Tiers of compliance

Regulatory Compliance in the Cloud

Compliance is a critical aspect of any organization’s operations, particularly when it comes to data security and privacy. In the realm of cloud computing, compliance requirements can be complex and varied, depending on the industry and regulatory environment. This note provides an overview of the different tiers of compliance, including FISMA, FedRAMP, and HIPAA, and outlines the specific control areas that organizations must address to achieve compliance. By understanding these requirements, organizations can ensure that their cloud infrastructure meets the necessary standards for data security and privacy.

FISMA Compliance

| Control Area | FISMA Low | FISMA Moderate | FISMA High |
|---|---|---|---|
| Identity & Access Management | Basic IAM policies; MFA for privileged users; Regular access reviews | More stringent IAM policies; MFA for all users; Role-based access control; Regular access audits; Temporary credentials for short-term access | Enhanced user monitoring; Continuous access auditing; Additional access restrictions; Session duration limitations; Just-In-Time (JIT) access |
| Data Encryption | Encryption at rest (KMS, S3, EBS); Encryption in transit (TLS) | More stringent encryption key management; Automated key rotation; Dedicated KMS Customer Master Keys (CMKs) | Enhanced encryption algorithms; Hardware security module (HSM) integration; Stronger key management policies; Key access and usage logging |
| Network Security | Basic VPC setup; Security groups; Network ACLs | Enhanced VPC isolation; WAF; Network traffic monitoring; Intrusion detection; VPN or Direct Connect for hybrid environments | Advanced network protection; Anomaly detection; More comprehensive traffic analysis; Micro-segmentation of network resources; PrivateLink for service access |
| Logging & Monitoring | Basic CloudTrail and CloudWatch setup; Log storage and retention | Extended logging (S3, Lambda, RDS, etc.); More granular monitoring; Regular audits; AWS Config for resource tracking | Real-time continuous monitoring; Advanced analytics (Amazon Elasticsearch, Kinesis); Automated response capabilities (Lambda, Step Functions); Centralized logging across accounts and regions |
| Patch Management & Vulnerability Scanning | Regular patching and updates; Basic vulnerability scanning | Rigorous patch management; Regular vulnerability scanning (Amazon Inspector); Remediation processes and tracking | Continuous vulnerability scanning; More aggressive patch management processes; Integration with security information and event management (SIEM) tools |
| Backup & Disaster Recovery | Basic backup (S3, EBS, RDS); Recovery processes | More frequent backups; Enhanced recovery processes; Regular testing; Cross-region replication for backups | High availability and redundancy; Multi-region deployment; Shorter recovery time objectives (RTO) and recovery point objectives (RPO); Versioning and backup validation |
| Incident Response | Basic incident response plan; Notification and escalation processes | Enhanced incident response plan; Regular testing and updates; Incident response team and training | Advanced incident response capabilities; Automated response (Lambda, Step Functions); Continuous improvement based on lessons learned; Integration with external threat intelligence sources |
| Compliance Validation | Regular audits and assessments; Compliance with FISMA Low requirements | More comprehensive audits and assessments; Compliance with FISMA Moderate requirements; AWS Artifact for compliance documentation | Rigorous audits and assessments; Continuous validation; Compliance with FISMA High requirements; Third-party assessments and certifications |

FedRAMP Compliance

| Control Area | FedRAMP Low | FedRAMP Moderate | FedRAMP High |
|---|---|---|---|
| Identity & Access Management | Basic IAM policies; MFA for privileged users; Regular access reviews | More stringent IAM policies; MFA for all users; Role-based access control; Regular access audits; Temporary credentials for short-term access | Enhanced user monitoring; Continuous access auditing; Additional access restrictions; Session duration limitations; Just-In-Time (JIT) access |
| Data Encryption | Encryption at rest (KMS, S3, EBS); Encryption in transit (TLS) | More stringent encryption key management; Automated key rotation; Dedicated KMS Customer Master Keys (CMKs) | Enhanced encryption algorithms; Hardware security module (HSM) integration; Stronger key management policies; Key access and usage logging |
| Network Security | Basic VPC setup; Security groups; Network ACLs | Enhanced VPC isolation; WAF; Network traffic monitoring; Intrusion detection; VPN or Direct Connect for hybrid environments | Advanced network protection; Anomaly detection; More comprehensive traffic analysis; Micro-segmentation of network resources; PrivateLink for service access |
| Logging & Monitoring | Basic CloudTrail and CloudWatch setup; Log storage and retention | Extended logging (S3, Lambda, RDS, etc.); More granular monitoring; Regular audits; AWS Config for resource tracking | Real-time continuous monitoring; Advanced analytics (Amazon Elasticsearch, Kinesis); Automated response capabilities (Lambda, Step Functions); Centralized logging across accounts and regions |
| Patch Management & Vulnerability Scanning | Regular patching and updates; Basic vulnerability scanning | Rigorous patch management; Regular vulnerability scanning (Amazon Inspector); Remediation processes and tracking | Continuous vulnerability scanning; More aggressive patch management processes; Integration with security information and event management (SIEM) tools |
| Backup & Disaster Recovery | Basic backup (S3, EBS, RDS); Recovery processes | More frequent backups; Enhanced recovery processes; Regular testing; Cross-region replication for backups | High availability and redundancy; Multi-region deployment; Shorter recovery time objectives (RTO) and recovery point objectives (RPO); Versioning and backup validation |
| Incident Response | Basic incident response plan; Notification and escalation processes | Enhanced incident response plan; Regular testing and updates; Incident response team and training | Advanced incident response capabilities; Automated response (Lambda, Step Functions); Continuous improvement based on lessons learned; Integration with external threat intelligence sources |
| Compliance Validation | Regular audits and assessments; Compliance with FedRAMP Low requirements | More comprehensive audits and assessments; Compliance with FedRAMP Moderate requirements; AWS Artifact for compliance documentation | Rigorous audits and assessments; Continuous validation; Compliance with FedRAMP High requirements; Third-party assessments and certifications |
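Both the FISMA and the FedRAMP tables above express the same idea: each control area has a baseline that tightens as the impact level rises. The following is an added example (it is not part of this note and not an AWS tool) showing how a practitioner can encode that tier ladder as checks over an account inventory. It assumes a constructed inventory dictionary shaped loosely like the data you would pull from IAM, KMS, EBS, CloudTrail and AWS Config; the function names, the `privileged`/`hsm_backed` fields, and the reading of "HSM integration" as "key lives in an HSM-backed custom key store" are all this example's own assumptions, not requirements stated by either framework. The sample data is constructed so that every tier produces a different set of findings.

```python
"""Tier-aware control evaluation over a constructed account inventory (added example)."""
from dataclasses import dataclass

# Ordered from least to most stringent, matching the table columns.
TIERS = ("Low", "Moderate", "High")


@dataclass(frozen=True)
class Finding:
    control: str    # control area from the table
    tier: str       # tier being evaluated
    resource: str   # offending resource
    message: str


def at_least(tier: str, minimum: str) -> bool:
    """True when `tier` is `minimum` or stricter (Low < Moderate < High)."""
    return TIERS.index(tier) >= TIERS.index(minimum)


def check_iam(inv: dict, tier: str) -> list:
    """Low: MFA for privileged users only. Moderate and High: MFA for every user."""
    findings = []
    for user in inv["iam_users"]:
        needs_mfa = user["privileged"] or at_least(tier, "Moderate")
        if needs_mfa and not user["mfa_active"]:
            findings.append(Finding("Identity & Access Management", tier,
                                    user["name"], "MFA required but not enabled"))
    return findings


def check_encryption(inv: dict, tier: str) -> list:
    """Low and up: encryption at rest. Moderate and up: dedicated customer-managed
    keys with automatic rotation. High: HSM-backed keys (assumed: custom key store)."""
    findings = []
    for vol in inv["ebs_volumes"]:
        if not vol["encrypted"]:
            findings.append(Finding("Data Encryption", tier, vol["id"],
                                    "volume not encrypted at rest"))
            continue
        key = inv["kms_keys"][vol["kms_key_id"]]
        if at_least(tier, "Moderate"):
            if key["manager"] != "CUSTOMER":
                findings.append(Finding("Data Encryption", tier, vol["id"],
                                        "AWS-managed key; dedicated customer-managed key required"))
            elif not key["rotation_enabled"]:
                findings.append(Finding("Data Encryption", tier, vol["id"],
                                        "automatic key rotation disabled"))
        if tier == "High" and not key["hsm_backed"]:
            findings.append(Finding("Data Encryption", tier, vol["id"],
                                    "key not backed by an HSM custom key store"))
    return findings


def check_logging(inv: dict, tier: str) -> list:
    """Low and up: a CloudTrail trail exists. Moderate and up: AWS Config recording.
    High: a multi-region trail so logs are centralized across regions."""
    findings = []
    trails = inv["cloudtrail_trails"]
    if not trails:
        findings.append(Finding("Logging & Monitoring", tier, "account",
                                "no CloudTrail trail configured"))
    elif tier == "High" and not any(t["multi_region"] for t in trails):
        findings.append(Finding("Logging & Monitoring", tier, "account",
                                "no multi-region trail for centralized logging"))
    if at_least(tier, "Moderate") and not inv["config_recorder_enabled"]:
        findings.append(Finding("Logging & Monitoring", tier, "account",
                                "AWS Config recorder not enabled"))
    return findings


def evaluate(inv: dict, tier: str) -> list:
    """Run every check at the given tier and return the combined findings."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}; expected one of {TIERS}")
    return check_iam(inv, tier) + check_encryption(inv, tier) + check_logging(inv, tier)


# Constructed sample inventory; not real account data.
SAMPLE_INVENTORY = {
    "iam_users": [
        {"name": "admin-alice", "privileged": True, "mfa_active": True},
        {"name": "dev-bob", "privileged": False, "mfa_active": False},
        {"name": "ops-carol", "privileged": True, "mfa_active": False},
    ],
    "kms_keys": {
        "key-aws": {"manager": "AWS", "rotation_enabled": True, "hsm_backed": False},
        "key-cmk": {"manager": "CUSTOMER", "rotation_enabled": False, "hsm_backed": False},
    },
    "ebs_volumes": [
        {"id": "vol-1", "encrypted": True, "kms_key_id": "key-aws"},
        {"id": "vol-2", "encrypted": True, "kms_key_id": "key-cmk"},
        {"id": "vol-3", "encrypted": False, "kms_key_id": None},
    ],
    "cloudtrail_trails": [{"name": "main", "multi_region": False}],
    "config_recorder_enabled": False,
}

if __name__ == "__main__":
    for t in TIERS:
        results = evaluate(SAMPLE_INVENTORY, t)
        print(f"{t}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.control}] {f.resource}: {f.message}")
```

The same inventory yields 2 findings at Low, 6 at Moderate and 9 at High, which is the point of the tier model: a control that is acceptable at one impact level (an AWS-managed key, a single-region trail, MFA only for administrators) becomes a finding at the next. Swapping the constructed inventory for data pulled from the real APIs is the only change needed to run this against an account.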

HIPAA Compliance