How and Why to Leverage AWS GovCloud for Compliance and Regulation
Generally speaking, GovCloud is not the most well-known service on AWS. But if you work for, or do business with, a U.S. government agency, GovCloud is an essential resource. This post explains how GovCloud works and how your business can leverage it.
GovCloud is an isolated region of Amazon Web Services (AWS) that is in compliance with U.S. government security requirements. If you are a U.S. government agency, do business with one in a way that requires you to be in compliance with federal security or other regulations, or if you are in an industry that is subject to federal regulations, GovCloud can help you to more easily meet your compliance needs.
What GovCloud Offers
Before we take a look at the compliance and regulations side of GovCloud, it is important to understand what GovCloud offers from a technical point of view. AWS GovCloud offers all of the major enterprise-level features which AWS offers in a non-governmental setting. These include major backend and office applications, high-volume database and storage features, performance-oriented services, and a wide range of options for developing and deploying your own applications.
GovCloud is not a limited subset of AWS. It is, rather, a protected region of full-featured AWS, with limited access.
GovCloud Security Features
Access to GovCloud is limited to users falling into the category of vetted U.S. persons. Its servers are located on United States soil, and it is managed and operated by United States citizens. These and other security-related features bring it into full compliance with a wide range of United States government security and restricted-access regulations.
These regulations and standards include:
Federal Risk and Authorization Management Program (FedRAMP)
Defense Federal Acquisition Regulation Supplement (DFARS)
Department of Defense Security Requirements Guide (SRG) through level 5
U.S. International Traffic in Arms Regulations (ITAR)
Department of Justice Criminal Justice Information Service Security Policy
A variety of information distribution and security requirements.
These requirements cover not only national security, but also law-enforcement information security, and protection of personal, financial, and medical information for individuals. They apply to such things as compliance with federal technical standards, and export of sensitive intellectual property.
Secure GovCloud Use
How secure is GovCloud? Currently, the U.S. Air Force's Next Generation GPS system is running in GovCloud, as is the General Services administration's Cloud.gov, which serves as a cloud platform within the federal government. In addition, agencies such as the Justice Dept. and the Department of Veterans' Affairs make extensive use of GovCloud for both internal operations, and for public-facing services. GovCloud compliance features include data safety and access control based on identity, including control down to the API level.
Who Uses GovCloud?
Besides key federal agencies, a wide range of major government contractors and enterprise- level corporations in federally regulated industries make good use of GovCloud.
Motorola's missing persons recognition and detection platform, for example, uses GovCloud to stay in compliance with the FBI's Criminal Justice Information Services requirements. Many law enforcement agencies and contractors serving those agencies use GovCloud to securely handle sensitive data.
Lockheed Martin uses GovCloud to keep track of such things as compliance with International Traffic in Arms Regulations (ITAR), a major concern not only of aerospace and defense contractors, but also of the companies which provide them with supplies and technical services.
Health-related businesses and agencies, such as FIGmd, use GovCloud to achieve full compliance with federal regulations regarding medical records security and patient access to medical information.
Do You Need GovCloud?
If your business is involved in such fields as defense or law enforcement, or in health information services, it is probably clear at this point that you should at least look into the services that GovCloud has to offer.
But what about other fields? Many enterprises, after all, offer services and products to such a wide range of clients that it is not always easy to know which regulatory environments you must operate in. To determine whether your enterprise could benefit from GovCloud, it may be useful to examine your operations in terms of the following areas:
Do you operate in a business domain that falls under federal regulations? If you are involved in energy production, for example, you may need to comply with the requirements of the Federal Energy Regulatory Commission (FERC), as well as the Nuclear Regulatory Commission (NRC). This was the case with Talen Energy, which uses GovCloud to stay in compliance with applicable regulations.
If your enterprise is involved in other regulated fields, such as investment banking, medical research, or even data processing and storage services for clients in a regulated field, GovCloud may be a way to solve compliance needs before they come to the attention of regulators.
Security-Related Products and Services
If a major focus of your enterprise is information security, there's a very good chance that your products or services will fall under United States government regulations, even if you are not providing those products or services to government clients. If, for example, you provide security-related products to government contractors handling sensitive data, you are likely to fall under compliance requirements.
By using GovCloud, you can guarantee that your products and services are in compliance. This gives you an added level of protection in the event of a security-related incident on the part of one of your clients. It can also open new markets by making your products available to clients with strict federal security requirements.
Non-Regulated Products Used by Government Agencies
If you do not operate in a regulated industry, and if your products and services do not involve security, there may still be times when you will benefit from using GovCloud. If you sell products and services to United States government agencies, or to state or local agencies falling under federal regulations, sooner or later you are likely to find that you need to comply with federal requirements in order to do business with those agencies.
This was the case, for example, with Blackboard, a leading provider of learning software. In order to comply with federal requirements when supplying its software to government agencies, Blackboard uses GovCloud.
GovCloud Makes it Easy
Whether you are currently a government contractor, or you count government contractor agencies among your clients, or you are simply thinking of selling products to government agencies or contractors, GovCloud may be just what you need to eliminate current or future compliance concerns.