(GEN117) AWS Compliance Summit
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Compliance Summit
October 6, 2015
Financial Industry Regulatory Authority
Using AWS in Healthcare and Life Sciences
Chad Woolf
Director of Risk and Compliance
Peter Spellman
Chief Technical Officer & Co-Founder
The world’s largest track and trace network for connecting the life sciences supply chain and eliminating counterfeit prescription drugs from the global marketplace.
AWS Services We Use
Accomplishments in AWS
Regulated Workloads
1. Network-driven regulated workloads
   195,000+ network entities generating tens of millions of messages resulting in billions of transactions
2. Serialized operations in production at massive scale for global compliance
3. Automated IQ, OQ, crowd-sourced PQ (moving to automated)
EC2
RDS
Elasticache
CloudWatch
CloudTrail
Trusted Advisor
SQS
SNS
S3
DynamoDB
Route 53
CloudFormation
IAM
Kinesis
CloudSearch
Redshift
Data Translation
Distributed Network Tenancy
Pharma Companies
Wholesale Distributors
Dispensers
Repackagers
3PLs
CMOs/CPOs
Business Collaboration
B2B Relationship
Platforms
Dan Dziadiw
Director of IT Compliance & Risk Management
We are committed to improving health and well-being around the world. From developing new therapies that treat and prevent disease to helping people in need, we are guided by a rich legacy and inspired by a shared vision.
AWS Services We Use
250+ Applications supported by AWS Infrastructure
1000+ EC2 Instances
617TB of S3 Storage
2TB of EBS Storage across our Merck VPCs in 3 AWS regions (US, Ireland, Singapore)
Accomplishments in AWS
Regulated Workloads
1. Regulated R&D Application running on AWS
2. Qualified AWS Infrastructure per our SDLC Policies
How Did We Do It?
By Integrating ‘Cloud’ into:
• SDLC & Cloud Guidance
• Security Controls and Design
• Info Risk, Privacy & Data Mgmt
• Supplier Mgmt Considerations
Bruce Kratz
Vice President of Research and Development
Quality Professionals
• Independent Software Vendor
• Leader in Enterprise Quality Management Solutions
• Serving Highly Regulated Industries
• Driving Control, Compliance & Product Safety
Top 35 Pharma Companies
Top 13 out of 15 Medical Device Companies
Over 700 Implementations
Over 650,000 Users
More Than 30 Countries Across the World
Partner Eco-System
[Diagram: The Quality Network. CMO and CRO Quality Management Systems; <QDX> QUALITY DATA EXCHANGE]
Why AWS
• AWS Focus on Life Sciences
• Proven Compliant Validated Workloads
• Better Understanding of Virtualization by the Audit Community
• Life Sciences Cooperation re: how to respond to FDA requests
• Long History of Innovation
EC2
S3
VPC
KMS / IAM
CloudWatch
CloudTrail
RDS
Glacier
Route 53
CloudFormation
Config
AutoScaling
AWS Services
Industry Factors
• Faster Time to Market
• Constant Innovation
• World-Wide Scalability
• Cost Advantages
Business Advantages
Bruce Kratz, VP Research & Development
Ivan Latanision, VP Product Management & Strategy
We Help Protect Millions of Lives Everyday
Chris Whalley
Compliance Program Manager
October 6, 2015
Using AWS in HCLS Systems
Healthcare and Life Sciences
What to Expect from the Session
Session for executives, quality & security assurance managers, and other stakeholders.
Focus on using AWS cloud products.
Lessons learned from organizations who are already using AWS in HCLS systems.
How is Compliance in AWS Different?
Infrastructure Devices: Traditional = Hardware; AWS = Code
Delivery Processes: Traditional = Manual; AWS = Automated
Software Architecture: Traditional = Embedded; AWS = Distributed
Access Controls and Logging: Traditional = Disparate; AWS = Harmonized
System Updates: Traditional = Larger & Infrequent; AWS = Smaller & Continuous
Monitoring in Production: Traditional = Periodic Polls of Selected Samples; AWS = Real-Time Alarms on Full Population
Considerations Using AWS in HCLS Systems
Purchasing Controls
Organization and Personnel
Design Controls
Validation
Production Environment Controls
Records and Reports
Auditing
Traditional P.O. Purchasing
1. Specify Server Requirements
2. Source server & OS
3. Submit request to Purchasing
4. Submit P.O. to vendor
5. Receive server shipment
6. Install server & OS
7. Configure OS
8. Qualify server & OS
9. Pay Invoice and depreciate asset as CapEx
Purchasing Controls
Purchasing in AWS
1. Specify Server Requirements
2. Select matching EC2 Instance Type & BYO qualified OS image
3. Launch Instance with your qualified image with automatic logging
4. Pay for what you use as OpEx
PROMPT> ec2-run-instances ami-978d91fe -k my-key-pair --instance-type t2.micro
< 5 minutes
> 2 weeks
Organization and Personnel
Awareness Training
Training per se
Employee
Qualification
Online Documentation
Self-paced Labs
Foundational Courses
Role-based Courses
Associate and Professional
Certifications
Update job descriptions and training plans for cloud skills.
Developers
DBAs
Network & Security Engineers
Business Analysts
Auditors
QA/RA Managers
Design Controls
[Diagram: HCLS Operations; Elastic Load Balancing; Availability Zone A; Availability Zone B; Web Server; App Server; DB Server; HCLS System End User; HCLS System Engineer]
Define User Requirements
Define System SLA
Define App Requirements
Define Data Requirements
Select AZs for Availability SLA
Architect Ability to Fail Over for SLA
Architect Data + Replication
Match App to EC2 Instance Type
Validation
Hardware Era: Protocol-Driven Manual Activities
Virtualization Era: Procedure-Driven Manual Activities
Cloud Era: Code-Driven Automated Activities
Production Environment Controls
Automate deployment to production with tools like AWS CodePipeline.
Establish and monitor control parameters programmatically using Amazon CloudWatch alarms.
Record and justify deviations from automated processes.
Create end user SLAs and support channels, then feed their requests into engineering.
HCLS end users
HCLS engineers
Records and Reports
Logs in CloudTrail and CloudWatch
CloudFormation Templates and custom code
Application validation records
Virtual infrastructure qualification records
HCLS end user account info & training records
HCLS engineer account info & training records
AWS technical support cases
Generate
• Automated Logging vs
• Manual Creation
Use
• Review
• Analyze
• Act, Present, or Submit
Retain
• Keep originals or true copies
• Define retention schedule & locations
• Ensure protection & retrievability
Dispose
• Record destruction authorization
Auditing
Review your…
AWS account credentials
IAM users
IAM groups
IAM roles
IAM providers for SAML and OpenID Connect
Mobile apps
Amazon EC2 security configurations
Resource-based policies in other services like S3
Monitor activity in your AWS account
Training records
In Summary
Infrastructure as Code is fundamentally transforming HCLS IT compliance
Automation and shorter change cycles require rethinking traditional SDLCs
Cloud skills are the new job skills qualifications
HCLS organizations are achieving more control with less effort than ever before
Upcoming Sessions This Week
ARC305 - Self-service Cloud Services: How J&J Is Managing AWS at Scale for Enterprise Workloads
ARC311 – Decoding the Genetic Blueprint of Life on a Cloud Connected Ecosystem, ThermoFisher
BDT316 – Offloading ETL to Amazon EMR, Amgen
SEC304 - Architecting for HIPAA Compliance on AWS, Emdeon
SEC310 - Splitting the Check on Compliance and Security: Keeping Developers and Auditors Happy in the Cloud
SEC312 - Reliable Design and Deployment of Security and Compliance
SEC313 – Security and Compliance at Petabyte Scale: Lessons from the National Cancer Institute's Cancer Genomics Cloud Pilot
Helpful Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Center Website: https://aws.amazon.com/compliance
Security Center: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: [email protected]
AWS Loft New York: Audit Days
Security By Design: https://aws.amazon.com/compliance/security-by-design
Thank you!
October 6, 2015
Using AWS in Financial Services
Chad Woolf
Director of Risk and Compliance
Tony Spinelli
Senior Vice President, Chief Information Officer
Largest direct bank
4th largest credit card issuer in the U.S.:
• $310.5 billion in assets
• $209.7 billion in loans
• $208.8 billion in deposits
• 65+ million accounts
• 46,000+ associates
• A FORTUNE 500 Company - #124
• Experimentation: e.g. mobile pilots, hackathons
• Development & Test: e.g. online banking, stream data processing
• Production: e.g. mobile banking app, core banking platform
Accomplishments in AWS
Regulated Workloads
AWS Services We Use
• Compute: EC2, ELB,
• Storage: EBS, S3
• Database: RDS
• Network: VPC, DirectConnect, Route53
• Admin & Security: IAM, CloudTrail, CloudWatch, Config, CloudHSM, KMS
• Deployment & Management: CloudFormation
• Application & Mobile: SQS, SNS
How Did We Do It?
• Due diligence service-based assessment
• Governance model and standards playbook
• Security by design for workloads, including in-house and third party developed tools
Daniel Schaefer
DevOps Team Lead
We provide faster payment connections to financial institutions
We provide features and controls to businesses that make the payments system easier
Accomplishments in AWS
Regulated Workloads
1. Strong Authentication (MFA)
2. Identity Access Management
3. Segmentation/isolation of resources
IAM - Users, Access Policies
EC2, ECS - Scalability, Auto recovery
S3, RDS, ElastiCache - Storage, Caching, Search
Redshift, EMR - Big Data, Data Warehouse, Reporting
VPC, Route 53 - Isolation, Firewall, Subnets
CloudFormation - Automation
How Did We Do It?
● Infrastructure as code - changes have clear audit trail
● Iterative approach to infrastructure - Evolved over time, kept up to date with leading practices.
● Defined mapping of integrated compliance requirements
● Avoid theater - Evaluate the security/compliance goal and develop a process that accomplishes goal while allowing for rapid and easy development.
AWS Services We Use
Miles Wellesley
Head of Business Development
OUR MISSION
Our mission is to democratize access to the financial markets and inspire a new generation of investors.
Robinhood is the first financial services
firm to win an Apple Design Award.
SNS
Auto Scaling
Direct Connect
EC2
IAM
Lambda
Elasticache
EBS
S3
ELB
VPC
RDS
Data Pipeline
Redshift
Route 53
CloudWatch
Systems must be secure, redundant, and available
Innovative workflows: Documents associated with user profiles (S3)
Security: Security through encryption and narrow permissions scoping (IAM)
Redundancy / Business Continuity: Backups and snapshots
Combating Fraud: Data Science without a Data Science Infrastructure Team (Redshift)
THANK YOU
Nicki Sonpar
Director of Data Platforms
About Intake Ecosystem
As part of its regulatory mission, FINRA requests and receives information from broker-dealers
In addition to Market Big Data, millions of documents submitted each year - documents can be up to 100’s of gigabytes
Customers are uploading more and larger documents – 20% YoY submission growth
All document uploads must be auditable in case of litigation
Requirements
Centralize all document intake into Unified Data Catalog leveraged by FINRA users and applications
Leverage proven cloud-based services such as storage, security and network infrastructure to deliver business functionality
FINRA must manage and control encryption in transit and at rest
Maintain focus on FINRA’s key mission of analyzing data while minimizing operational overhead
Approach
Build a large file service which uses S3, KMS, and IAM policies to ensure compliance with FINRA policies
Firms directly submit data to AWS with temporary write-only access to a fixed location
Data is always encrypted, in transit and final destination
Leveraged FINRA’s Data Manager which provides a Unified Data Catalog and usage tracking on top of AWS Storage
[Diagram: Large File Service]
Lessons Learned
Refine and review architecture with your Security Team and AWS SMEs
Gigabyte uploads require security token refresh during the upload process
KMS keys are not replicated across regions, therefore a duplicate object in another region requires re-encryption – this is on AWS’ roadmap!
Partner with your AWS Pro Serv and internal product teams to build your service layer
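A sketch of the write-only, fixed-location, always-encrypted access described in the Approach slide and the token-refresh point from Lessons Learned, added here as an example and not FINRA's or AWS's own code. The bucket, prefix, key ARN and all function names are assumptions; the sample policies are constructed.

```python
from datetime import datetime, timedelta, timezone

# Actions a submitting firm must never receive under a write-only design.
FORBIDDEN_PREFIXES = ("s3:Get", "s3:List", "s3:Delete", "s3:*", "*")
TLS_DENY = {"Bool": {"aws:SecureTransport": "false"}}
SSE_DENY = {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}

def fixed_location(bucket, prefix):
    return f"arn:aws:s3:::{bucket}/{prefix.strip('/')}/*"

def build_upload_session_policy(bucket, prefix, kms_key_arn):
    """Session policy for one submitter: one prefix, write-only, SSE-KMS, TLS."""
    objects = fixed_location(bucket, prefix)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Initiate, upload-part and complete are all authorized as s3:PutObject.
                "Sid": "WriteOnlyFixedLocation", "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
                "Resource": objects},
            {   # Multipart uploads with SSE-KMS need both permissions on the key.
                "Sid": "UseIntakeKey", "Effect": "Allow",
                "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                "Resource": kms_key_arn},
            {   "Sid": "DenyUnencryptedObjects", "Effect": "Deny",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": SSE_DENY},
            {   "Sid": "DenyPlaintextTransport", "Effect": "Deny",
                "Action": "s3:*", "Resource": objects,
                "Condition": TLS_DENY},
        ],
    }

def as_list(value):
    return value if isinstance(value, list) else [value]

def review_policy(policy, bucket, prefix):
    """Return findings that break the write-only / fixed-location / encrypted rules."""
    allowed = fixed_location(bucket, prefix)
    findings, deny_conditions = [], []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        if st["Effect"] == "Deny":
            deny_conditions.append(st.get("Condition", {}))
            continue
        actions = as_list(st["Action"])
        findings += [f"{sid}: allows {a}" for a in actions
                     if a.startswith(FORBIDDEN_PREFIXES)]
        if any(a.startswith("s3:") or a == "*" for a in actions):
            findings += [f"{sid}: resource {r} is outside the fixed location"
                         for r in as_list(st["Resource"]) if r != allowed]
    if TLS_DENY not in deny_conditions:
        findings.append("no Deny for non-TLS requests")
    if SSE_DENY not in deny_conditions:
        findings.append("no Deny for uploads without SSE-KMS")
    return findings

def needs_refresh(expires_at, now, est_part_seconds, margin=timedelta(minutes=5)):
    """True when temporary credentials would expire before the next part finishes."""
    return now + timedelta(seconds=est_part_seconds) + margin >= expires_at

# Constructed sample values (placeholders, not real resources).
BUCKET, PREFIX = "example-intake-bucket", "firm-0001/2015-10-06"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Everything", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-intake-bucket/*"}]}

if __name__ == "__main__":
    print(review_policy(build_upload_session_policy(BUCKET, PREFIX, KEY_ARN), BUCKET, PREFIX))
    print(review_policy(TOO_BROAD, BUCKET, PREFIX))
```

The returned document is meant to be passed as the `Policy` parameter of an STS `AssumeRole` call; a session policy can only narrow what the assumed role already allows.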
Future
Migrate all documents which are less than 5 years old to S3 and Glacier
Unified Data Catalog gives us new opportunities to apply data mining, machine learning and pattern-recognition across all documents
Move all existing Data Intake platforms and applications to the cloud
Jodi Scrofani
Global Financial Services Compliance Strategist
October 6, 2015
Strengthening Your GRC
Financial Services
What to Expect from the Session
- AWS services and tools give financial services customers transparency into AWS services and security configurations.
- AWS services and tools offer financial services customers ease of auditability and streamline compliance requirements.
Risk Measures Critical to Moving to the Cloud (Direct Customer Feedback)
GLBA
National Regulations
PCI-DSS
Corporate Governance
Data Protection
Basel 3
U.S. Regulatory Guidelines that Apply to the Cloud
No published guidance
Third-Party Relationships: Risk Management (2013)
Initial cybersecurity guidelines (2014)
Technology-related risk management considerations (2003/2012)
Simplifying Compliance
Enabling Evidencing and Transparency
AWS Trusted Advisor
AWS IAM
AWS Config
Workbooks
Training
The Next Big Thing in GRC
1. The right Security By Design tech - AWS
2. SbD Whitepaper
3. AWS GoldBase
4. FFIEC & OCIE Audit Guides
5. IT Auditor Days & Training Courses
AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
FFIEC & SEC Audit Guides (New)
IT Auditor Days
Customer
June 3, 2015
“I appreciated the firsthand view of the controls (access management, logging/auditing) available for governance. The training would not only be helpful for technology, but for risk/compliance and internal audit teams as well.”
Coming soon to San Francisco, London, and Berlin
Regulators (New)
IT AUDITOR DAY FOR U.S. FINANCIAL SERVICES REGULATORS
Thursday, December 3, 2015
AWS Loft | 350 West Broadway | New York, NY 10005
Amazon Web Services (AWS) offers a number of tools that allow customers transparency and ease
of auditability of their AWS environment. AWS also recognizes that the regulatory community is
critical to the auditing process of its customers.
That is why we are offering a free invitation-only seminar to U.S. financial services regulators that
includes an introduction to and auditing of AWS's services. This hands-on training will introduce AWS
services and apply practical exercises to demonstrate how AWS can enable customers to implement
industry best practices for security and fulfill audit objectives related to Organizational Governance,
Asset Configuration, Logical Access Controls, Operating Systems, Databases and Applications
Security Configurations.
By the end of the day, you will understand how customers are using AWS and the technical control
features of AWS that can demonstrate a repeatable, reportable, and auditable architecture, and the
evidence supplied to demonstrate it.
WORKSHOP DETAILS
WHEN: Thursday, December 3, 2015
TIME: 10:30 AM TO 5:00 PM (EST)
WHERE: AWS Loft, 350 West Broadway, New York, NY 10013
TO RSVP: Click here
WHO SHOULD ATTEND
U.S. financial services regulators who are responsible for auditing financial services organizations
who are AWS customers.
This is a closed event for U.S. Financial Services Regulators Only: the Federal Reserve, the
Federal Reserve of New York, the Securities Exchange Commission, the Office of the
Comptroller of the Currency, the U.S. Commodity Futures Trading Commission, the Federal
Deposit Insurance Corporation, the Consumer Financial Protection Bureau, the National Credit
Union Administration, and the National Association of Insurance Commissioners.
PREREQUISITES
We recommend, but do not require, that attendees of this course have some familiarity with general
December 3, 2015
Related Sessions
• SEC 312 - Reliable Design and Deployment of Security and Compliance (1:30 p.m. Wednesday/Delfino 4005)
• SEC 302 - IAM Best Practices to Live By (1:30 p.m. Wednesday – see the replay)
• SEC 324 – Security Insights into Your Application Deployments (5:30 p.m. Wednesday)
• SEC305 - How to Become a Policy Ninja in 60 Minutes or Less (11:00 p.m. Thursday)
• SEC314 - Full Configuration Visibility and Control with AWS Config (5:30 p.m. Thursday/Palazzo K)
Thank you!
Using AWS in Public Sector
Chad Woolf
Director of Risk and Compliance
Justin Ewald
IT Architecture / Infrastructure Manager
City of Houston, Public Works & Engineering
AWS Services We Use
Accomplishments in AWS Regulated Workloads
1. Utility billing system for 500,000 customers and $1.2 billion in annual revenue.
2. Collect and store 3.7 billion water meter reads annually.
3. Advanced analytics provide early leak detection, conserving water.
4. AWS PCI Compliance ensures that a system of this magnitude is secure.
5. Additional initiatives moved to AWS: ReBuild Houston, Electronic Plan Review.
• Amazon EC2
• Amazon VPC
• Amazon Access Control
Albert "Scotty" Ellis, CISSP
Assistant Director, Center for Collaborative and Interactive Technologies
GIVING LIFE TO POSSIBLE
EC2
VPC
IAM
CloudTrail
CloudWatch
Glacier
Accomplishments in AWS
Regulated Workloads How Did We Do It?
An interlocking combination of the services and personnel training.
Making distinct compliance levels our infrastructure as per our various site/application requirements.
AWS Services We Use
1. Better security. Better functionality. A win-win.
2. Easier planning, better cost control, more automation.
3. Faster feature development.
EBS
AWS CLI
SES
SNS
RDS
Route 53
Albert "Scotty" Ellis, CISSP
Assistant Director, Center for Collaborative and Interactive Technologies
Baylor College of Medicine
Email: [email protected]
Noah Kunin
Infrastructure Director
Rajat Ravinder Varuni
Information Systems Security Officer
Bureaucracy hacking our way to the cloud
Let's ship it!
Or not.
This isn't rocket science
Is the launch checklist working?
The U.S. Government's Digital Launch Checklist
Records Management
Records Schedule
Privacy Act
Paperwork Reduction Act
Section 508 and Accessibility Standards
Federal Acquisition Regulation
Anti-deficiency Act
Economy Act
E-Government Act
Computer Matching Act
National Cyber Protection System
Guidance for Agency Use of Third-Party Websites and Applications
Social Media and Web-Based Interactive Technologies
Office of Management Budget Circular A-130 Appendix 3
Federal Information Security and Management Act
Federal Information Processing Standard (FIPS) 199
Federal Information Processing Standard (FIPS) 200
Federal Information Processing Standard (FIPS) 140-2
Special Publication 800-37
Special Publication 800-53 Revision 4
Special Publication 800-60 Volume 1
Special Publication 800-60 Volume 2
Special Publication 800-18
Special Publication 800-137
Special Publication 800-171
Special Publication 800-133
Special Publication 800-95
EINSTEIN Compliance
FedRAMP
OMB Guidance on third party websites and applications
OMB Memo M-14-04
OMB Memo M-15-01
Trusted Internet Connection 2.0 Reference Architecture
Pages in total: 4006
My friend, you can clearly see the intention of FIPS 140-2 Annex A was to deprecate SHA-1 on the lunar new year...
How long is this going to take?
6 - 14 months to ship
Speed is the new security.
Rajat Ravinder Varuni
Information Systems Security Officer
Lessons Learned
Information Systems can be TIC compliant by leveraging native AWS services.
AWS Config
TIC Operations:
✓ Inventories
✓ Ownership and awareness
✓ Configuration + change mgmt
AWS VPC
TIC Services:
✓ Framework for packet filtering
✓ Ensures network segmentation
✓ Feeds monitoring engine
What's next?
More alerts
"Game day" planning
Visualize the data
Jenn Gray
October 6, 2015
Using AWS to Enforce TIC
AWS/18F FedRAMP-TIC Overlay Pilot
What to Expect from the Session
• What is the AWS/FedRAMP – TIC Overlay Pilot?
• What can I use to build my TIC overlay assessment using AWS?
• How can I audit and capture flow logs to ease satisfying more than one TIC Capability?
• How can I automate enforcing TIC Capabilities using AWS?
What is the Trusted Internet Connection (TIC)?
As outlined by OMB Memorandum M-08-05
• Optimize and standardize
• Reduce & consolidate
• Enhanced monitoring and situational awareness of external network connections.
Proposed Draft FedRAMP – TIC Overlay
Use AWS/TIC Overlay Shared Responsibility Matrix
[Bar chart: AWS Shared Responsibility for TIC Capabilities. Legend: Total; TIC Capabilities Met by AWS FedRAMP ATO Adjusted Shared Customer. Data labels: 72, 60, 55, 43, 12.]
Use AWS/TIC Overlay Test Plans
Use VPC flow logs and other AWS audit sources to ease satisfying more than one TIC Capability with a single configuration change
AWS CloudTrail, Amazon CloudWatch, AWS VPC, Amazon S3, AWS Elastic Load Balancing
Look for Upcoming AWS Customer Resources
AWS/TIC Overlay Use Case and Whitepaper
Gold Base
TIC Connection Scenarios using AWS
[Diagram: Amazon VPC Architecture. Labels: Customer’s Network; TIC Provider; Secure Circuit; Internet; Secure VPN Connection over the Internet or Direct Connect; VPN Gateway; Router; Private Subnets; Isolated AWS Customer Resources; Amazon Web Services Cloud]
Success!
“AWS answered the call of the Department of Homeland Security (DHS) Trusted Internet Connections (TIC) Program Management Office (PMO) and FedRAMP PMO for CSPs to participate in their FedRAMP - TIC Overlay Pilots in order to help develop a solution towards data security and network connections between federal agency networks and cloud service providers.
AWS successfully completed the pilot and provided their assessment of addressing the controls identified in the Draft FedRAMP-TIC Overlay to DHS TIC and FedRAMP PMO to develop further guidance on TIC Ready CSP solution.”
Matthew Goodrich, FedRAMP Director, US General Services Administration
Sara Mosely, Branch Chief, US Department of Homeland Security, Trusted Internet Connection
Want More Info?
Email: [email protected]
Subject: AWS/FedRAMP -TIC Overlay Pilot
Copy of Draft FedRAMP-TIC Overlay
https://www.fedramp.gov/draft-fedramp-tic-overlay/
Thank you!