Citadel Cloud Management

Government Cloud FedRAMP Architecture

Architecture Blueprints
$89.00 (regular price $129.00, 31% OFF)

By Citadel Cloud Management


Product Description

The Problem This Blueprint Solves

Your company won a federal contract that requires FedRAMP Moderate authorization for your cloud application. The System Security Plan template is 400 pages, the NIST 800-53 Rev 5 control catalog has 325 controls at the Moderate baseline, and your 3PAO assessment starts in 6 months. Your team has never navigated the FedRAMP process and does not know which AWS GovCloud services map to which NIST controls.

This blueprint is the FedRAMP Moderate architecture I built for a federal health IT contractor that achieved Authority to Operate through the Joint Authorization Board pathway, handling CUI and PII for 2.3M federal employees.

What You Get

  • Architecture diagrams — FedRAMP authorization boundary, data flow diagrams (Level 3), network topology with FIPS 140-2 encryption points, and continuous monitoring architecture (Draw.io)
  • Terraform modules — AWS GovCloud VPC with FIPS endpoints, Config rules mapped to NIST 800-53 controls, CloudTrail with FIPS-validated encryption, KMS with FIPS 140-2 Level 3 HSM backing, and Security Hub with NIST 800-53 standard
  • SSP contribution package — Control implementation statements for the infrastructure-related controls in the 325-control Moderate baseline, formatted for direct insertion into FedRAMP SSP templates
  • ConMon (Continuous Monitoring) automation — Monthly vulnerability scan configuration, POA&M tracking spreadsheet, and automated deviation reporting

Key Architecture Decisions

  • AWS GovCloud over Commercial AWS with compliance overlays — FedRAMP Moderate requires data residency in the US, FIPS 140-2 validated encryption endpoints, and personnel with US citizenship managing infrastructure. GovCloud provides all three as platform guarantees. Commercial AWS requires you to prove each requirement independently — possible but significantly more audit burden.
  • FIPS 140-2 endpoints for all service access — Every AWS API call must use FIPS-validated TLS endpoints. The Terraform modules configure provider endpoints to use *.fips.us-gov-west-1.amazonaws.com patterns automatically. A single non-FIPS API call is an audit finding.
  • Separate authorization boundary per application — Combining multiple applications into one FedRAMP boundary seems efficient but means any change to any application requires re-assessment of the entire boundary. Separate boundaries let teams move independently and limit the blast radius of audit findings.
  • Config rules as continuous monitoring evidence — NIST CA-7 requires continuous monitoring. AWS Config with 800-53-mapped rules provides automated, continuous evidence collection. Your monthly ConMon report generates from Config data rather than manual checklist reviews.

Who This Blueprint Is For

  • Cloud Architects building their first FedRAMP-authorized environment on AWS GovCloud
  • Information System Security Officers filling out the System Security Plan
  • Federal contractors who need FedRAMP Moderate ATO to fulfill contract requirements
  • 3PAO assessors who want a reference architecture demonstrating NIST 800-53 implementation on AWS

Your First 48 Hours

Set up your AWS GovCloud account (requires a commercial AWS account to create). Deploy the VPC Terraform module and verify that all AWS API calls route through FIPS endpoints by checking CloudTrail logs for *.fips. in the API endpoint field. On day two, deploy the Config rules mapped to NIST 800-53 and run the initial compliance evaluation. The resulting report shows your control implementation status across all 325 Moderate baseline controls — this becomes the foundation for your SSP.
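
The FIPS-endpoint requirement under Key Architecture Decisions and the CloudTrail check described above can be scripted. The following is an added example, not part of the blueprint's files. It assumes the endpoint is read from the CloudTrail `tlsDetails.clientProvidedHostHeader` field and that a FIPS hostname has a DNS label equal to `fips` or ending in `-fips`; the sample records are constructed.

```python
import json

# Constructed sample CloudTrail records (illustrative, not real log data).
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "tlsDetails": {"clientProvidedHostHeader": "kms-fips.us-gov-west-1.amazonaws.com"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "tlsDetails": {"clientProvidedHostHeader": "ec2.fips.us-gov-west-1.amazonaws.com:443"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "tlsDetails": {"clientProvidedHostHeader": "s3.us-gov-west-1.amazonaws.com"}},
 {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"}
]""")


def endpoint_host(record):
    """Hostname the caller connected to, or None when CloudTrail has no tlsDetails."""
    host = (record.get("tlsDetails") or {}).get("clientProvidedHostHeader")
    return host.split(":")[0].lower().rstrip(".") if host else None


def is_fips_host(host):
    """Assumed naming rule: some DNS label is 'fips' or ends with '-fips'."""
    return any(label == "fips" or label.endswith("-fips") for label in host.split("."))


def classify(record):
    host = endpoint_host(record)
    if host is None:
        return "unknown"  # cannot be proven either way; review separately
    return "fips" if is_fips_host(host) else "non_fips"


def audit(records):
    """Group (eventSource, eventName, host) tuples by classification."""
    report = {"fips": [], "non_fips": [], "unknown": []}
    for rec in records:
        row = (rec.get("eventSource"), rec.get("eventName"), endpoint_host(rec))
        report[classify(rec)].append(row)
    return report


if __name__ == "__main__":
    for status, rows in audit(SAMPLE_RECORDS).items():
        for source, name, host in rows:
            print(f"{status:9} {source:22} {name:18} {host}")
```

Records without `tlsDetails` are reported as `unknown` rather than counted as compliant. A virtual-hosted S3 bucket whose name ends in `-fips` would also match the naming rule, so S3 rows deserve a manual look.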

Limitations and Trade-offs

GovCloud has fewer services than commercial AWS — check the GovCloud service availability page before designing. Some services (Bedrock, newer AI services) are not available in GovCloud. FedRAMP authorization is a 12-18 month process minimum; this blueprint accelerates the technical implementation but does not replace the procedural requirements (3PAO selection, JAB prioritization, agency sponsorship). The SSP contribution package covers infrastructure controls only — application-level controls (AC-7 login attempts, AU-3 audit content) must be documented separately by your application team.

What You'll Get

  • Complete digital resource files
  • Ready-to-use templates and frameworks
  • Professional documentation included
  • Lifetime access to download updates

Frequently Asked Questions

What format are the files in?

All resources are delivered as industry-standard PDF, DOCX, and XLSX files. Templates include editable versions so you can customize them for your organization immediately after download.

Do I get lifetime access?

Yes. Once purchased, you can download your files anytime from your account. Updates to the resource are included at no extra cost.

What if this isn't right for me?

We offer a 30-day money-back guarantee. If the resource doesn't meet your expectations, contact us for a full refund — no questions asked.

“This toolkit saved me weeks of work. The templates were production-ready and I deployed them on my first AWS project within 48 hours of purchasing.”
Adebayo Oladipo, Cloud Engineer, Lagos