Security Compliance

Protecting Your Data

Here at En-Gage Applications, LLC we understand the importance of protecting your data. That is why we use AWS GovCloud, which is designed to host sensitive data and regulated workloads and to address the most stringent U.S. government security and compliance requirements.

AWS GovCloud (US) gives government customers and their partners the flexibility to architect secure cloud solutions that comply with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.


Vetted Access


Identity Management


Continuous Monitoring


Compliance Mandates

Security and Compliance Mandates


The CJIS Security Policy outlines the “appropriate controls to protect the full lifecycle of CJI (Criminal Justice Information), whether at rest or in transit,” irrespective of the underlying information technology model. By using solutions built on AWS, agencies can manage and secure their applications and data in the AWS cloud.

A growing number of military customers are adopting AWS’s utility-based cloud services to process, store, and transmit all types of unclassified Department of Defense (DoD) data. AWS enables DoD and its contractors to leverage the secure AWS environment to meet critical mission needs in supporting the security and welfare of our country.

AWS enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners’ approval process.

A growing number of military customers are adopting AWS services to process, store, and transmit US Department of Defense (DoD) data. AWS enables defense organizations and their business associates to create secure environments to process, maintain, and store DoD data.

AWS GovCloud (US) supports compliance with United States International Traffic in Arms Regulations (ITAR). As a part of managing a comprehensive ITAR compliance program, companies that are subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons, and by restricting physical location of protected data to the US.

The National Institute of Standards and Technology (NIST) 800-53 security controls are generally applicable to US Federal Information Systems. Federal Information Systems typically must go through a formal assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems.

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information.

Internal Revenue Service Publication 1075 (IRS Pub 1075) provides guidance for US government agencies and their agents to protect Federal Tax Information (FTI).

GxP is an acronym that refers to the regulations and guidelines applicable to life sciences organizations that make food and medical products such as drugs, medical devices, and medical software applications. The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions.

The Health Information Trust Alliance Common Security Framework (HITRUST CSF) leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA to create a comprehensive set of baseline security and privacy controls.

A growing number of healthcare providers, payers, and IT professionals are using AWS's utility-based cloud services to process, store, and transmit protected health information (PHI).

AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information.

Encryption at Rest to Satisfy CJIS

All AWS services with at-rest data support FIPS 197 AES 256 symmetric encryption in accordance with the CJIS Security Policy. Customers can manage their own encryption keys with customer-managed master encryption keys using AWS Key Management Service (KMS), which uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints.

Encryption in Transit to Satisfy CJIS

To support customers with FIPS cryptographic requirements, FIPS 140-2-compliant APIs are available in AWS GovCloud (US). AWS enables customers to open a secure, encrypted session to AWS servers using HTTPS (Transport Layer Security [TLS]).