Summit 7 Team Blogs

Compliance Decisions – Platforms (Part 2): Does Amazon Web Services (AWS) Meet DFARS, NIST and ITAR Security Requirements?

I have worked with over 150 Aerospace and Defense contractors during the last three years in an effort to help them improve their security and compliance posture in the face of increasing government regulatory requirements, such as DFARS 252-204.7012 and the new Cybersecurity Maturity Model Certification (CMMC). These organizations must defend against continual attempts to compromise their systems and gain access to the CUI / CDI / ITAR content that they maintain. 

As part of that experience, I have researched and documented many different platforms to help customers get the most from their implementations and achieve their goals with the most comprehensive and cost-effective technology possible. These platforms range from traditional on-premises architectures to the various cloud platforms like Office 365, Google G Suite, Microsoft Azure and Amazon Web Services.

This is the second of three blogs (the first) which will breakdown common platforms and what they offer in terms of security and compliance features.  Feel free to check out my previous blogs on building security and compliance solutions using Microsoft Office 365, Office 365 Government Community Cloud and Azure Gov.

Typically, one of the first discussions I have with customers is about their current system or platform and what the process entails to become DFARS 252.204-7012 and NIST 800-171 compliant on that respective platform. A thorough evaluation often reveals surprising vulnerabilities, which typically leads to a change in platform and/or infrastructure. Below is a quick look at Amazon/AWS and how it performs against the technical requirements of federal regulations such as DFARS, NIST 800-171, and ITAR.

Geography/Data Centers and DFARS 7012 Requirements

DoD contracts require compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.  To summarize, DFARS specifically strives to protect  24 categories of CUI data by ensuring compliance with cloud computing standards (FedRAMP Moderate), security controls (NIST 800-171) and cyber incident reporting for CUI data associated with government contracts. AWS Gov Cloud offerings meet FedRAMP High standards and can be configured to NIST 800-171, though some security products lack maturity - such as labeling of information and documents. Some of these shortcomings would require third-party security tools - adding cost and complexity.

On another front, DFARS paragraphs C-G define the cyber incident reporting requirements, and AWS can meet these requirements unlike Google's cloud offerings. AWS Gov Cloud has the ability to properly report incidents to the government with detailed information including a forensic image of the breached system. It is important to clarify that the AWS US, or commercial IaaS and PaaS, will not be able to respond to government requests for data in case of an incident. Only the Gov Cloud offerings meet this requirement, much like Microsoft's Azure Commercial and Azure Government offerings.

Content, Collaboration, and Communication Applications are After Thoughts

Let's start with mail and modern communication. Amazon WorkMail is a commercial email platform service that is hosted on a public cloud and only provides a web client. Some of the selling points for WorkMail found on the product page:

  1. Compatible with Microsoft Outlook
  2. Integration with your existing Microsoft Active Directory
  3. Interoperability with Microsoft Exchange Server
  4. Ability to synchronize mailboxes with Windows Phone devices... Windows Phone devices

The offering is practically held together by a glue of Microsoft products. Amazon offers encryption services; however, there is no native data loss prevention or equivalent tool to stop the flow of CUI or ITAR data to external sources via email.

Then there's Amazon Chime. The product has no native functionality or additional Amazon-provided security offering to stop the flow of CUI or ITAR data. In addition, the mobile application is under supported, underutilized, and requires a third party Mobile Application Management product to control it from a security standpoint.

Apple App Store Reviews... 

Amazon Chime Reviews

Amazon does not offer a team collaboration or communication suite to rival Slack and Microsoft Teams. Regardless, there is no way for your users to communicate and collaborate around CUI or ITAR data on Amazon's email/chat offerings without the use of third party security products. Amazon's CloudTrail can shore up some of the monitoring, auditing, logging, and incident response elements of NIST 800-171 for email activity; yet, not every control can be satisfied. Last and most importantly - Chime, WorkMail, and WorkDocs are not available in AWS GovCloud and do not have FedRAMP Moderate or High certifications.

Identity Management and Security Products

AWS does not have its own Identity Management solution like Microsoft's Azure Active Directory. To be fair, AWS does have Directory Services and Identity Federation. However, these services rely Microsoft's Active Directory product to function. Additionally, AWS does not have a native Multi-factor Authentication application and relies on Google, Authy and Microsoft for authentication apps - with the former two not being compliant with DFARS 7012. AWS also does not currently support SMS for MFA. Therefore, if an organization decides to  go the route of AWS, they would need to use a third-party hardware device for MFA or a third-party app.

On the brighter side, many of the AWS security products are self sustaining and assist in meeting NIST 800-171. For example, Amazon GuardDuty serves as an Advanced Threat Protection (ATP) to detect anomalies and send alerts in the event of an attack. Amazon Macie functions similarly to Azure Information Protection (AIP) to manually or automatically label sensitive data and documents in your environment. Yet, certain critical elements are missing. AWS, for example, does not have a Mobile Device Management (MDM) or Mobile Application Management (MAM) offering to manage the access and flow of CUI on mobile devices. This gap would require the purchase of yet another third party security tool.

Thoughts and Risks to Consider 

AWS serves as a great IaaS solution, and is one of the strongest players in the cloud market for commercial businesses. However, the lack of native and mature security solutions will force Aerospace and Defense companies needing to meet DFARS 252.204-7012 and NIST 800-171 to take on more risk and complexity with third-party tools. Adding to this complexity is the need to give your enterprise the tools users need to communicate and collaborate efficiently. With AWS, your organization will likely need to look to third-party solutions, and these solutions will likely have their own issues meeting DFARS and NIST.

Bottom line: You can meet compliance requirements by building and maintaining your information systems with AWS GovCloud, but you will need third party tools to shore up several deficiencies in the platform - adding risk and complexity.

If you're looking to build an information system that will handle CUI and export controlled content on a solely IaaS and PaaS environment, then AWS can be a great solution. However, if you are looking for a fully integrated SaaS, IaaS, and PaaS solution for your information system - you may want to take a deeper look at Microsoft's Government Cloud offerings that include Office 365 GCC High and Azure Government as an integrated solution.


Subscribe Here!

Recent Posts

Posts by Topic

see all