Cloud security and compliance can be challenging for the public sector and other industries that are highly regulated. FedRAMP, Defense Federal Acquisition Regulation Supplement (DFARS), and Payment Card Industry (PCI) are some examples of security frameworks that traditionally require complex paths to compliance. The AWS Security Automation Orchestration (SAO) methodology addresses the broad needs and unique compliance requirements encountered by those in regulated markets.

ATO on AWS is a partner-driven process that helps organizations converge common security frameworks to be secure and address compliance requirements at the same time.

About ATO on AWS

CIS and other partners worked with AWS to develop the AWS SAO methodology, which enables AWS customers to constrain, track, and publish continuous risk treatments (CRT). CRT is a process and technology approach using AWS services and partner solutions to detect, maintain, and in most cases correct security, compliance, and threats.

AWS SAO configures and assimilates DevOps routines like continuous integration (CI) and continuous delivery (CD) into a “Type Accredited” secure AWS architecture. This architecture is configured to converge common security frameworks such as FedRAMP, DoD CC SRG, PCI-DSS, IRS 1075, etc. through the use of security as code practices.

See all ATO partnersArrow

Key Benefits

Following the SAO methodology accelerates Authority to Operate (ATO) for AWS customers and creates an automated capability to maintain accreditations of their workloads. Other benefits include:

Fast Track Cloud Deployment
A secure automation deployment for regulated workloads in AWS (e.g. FedRAMP, DoD CC SRG, IRS 1075, PCI, etc.).

Increase Speed
Assimilate SecOps and DevOps practices into a Governance as Code (GoC) approach for secure operations and orchestration. This keeps accreditation baselines in place as you become more agile in your adoption of AWS.

Type Accredit
Pre-audit automation package builds through APN Consulting Partners and FedRAMP 3PAOs.

AWS Marketplace Availability
Distribution of AWS services, partner solutions, and documentation library as single procurement (Result: AWS SAO Trust Boundary in a Box).

CIS Hardened Images

Using CIS Hardened Images is one part of ATO on AWS. CIS Hardened Images are virtual machine images that are pre-configured to meet the security recommendations of the CIS Benchmarks™, consensus-based configuration standards for more than 100 CIS Benchmarks across 25+ vendor product families.

CIS Benchmarks can be utilized in place of Security Technical Implementation Guidelines (STIGs) that are the configuration standards for DoD IA and IA-enabled devices/systems. The DoD Cloud Computing Security Requirements Guide, ver 1, Rel 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry standard baselines such as those provided by the Center for Internet Security (CIS) benchmarks are an acceptable alternative to the STIGs and SRGs.”

CIS Hardened Images, configured according to the CIS Benchmarks, meet these security requirements.

Hardened Images Workflow


Learn more about CIS Hardened Images