(GEN117) AWS Compliance Summit
Page 1: (GEN117) AWS Compliance Summit

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

AWS Compliance Summit

October 6, 2015

Financial Industry Regulatory Authority

Page 2: (GEN117) AWS Compliance Summit


Using AWS in Healthcare and Life Sciences

Page 3: (GEN117) AWS Compliance Summit

Chad Woolf

Director of Risk and Compliance

Page 4: (GEN117) AWS Compliance Summit

Peter Spellman

Chief Technical Officer & Co-Founder

Page 5: (GEN117) AWS Compliance Summit

The world’s largest track and trace

network for connecting the life

sciences supply chain and eliminating

counterfeit prescription drugs from the

global marketplace.

AWS Services We Use: EC2, RDS, ElastiCache, CloudWatch, CloudTrail, Trusted Advisor, SQS, SNS, S3, DynamoDB, Route 53, CloudFormation, IAM, Kinesis, CloudSearch, Redshift

Accomplishments in AWS Regulated Workloads

1. Network-driven regulated workloads: 195,000+ network entities generating tens of millions of messages resulting in billions of transactions

2. Serialized operations in production at massive scale for global compliance

3. Automated IQ, OQ, crowd-sourced PQ (moving to automated)

[Diagram: Data Translation, Distributed Network Tenancy, Business Collaboration and B2B Relationship Platforms connecting Pharma Companies, Wholesale Distributors, Dispensers, Repackagers, 3PLs and CMOs/CPOs]

Page 7: (GEN117) AWS Compliance Summit

Dan Dziadiw

Director of IT Compliance & Risk Management

Page 8: (GEN117) AWS Compliance Summit

We are committed to improving

health and well-being around the

world. From developing new

therapies that treat and prevent

disease to helping people in need,

we are guided by a rich legacy and

inspired by a shared vision.

AWS Services We Use

250+ Applications supported by AWS Infrastructure

1000+ EC2 Instances

617TB of S3 Storage

2TB of EBS Storage across our Merck VPCs in 3 AWS regions (US, Ireland, Singapore)

Accomplishments in AWS Regulated Workloads

1. Regulated R&D Application running on AWS

2. Qualified AWS Infrastructure per our SDLC Policies

How Did We Do It?

By Integrating ‘Cloud’ into:

• SDLC & Cloud Guidance

• Security Controls and Design

• Info Risk, Privacy & Data Mgmt

• Supplier Mgmt Considerations

Page 9: (GEN117) AWS Compliance Summit

Bruce Kratz

Vice President of Research and Development

Page 10: (GEN117) AWS Compliance Summit

Quality Professionals

• Independent Software Vendor

• Leader in Enterprise Quality Management Solutions

• Serving Highly Regulated Industries

• Driving Control, Compliance & Product Safety

Top 35 Pharma Companies

13 out of the Top 15 Medical Device Companies

Over 700 Implementations

Over 650,000 Users

More Than 30 Countries Across the World

Page 11: (GEN117) AWS Compliance Summit

Partner Eco-System

[Diagram: CMOs and CROs, each running their own Quality Management System]

Page 12: (GEN117) AWS Compliance Summit

The Quality Network

[Diagram: CMO and CRO Quality Management Systems connected through the <QDX> Quality Data Exchange]

Page 13: (GEN117) AWS Compliance Summit

The Quality Network

[Diagram: a CMO Quality Management System connected through the <QDX> Quality Data Exchange]

Page 14: (GEN117) AWS Compliance Summit

Why AWS

• AWS Focus on Life Sciences

• Proven Compliant Validated Workloads

• Better Understanding of Virtualization by the Audit Community

• Life Sciences Cooperation re: how to respond to FDA requests

• Long History of Innovation

AWS Services: EC2, S3, VPC, KMS / IAM, CloudWatch, CloudTrail, RDS, Glacier, Route 53, CloudFormation, Config, AutoScaling

Industry Factors / Business Advantages

• Faster Time to Market

• Constant Innovation

• World-Wide Scalability

• Cost Advantages

Page 15: (GEN117) AWS Compliance Summit

Bruce Kratz, VP Research & Development

[email protected]

Ivan Latanision, VP Product Management & Strategy

[email protected]

We Help Protect Millions of Lives Everyday

Page 16: (GEN117) AWS Compliance Summit


Chris Whalley

Compliance Program Manager

October 6, 2015

Using AWS in HCLS Systems (Healthcare and Life Sciences)

Page 17: (GEN117) AWS Compliance Summit

What to Expect from the Session

Session for executives, quality & security

assurance managers, and other stakeholders.

Focus on using AWS cloud products.

Lessons learned from organizations who are already

using AWS in HCLS systems.

Page 18: (GEN117) AWS Compliance Summit

How is Compliance in AWS Different?

Area: Traditional → AWS

Infrastructure: Devices / Hardware → Code

Delivery Processes: Manual → Automated

Software Architecture: Embedded → Distributed

Access Controls and Logging: Disparate → Harmonized

System Updates: Larger & Infrequent → Smaller & Continuous

Monitoring in Production: Periodic Polls of Selected Samples → Real-Time Alarms on Full Population

Page 19: (GEN117) AWS Compliance Summit

Considerations Using AWS in HCLS Systems

Purchasing Controls

Organization and Personnel

Design Controls

Validation

Production Environment Controls

Records and Reports

Auditing

Page 20: (GEN117) AWS Compliance Summit

Purchasing Controls

Traditional P.O. Purchasing (> 2 weeks)

1. Specify Server Requirements

2. Source server & OS

3. Submit request to Purchasing

4. Submit P.O. to vendor

5. Receive server shipment

6. Install server & OS

7. Configure OS

8. Qualify server & OS

9. Pay Invoice and depreciate asset as CapEx

Purchasing in AWS (< 5 minutes)

1. Specify Server Requirements

2. Select matching EC2 Instance Type & BYO qualified OS image

3. Launch Instance with your qualified image with automatic logging

4. Pay for what you use as OpEx

PROMPT> ec2-run-instances ami-978d91fe -k my-key-pair --instance-type t2.micro

Page 21: (GEN117) AWS Compliance Summit

Organization and Personnel

Awareness Training: Online Documentation; Self-paced Labs

Training per se: Foundational Courses; Role-based Courses

Employee Qualification: Associate and Professional Certifications

Update job descriptions and training plans for cloud skills: Developers, DBAs, Network & Security Engineers, Business Analysts, Auditors, QA/RA Managers

Page 22: (GEN117) AWS Compliance Summit

Design Controls

[Diagram: HCLS System End User → Elastic Load Balancing → Web Server, App Server and DB Server deployed across Availability Zone A and Availability Zone B; HCLS Operations and the HCLS System Engineer carry out the design steps below]

Define User Requirements → Define System SLA → Define App Requirements → Define Data Requirements

Select AZs for Availability SLA → Architect Ability to Fail Over for SLA → Architect Data + Replication → Match App to EC2 Instance Type

Page 23: (GEN117) AWS Compliance Summit

Validation

Hardware Era: Protocol-Driven Manual Activities

Virtualization Era: Procedure-Driven Manual Activities

Cloud Era: Code-Driven Automated Activities

Page 24: (GEN117) AWS Compliance Summit

Production Environment Controls

• Automate deployment to production with tools like AWS CodePipeline.

• Establish and monitor control parameters programmatically using Amazon CloudWatch alarms.

• Record and justify deviations from automated processes.

• Create end user SLAs and support channels, then feed their requests into engineering.

[Diagram: HCLS engineers ↔ HCLS end users]

Page 25: (GEN117) AWS Compliance Summit

Records and Reports

Records: Logs in CloudTrail and CloudWatch; CloudFormation Templates and custom code; Application validation records; Virtual infrastructure qualification records; HCLS end user account info & training records; HCLS engineer account info & training records; AWS technical support cases

Record lifecycle:

Generate: Automated Logging vs Manual Creation

Use: Review; Analyze; Act, Present, or Submit

Retain: Keep originals or true copies; Define retention schedule & locations; Ensure protection & retrievability

Dispose: Record destruction authorization

Page 26: (GEN117) AWS Compliance Summit

Auditing

Review your…

AWS account credentials

IAM users

IAM groups

IAM roles

IAM providers for SAML and

OpenID Connect

Mobile apps

Amazon EC2 security

configurations

Resource-based policies in

other services like S3

Monitor activity in your AWS

account

Training records
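Most of the credential items in the review list above (account credentials, IAM users, MFA, access keys) are recorded in the IAM credential report, so the review can be scripted instead of clicked through. The script below is an added example written for this page, not AWS code or anything from the deck. It parses a report in the CSV layout that `aws iam get-credential-report` returns and flags the conditions an auditor looks for first. The embedded report is constructed sample data for a placeholder account 111122223333 with made-up users; the 90-day rotation limit is an assumed policy value.

```python
"""Flag weak credentials in an IAM credential report.

Added example, not code from the deck. The CSV columns are the ones AWS
documents for the credential report; the report text below is constructed
sample data. Findings are (user, code, detail) tuples so they can be filed
as audit evidence or asserted on in a test.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report. A real one comes from
#   aws iam generate-credential-report && aws iam get-credential-report
# (generation is asynchronous; retry get-credential-report until it is ready).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2014-01-10T12:00:00+00:00,not_supported,2015-09-01T08:00:00+00:00,not_supported,not_supported,false,true,2014-01-10T12:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-02-01T09:00:00+00:00,true,2015-10-05T14:00:00+00:00,2015-02-01T09:00:00+00:00,N/A,true,true,2015-08-01T09:00:00+00:00,2015-10-05T13:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2014-06-15T09:00:00+00:00,true,2015-10-01T10:00:00+00:00,2014-06-15T09:00:00+00:00,N/A,false,true,2014-06-15T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2015-05-20T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2015-05-20T09:00:00+00:00,2015-10-06T01:00:00+00:00,us-east-1,ec2,true,2015-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

_MISSING = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in _MISSING:
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return a list of (user, code, detail) findings.

    Codes: ROOT_ACCESS_KEY (detail = key numbers), ROOT_NO_MFA,
    NO_MFA (console password without MFA), KEY_STALE (detail = age in
    days), KEY_UNUSED (active key that has never been used).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]

        if user == "<root_account>":
            # Root should carry MFA and no long-lived API keys at all.
            if active_keys:
                findings.append((user, "ROOT_ACCESS_KEY", ",".join(active_keys)))
            if row["mfa_active"] != "true":
                findings.append((user, "ROOT_NO_MFA", ""))
            continue

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA", ""))

        for n in active_keys:
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None:
                age = (now - rotated).days
                if age > max_key_age_days:
                    findings.append((user, "KEY_STALE", age))
            # AWS writes N/A for an active key that has never been used.
            if row[f"access_key_{n}_last_used_date"] == "N/A":
                findings.append((user, "KEY_UNUSED", n))
    return findings


def audit_sample(now=datetime(2015, 10, 6, 12, 0, tzinfo=timezone.utc)):
    """Run the audit over the constructed report, dated to the summit."""
    return audit_credential_report(SAMPLE_REPORT, now)


if __name__ == "__main__":
    for user, code, detail in audit_sample():
        print(f"{user:16} {code:16} {detail}")
```

Run against the sample, the script reports the root account's active access key and missing MFA, a console user without MFA holding a 478-day-old key that was never used, and a service user with two stale keys, one of them unused. The same output, kept with the report it was produced from, is the kind of retained record the previous slide asks for.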

Page 27: (GEN117) AWS Compliance Summit

In Summary

Infrastructure as Code is fundamentally transforming

HCLS IT compliance

Automation and shorter change cycles require rethinking

traditional SDLCs

Cloud skills are the new job skills qualifications

HCLS organizations are achieving more control with less

effort than ever before

Page 28: (GEN117) AWS Compliance Summit

Upcoming Sessions This Week

ARC305 - Self-service Cloud Services: How J&J Is Managing AWS at Scale for

Enterprise Workloads

ARC311 – Decoding the Genetic Blueprint of Life on a Cloud Connected Ecosystem,

ThermoFisher

BDT316 – Offloading ETL to Amazon EMR, Amgen

SEC304 - Architecting for HIPAA Compliance on AWS, Emdeon

SEC310 - Splitting the Check on Compliance and Security: Keeping Developers and

Auditors Happy in the Cloud

SEC312 - Reliable Design and Deployment of Security and Compliance

SEC313 – Security and Compliance at Petabyte Scale: Lessons from the National

Cancer Institute's Cancer Genomics Cloud Pilot

Page 29: (GEN117) AWS Compliance Summit

Helpful Resources

Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/

Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/

Compliance Center Website: https://aws.amazon.com/compliance

Security Center: https://aws.amazon.com/security

Security Blog: https://blogs.aws.amazon.com/security/

AWS Audit Training: [email protected]

AWS Loft New York: Audit Days

Security By Design: https://aws.amazon.com/compliance/security-by-design

Page 30: (GEN117) AWS Compliance Summit

Thank you!

Page 31: (GEN117) AWS Compliance Summit


October 6, 2015

Using AWS in Financial Services

Page 32: (GEN117) AWS Compliance Summit

Chad Woolf

Director of Risk and Compliance

Page 33: (GEN117) AWS Compliance Summit

Tony Spinelli

Senior Vice President, Chief Information Officer

Page 34: (GEN117) AWS Compliance Summit


Largest direct bank

4th largest credit card issuer in the U.S.:

• $310.5 billion in assets

• $209.7 billion in loans

• $208.8 billion in deposits

• 65+ million accounts

• 46,000+ associates

• A FORTUNE 500 Company - #124

Accomplishments in AWS Regulated Workloads

• Experimentation: e.g. mobile pilots, hackathons

• Development & Test: e.g. online banking, stream data processing

• Production: e.g. mobile banking app, core banking platform

AWS Services We Use

• Compute: EC2, ELB

• Storage: EBS, S3

• Database: RDS

• Network: VPC, DirectConnect, Route53

• Admin & Security: IAM, CloudTrail, CloudWatch, Config, CloudHSM, KMS

• Deployment & Management: CloudFormation

• Application & Mobile: SQS, SNS

How Did We Do It?

• Due diligence service-based assessment

• Governance model and standards playbook

• Security by design for workloads, including in-house and third party developed tools

Page 35: (GEN117) AWS Compliance Summit

Daniel Schaefer

DevOps Team Lead

Page 36: (GEN117) AWS Compliance Summit

We provide faster payment

connections to financial

institutions

We provide features and controls

to businesses that make the

payments system easier

Accomplishments in AWS Regulated Workloads

1. Strong Authentication (MFA)

2. Identity Access Management

3. Segmentation/isolation of resources

AWS Services We Use

IAM - Users, Access Policies

EC2, ECS - Scalability, Auto recovery

S3, RDS, ElastiCache - Storage, Caching, Search

Redshift, EMR - Big Data, Data Warehouse, Reporting

VPC, Route 53 - Isolation, Firewall, Subnets

CloudFormation - Automation

How Did We Do It?

● Infrastructure as code - changes have clear audit trail

● Iterative approach to infrastructure - Evolved over time, kept up to date with leading practices.

● Defined mapping of integrated compliance requirements

● Avoid theater - Evaluate the security/compliance goal and develop a process that accomplishes the goal while allowing for rapid and easy development.

Page 37: (GEN117) AWS Compliance Summit

Miles Wellesley

Head of Business Development

Page 38: (GEN117) AWS Compliance Summit

Our mission is to democratize access to the financial markets and inspire a new generation of

investors.

OUR MISSION

Page 39: (GEN117) AWS Compliance Summit

Robinhood is the first financial services

firm to win an Apple Design Award.

Page 40: (GEN117) AWS Compliance Summit

SNS

Auto Scaling

Direct Connect

EC2

IAM

Lambda

Elasticache

EBS

S3

ELB

VPC

RDS

Data Pipeline

Redshift

Route 53

CloudWatch

Page 41: (GEN117) AWS Compliance Summit

Systems must be secure, redundant, and available

Innovative workflows: Documents associated with user profiles (S3)

Security: Security through encryption and narrow permissions scoping (IAM)

Redundancy / Business Continuity: Backups and snapshots

Combating Fraud: Data Science without a Data Science Infrastructure Team (Redshift)


Page 45: (GEN117) AWS Compliance Summit

THANK YOU

Page 46: (GEN117) AWS Compliance Summit

Nicki Sonpar

Director of Data Platforms

Page 47: (GEN117) AWS Compliance Summit
Page 48: (GEN117) AWS Compliance Summit

About Intake Ecosystem

As part of its regulatory mission, FINRA requests and receives information from broker-dealers

In addition to Market Big Data, millions of documents are submitted each year - documents can be up to 100’s of gigabytes

Customers are uploading more and larger documents – 20% YoY submission growth

All document uploads must be auditable in case of litigation

Page 49: (GEN117) AWS Compliance Summit

Requirements

Centralize all document intake into Unified Data Catalog leveraged by FINRA

users and applications

Leverage proven cloud-based services such as storage, security and network

infrastructure to deliver business functionality

FINRA must manage and control encryption in transit and at rest

Maintain focus on FINRA’s key mission of analyzing data while minimizing

operational overhead

Page 50: (GEN117) AWS Compliance Summit

Approach

Build a large file service which uses S3, KMS, and IAM policies to ensure compliance with FINRA policies

Firms directly submit data to AWS with temporary write-only access to a fixed location

Data is always encrypted, in transit and at its final destination

Leveraged FINRA’s Data Manager which provides a Unified Data Catalog and usage tracking on top of AWS Storage

[Diagram: Large File Service]

Page 51: (GEN117) AWS Compliance Summit

Lessons Learned

Refine and review architecture with your Security Team and AWS SMEs

Gigabyte uploads require security token refresh during the upload process

KMS keys are not replicated across regions, therefore a duplicate object in

another region requires re-encryption – this is on AWS’ roadmap!

Partner with your AWS Pro Serv and internal product teams to build your service layer

Page 52: (GEN117) AWS Compliance Summit

Future

Migrate all documents which are less than 5

years old to S3 and Glacier

Unified Data Catalog gives us new opportunities to

apply data mining, machine learning and

pattern-recognition across all documents

Move all existing Data Intake platforms and

applications to the cloud

Page 53: (GEN117) AWS Compliance Summit


Jodi Scrofani

Global Financial Services Compliance Strategist

October 6, 2015

Strengthening Your GRC: Financial Services

Page 54: (GEN117) AWS Compliance Summit

What to Expect from the Session

- AWS services and tools give financial services customers transparency into AWS services and security configurations.

- AWS services and tools offer financial services customers ease of auditability and streamline compliance requirements.

Page 55: (GEN117) AWS Compliance Summit

Risk Measures Critical to Moving to the Cloud (Direct Customer Feedback)

GLBA

National Regulations

PCI-DSS

Corporate Governance

Data Protection

Basel 3

Page 56: (GEN117) AWS Compliance Summit

U.S. Regulatory Guidelines that Apply to the Cloud

No published guidance

Third-Party Relationships: Risk Management (2013)

Initial cybersecurity guidelines (2014)

Technology-related risk management considerations (2003/2012)

Page 57: (GEN117) AWS Compliance Summit

Simplifying Compliance: Enabling Evidencing and Transparency

AWS Trusted Advisor

AWS IAM

AWS Config

Workbooks

Training

Page 58: (GEN117) AWS Compliance Summit

The Next Big Thing in GRC

1. The right Security By Design tech - AWS

2. SbD Whitepaper

3. AWS GoldBase

4. FFIEC & OCIE Audit Guides

5. IT Auditor Days & Training Courses

AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config

Page 59: (GEN117) AWS Compliance Summit

FFIEC & SEC Audit Guides (New)


Page 61: (GEN117) AWS Compliance Summit

IT Auditor Days

Customer

June 3, 2015

“I appreciated the firsthand view of the controls (access management, logging/auditing) available for governance. The training would not only be helpful for technology, but for risk/compliance and internal audit teams as well.”

Coming soon to San Francisco, London, and Berlin

Regulators (New)

IT AUDITOR DAY FOR U.S. FINANCIAL SERVICES REGULATORS

Thursday, December 3, 2015

AWS Loft | 350 West Broadway | New York, NY 10005

Amazon Web Services (AWS) offers a number of tools that allow customers transparency and ease of auditability of their AWS environment. AWS also recognizes that the regulatory community is critical to the auditing process of its customers.

That is why we are offering a free invitation-only seminar to U.S. financial services regulators that includes an introduction to and auditing of AWS's services. This hands-on training will introduce AWS services and apply practical exercises to demonstrate how AWS can enable customers to implement industry best practices for security and fulfill audit objectives related to Organizational Governance, Asset Configuration, Logical Access Controls, Operating Systems, Databases and Applications Security Configurations.

By the end of the day, you will understand how customers are using AWS and the technical control features of AWS that can demonstrate a repeatable, reportable, and auditable architecture, and the evidence supplied to demonstrate it.

WORKSHOP DETAILS

WHEN: Thursday, December 3, 2015

TIME: 10:30 AM TO 5:00 PM (EST)

WHERE: AWS Loft, 350 West Broadway, New York, NY 10013

WHO SHOULD ATTEND

U.S. financial services regulators who are responsible for auditing financial services organizations who are AWS customers.

This is a closed event for U.S. Financial Services Regulators Only: the Federal Reserve, the Federal Reserve of New York, the Securities Exchange Commission, the Office of the Comptroller of the Currency, the U.S. Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the National Association of Insurance Commissioners.

PREREQUISITES

We recommend, but do not require, that attendees of this course have some familiarity with general

December 3, 2015

Page 62: (GEN117) AWS Compliance Summit

Related Sessions

• SEC 312 - Reliable Design and Deployment of

Security and Compliance (1:30 p.m.

Wednesday/Delfino 4005)

• SEC 302 - IAM Best Practices to Live By (1:30 p.m.

Wednesday – see the replay)

• SEC 324 – Security Insights into Your Application

Deployments (5:30 p.m. Wednesday)

• SEC305 - How to Become a Policy Ninja in 60

Minutes or Less (11:00 p.m. Thursday)

• SEC314 - Full Configuration Visibility and Control

with AWS Config (5:30 p.m. Thursday/Palazzo K)


Page 64: (GEN117) AWS Compliance Summit

Thank you!

Page 65: (GEN117) AWS Compliance Summit


Using AWS in Public Sector

Page 66: (GEN117) AWS Compliance Summit

Chad Woolf

Director of Risk and Compliance

Page 67: (GEN117) AWS Compliance Summit

Justin Ewald

IT Architecture / Infrastructure Manager

Page 68: (GEN117) AWS Compliance Summit

City of Houston, Public Works

& Engineering

AWS Services We Use

Accomplishments in AWS Regulated Workloads

1. Utility billing system for 500,000 customers and $1.2 billion in annual

revenue.

2. Collect and store 3.7 billion water meter reads annually.

3. Advanced analytics provide early leak detection, conserving water.

4. AWS PCI Compliance ensures that a system of this magnitude is

secure.

5. Additional initiatives moved to AWS: ReBuild Houston, Electronic

Plan Review.

• Amazon EC2

• Amazon VPC

• Amazon Access Control

Page 69: (GEN117) AWS Compliance Summit

Albert "Scotty" Ellis, CISSP

Assistant Director, Center for Collaborative and

Interactive Technologies

Page 70: (GEN117) AWS Compliance Summit

GIVING LIFE TO POSSIBLE

AWS Services We Use: EC2, VPC, IAM, CloudTrail, CloudWatch, Glacier, EBS, AWS CLI, SES, SNS, RDS, Route 53

Accomplishments in AWS Regulated Workloads

1. Better security. Better functionality. A win-win.

2. Easier planning, better cost control, more automation.

3. Faster feature development.

How Did We Do It?

An interlocking combination of the services and personnel training.

Making distinct compliance levels in our infrastructure as per our various site/application requirements.

Page 71: (GEN117) AWS Compliance Summit

Albert "Scotty" Ellis, CISSP

Assistant Director, Center for Collaborative and Interactive

Technologies

Baylor College of Medicine

Email: [email protected]

Page 72: (GEN117) AWS Compliance Summit

Noah Kunin

Infrastructure Director

Rajat Ravinder Varuni

Information Systems Security Officer

Page 73: (GEN117) AWS Compliance Summit

Bureaucracy hacking our

way to the cloud

Page 74: (GEN117) AWS Compliance Summit
Page 75: (GEN117) AWS Compliance Summit
Page 76: (GEN117) AWS Compliance Summit
Page 77: (GEN117) AWS Compliance Summit

Let's ship it!

Page 78: (GEN117) AWS Compliance Summit

Or not.

Page 79: (GEN117) AWS Compliance Summit

This isn't rocket science

Page 80: (GEN117) AWS Compliance Summit

Is the launch checklist working?

Page 81: (GEN117) AWS Compliance Summit

The U.S. Government's

Digital Launch Checklist

Page 82: (GEN117) AWS Compliance Summit

Records Management

Records Schedule

Privacy Act

Paperwork Reduction Act

Section 508 and Accessibility Standards

Federal Acquisition Regulation

Anti-deficiency Act

Economy Act

E-Government Act

Computer Matching Act

National Cyber Protection System

Guidance for Agency Use of Third-Party Websites and Applications

Social Media and Web-Based Interactive Technologies

Office of Management Budget Circular A-130 Appendix 3

Federal Information Security and Management Act

Federal Information Processing Standard (FIPS) 199

Federal Information Processing Standard (FIPS) 200

Federal Information Processing Standard (FIPS) 140-2

Special Publication 800-37

Special Publication 800-53 Revision 4

Special Publication 800-60 Volume 1

Special Publication 800-60 Volume 2

Page 83: (GEN117) AWS Compliance Summit

Special Publication 800-18

Special Publication 800-137

Special Publication 800-171

Special Publication 800-133

Special Publication 800-95

EINSTEIN Compliance

FedRAMP

OMB Guidance on third party websites and applications

OMB Memo M-14-04

OMB Memo M-15-01

Trusted Internet Connection 2.0 Reference Architecture

Pages in total: 4006

Page 84: (GEN117) AWS Compliance Summit

My friend, you can clearly see

the intention of FIPS 140-2

Annex A was to deprecate

SHA-1 on the lunar new

year...

Page 85: (GEN117) AWS Compliance Summit

How long is this going to take?

Page 86: (GEN117) AWS Compliance Summit

6 - 14 months to ship

Page 87: (GEN117) AWS Compliance Summit
Page 88: (GEN117) AWS Compliance Summit
Page 89: (GEN117) AWS Compliance Summit

Speed is the new security.

Page 90: (GEN117) AWS Compliance Summit
Page 91: (GEN117) AWS Compliance Summit
Page 92: (GEN117) AWS Compliance Summit
Page 93: (GEN117) AWS Compliance Summit
Page 94: (GEN117) AWS Compliance Summit
Page 95: (GEN117) AWS Compliance Summit

Rajat Ravinder Varuni, Information Systems Security Officer

Page 96: (GEN117) AWS Compliance Summit

Lessons Learned

Page 97: (GEN117) AWS Compliance Summit

Information Systems can be TIC compliant by leveraging native AWS services.

Page 98: (GEN117) AWS Compliance Summit

AWS Config

TIC Operations:

✓ Inventories

✓ Ownership and awareness

✓ Configuration + change mgmt

Page 99: (GEN117) AWS Compliance Summit

AWS VPC

TIC Services:

✓ Framework for packet filtering

✓ Ensures network segmentation

✓ Feeds monitoring engine

Page 100: (GEN117) AWS Compliance Summit
Page 101: (GEN117) AWS Compliance Summit
Page 102: (GEN117) AWS Compliance Summit

What's next?

Page 103: (GEN117) AWS Compliance Summit

More alerts

Page 104: (GEN117) AWS Compliance Summit

"Game day"

planning

Page 105: (GEN117) AWS Compliance Summit

Visualize the data

Page 106: (GEN117) AWS Compliance Summit


Jenn Gray

October 6, 2015

Using AWS to Enforce TIC

AWS/18F FedRAMP-TIC Overlay Pilot

Page 107: (GEN117) AWS Compliance Summit

What to Expect from the Session

• What is the AWS/FedRAMP-TIC Overlay Pilot?

• What can I use to build my TIC overlay

assessment using AWS?

• How can I audit and capture flow logs to ease

satisfying more than one TIC Capability?

• How can I automate enforcing TIC Capabilities

using AWS?

Page 108: (GEN117) AWS Compliance Summit

What is the Trusted Internet Connection (TIC)?

As outlined by OMB Memorandum M-08-05

• Optimize and standardize

• Reduce & consolidate

• Enhanced monitoring and situational awareness of external network

connections.

Page 109: (GEN117) AWS Compliance Summit

Proposed Draft FedRAMP – TIC Overlay

Page 110: (GEN117) AWS Compliance Summit

Use AWS/TIC Overlay Shared Responsibility Matrix

[Chart: AWS Shared Responsibility for TIC Capabilities. Bars for TIC Capabilities Met by AWS FedRAMP ATO, Adjusted, Shared, Customer, and Total; the values legible on the chart are 72, 60, 55, 43 and 12]

Page 111: (GEN117) AWS Compliance Summit

Use AWS/TIC Overlay Test Plans

Page 112: (GEN117) AWS Compliance Summit

Use VPC flow logs and other AWS audit sources to ease satisfying more than one TIC Capability with a single configuration change

Sources: AWS CloudTrail, Amazon CloudWatch, AWS VPC, Amazon S3, AWS Elastic Load Balancing
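Enabling a VPC flow log is the single configuration change the slide refers to; what turns the records into evidence for more than one TIC capability is the analysis run over them. The script below is an added example written for this page, not material from the AWS/18F pilot. It parses records in the default version-2 flow log format and derives two findings from one log source: rejected inbound connection attempts against private hosts (boundary filtering is working and being exercised) and accepted egress from private subnets that did not leave through the approved TIC path (traffic bypassing the TIC). The sample records, the 10.0.0.0/8 internal range and the 192.0.2.0/24 range standing in for the hop toward the TIC provider are all constructed.

```python
"""Derive two TIC-style findings from VPC Flow Logs (default version-2 record
format): rejected inbound probes against private hosts, and accepted egress
from private subnets that did not leave through the approved TIC path.

Added example, not from the AWS/18F pilot. The sample records, the internal
range and the "approved egress" range are constructed.
"""
import ipaddress
from collections import Counter

# Field order of a version-2 flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Address ranges are explicit rather than ipaddress.is_private/is_global,
# because Python classes the RFC 5737 documentation ranges used below as
# private, which would hide the sample egress.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
# Compliant egress must leave via the TIC provider; in the constructed
# topology that path is reached through this range (a proxy/VPN hop).
APPROVED_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample. Real records land in CloudWatch Logs once a flow log
# is enabled on the VPC, subnet or network interface.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.25 203.0.113.9 49152 443 6 20 4000 1444000000 1444000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55123 22 6 1 60 1444000000 1444000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55124 3389 6 1 60 1444000010 1444000070 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55125 22 6 1 60 1444000020 1444000080 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 192.0.2.50 49153 443 6 10 2000 1444000000 1444000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49154 5432 6 30 9000 1444000000 1444000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1444000000 1444000060 - NODATA
"""


def _in(addr, networks):
    return any(addr in n for n in networks)


def parse_record(line):
    """Return a dict for a usable record, or None for NODATA/SKIPDATA/blank lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # no addresses or counters to work with
    rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
    rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
    for f in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[f] = int(rec[f])
    return rec


def analyze(log_text):
    """One pass over the log, two capability checks.

    Returns {"egress_bypassing_tic": [(src, dst, dport, bytes), ...],
             "rejected_inbound": [(src, dport, count), ...]}
    """
    bypass = []
    rejected = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if (rec["action"] == "ACCEPT" and _in(src, INTERNAL)
                and not _in(dst, INTERNAL) and not _in(dst, APPROVED_EGRESS)):
            # Accepted flow from inside to an outside address not on the TIC path.
            bypass.append((str(src), str(dst), rec["dstport"], rec["bytes"]))
        elif rec["action"] == "REJECT" and _in(dst, INTERNAL) and not _in(src, INTERNAL):
            # Filtering at the boundary did its job; count probes per source/port.
            rejected[(str(src), rec["dstport"])] += 1
    return {"egress_bypassing_tic": bypass,
            "rejected_inbound": sorted((s, p, c) for (s, p), c in rejected.items())}


def analyze_sample():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for name, rows in analyze_sample().items():
        print(name)
        for row in rows:
            print("  ", row)
```

On the sample, the internal host's HTTPS session to 203.0.113.9 is reported as egress that bypassed the TIC, its session to 192.0.2.50 is not, and the three rejected SSH/RDP probes from 198.51.100.7 are summarised by source and port. A CloudWatch Logs metric filter on the same records, alarming when the first list is non-empty, would cover the "more alerts" item on the earlier What's next slide.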

Page 113: (GEN117) AWS Compliance Summit

Look for Upcoming AWS Customer Resources

AWS/TIC Overlay Use Case and Whitepaper

Gold Base

TIC Connection Scenarios using AWS

Page 114: (GEN117) AWS Compliance Summit

[Diagram: Amazon VPC Architecture. The router on the customer's network connects through the TIC provider over a secure circuit, then over the Internet or Direct Connect via a secure VPN connection to a VPN Gateway in the Amazon Web Services cloud; private subnets in the VPC hold the isolated AWS customer resources]


Page 116: (GEN117) AWS Compliance Summit

Success!

“AWS answered the call of the Department of Homeland Security (DHS)

Trusted Internet Connections (TIC) Program Management Office (PMO)

and FedRAMP PMO for CSPs to participate in their FedRAMP - TIC

Overlay Pilots in order to help develop a solution towards data security and

network connections between federal agency networks and cloud service

providers.

AWS successfully completed the pilot and provided their assessment of

addressing the controls identified in the Draft FedRAMP-TIC Overlay to

DHS TIC and FedRAMP PMO to develop further guidance on TIC Ready

CSP solution.”

Matthew Goodrich, FedRAMP Director, US General Services Administration

Sara Mosely, Branch Chief, US Department of Homeland Security, Trusted Internet Connection

Page 117: (GEN117) AWS Compliance Summit

Want More Info?

Email: [email protected]

Subject: AWS/FedRAMP-TIC Overlay Pilot

Copy of Draft FedRAMP-TIC Overlay

https://www.fedramp.gov/draft-fedramp-tic-overlay/

Page 118: (GEN117) AWS Compliance Summit

Thank you!