obstacles and challenges using commercially available solutions that may not have an Authority to Operate (ATO).
To help customers overcome these obstacles, we are excited to announce the Authority to Operate on AWS program that provides resources to solution providers who need assistance pursuing a compliance authorization, including:
- Federal Risk and Authorization Management Program (FedRAMP)
- Defense Federal Acquisition Regulation Supplement (DFARS)
- Payment Card Industry Data Security Standard (PCI DSS)
- Criminal Justice Information Services (CJIS)
- Many other compliance programs
Solution providers running on AWS may encounter additional difficulties achieving an ATO: the process itself is complex, there are technological barriers, the time frame from start to finish is uncertain, and expectations of cost are unclear.
These challenges can become an unintended barrier to entry and limit how well public sector customers can execute their mission, because the breadth of solutions available to them is not on par with what companies operating in the commercial sector can choose from.
The ATO on AWS program connects customers to validated AWS Partner Network (APN) Partners who are members of the AWS Public Sector Partner Program.
Learn more about the Authority to Operate on AWS program.
Program Benefits for AWS Customers
Authority to Operate on AWS helps solution providers running on AWS accelerate the security and compliance authorization process, reducing the time and cost of obtaining an ATO from their customers, which programs such as FedRAMP and CJIS require before a system may be used in production.
The program provides resources to help solution providers build, implement, and optimize DevOps, SecOps, Continuous Integration and Continuous Delivery (CI/CD), and Continuous Risk Treatment (CRT) strategies and processes for their organization. It also provides access to managed solutions that minimize the work required to achieve such authorizations.
The ATO on AWS program consists of:
- Community of validated APN Consulting Partners and solutions from APN Technology Partners that are proven to be effective in helping solution providers meet and maintain regulatory compliance requirements. These organizations must meet the qualifications defined by the program and are verified by AWS program administrators.
- Community-developed and verified resources, templates, tools, and guidance that help simplify the development of compliant infrastructure, provide a more consistent operating environment, and reduce the time and costs of achieving and maintaining a compliant infrastructure.
- Support and guidance from highly-qualified AWS security and compliance strategists.
Program Requirements for APN Partners
APN Consulting Partners must be at the Select tier or above and be a member of the AWS Public Sector Partner Program with two (2) public sector practice customer references that are specific to completed ATO projects resulting in a customer certification or accreditation.
APN Technology Partner solutions must have two (2) AWS case studies specific to the single ATO on AWS solution under review. These solutions must:
- Be an ATO on AWS solution that targets one or more of the primary steps in achieving compliance through automation: product design, production design, production, and operations.
- Follow AWS best practices as defined in the AWS Well-Architected Framework.
- Be clearly differentiated from existing solutions built by APN Partners.
Customer Success Stories
Here are some success stories showing how ATO on AWS has accelerated AWS customers through the compliance process on AWS.
SmartSheet
- Solution Provider: SmartSheet is a cloud-based collaboration software company seeking FedRAMP authorization.
- ATO on AWS Partner: Anitian, a security intelligence and compliance automation (CA) firm.
- Program Resources Leveraged: Anitian used many APN Partner solutions available through the ATO on AWS program, including GitHub, CIS, Yubico, Trend Micro, Puppet, Saint, and Barracuda. Anitian also collaborated with APN Consulting Partners Kratos for security documentation, and Coalfire as the FedRAMP 3PAO (Third-Party Assessment Organization).
- Outcomes: SmartSheet deployed a new workload in AWS GovCloud (US), developed a FedRAMP authorization package, and successfully navigated a formal third-party FedRAMP assessment, all in less than 90 days.
Innovest Systems
- Solution Provider: Innovest Systems, LLC is a financial technology company seeking FedRAMP authorization.
- ATO on AWS Partners: Coalfire, a cyber-risk management and compliance services organization; Schellman & Company, an independent third-party assessment organization.
- Program Resources Leveraged: In addition to their consulting and engineering expertise, Coalfire leveraged both the AWS Security Automation and Orchestration (SAO) framework and technical solutions from several APN Technology Partners such as Palo Alto Networks, Splunk, GitHub, Trend Micro, and Puppet, to deploy preconfigured and FedRAMP compliant HashiCorp Terraform configurations to AWS GovCloud (US). Coalfire authored all of the requisite FedRAMP security documentation, while Schellman & Company completed the FedRAMP assessment in sync with the deployment.
- Outcomes: Innovest deployed their workload to AWS GovCloud (US) and achieved a FedRAMP Authorization to Operate (ATO) in under 10 months.
RedFlex
- Solution Provider: RedFlex is a developer of Intelligent Transport Systems (ITS) solutions and services.
- ATO on AWS Partner: Anitian, a security intelligence and compliance automation (CA) firm.
- Program Resources Leveraged: In collaboration with the ATO on AWS team, Anitian leveraged their own CA tool and Allgress’ compliance vision tool to deploy an automated, “audit ready” Criminal Justice Information Services Division (CJIS) security policy (version 5.7) architecture in AWS GovCloud (US), including documentation. This deployment leveraged a number of technical solutions from APN Partners, such as Trend Micro, Center for Internet Security (CIS), Puppet, GitHub, Allgress, Barracuda, Yubico, and Saint.
- Outcomes: The deployment of the RedFlex solution was completed within 30 days and is currently under assessment and awaiting migration of customer data to the environment.
Team Up with an ATO on AWS Partner
We are launching the Authority to Operate on AWS program with an established community of 24 APN Partners that can help customers with security and compliance:
- Allgress
- Anitian
- Barracuda Networks
- Center for Internet Security (CIS)
- CloudCheckr
- CloudHesive
- Coalfire
- ComplyUp
- Duo Security
- GitHub
- HashiCorp
- JHC Technology, Inc.
- Kratos Technology & Training Solutions
- McAfee
- Quzara
- Red Hat
- SAINT Corporation
- Schellman & Company
- Smartronix
- stackArmor
- Telos Corporation
- Trend Micro
- Yubico
- Zscaler
These validated APN Partners have demonstrated their expertise, suitability, and capability in helping customers achieve and maintain regulatory compliance requirements. They are committed to building the community resources and programs that assist all AWS customers and fellow APN Partners in meeting their compliance goals.
Get Started on Your Path to ATO
Solution providers interested in achieving a compliance authorization should visit the ATO on AWS website, or contact ATOonAWS@amazon.com for more information.
We are actively seeking more APN Partners to continue to expand this community and the resources available to customers in regulatory markets. If you are interested in joining us, please contact ATOonAWS@amazon.com.