IT departments and MSPs that work with US government agencies and contractors must comply with strict security requirements about where and how data is stored, as well as who is involved in the process of hosting and managing it. AWS GovCloud (US) addresses this by providing two isolated, sovereign regions that are operated on US soil by vetted US citizens.
This article outlines how you can secure backup and recovery solutions with AWS GovCloud when dealing with data or clients covered by regulations, including ITAR, CJIS, FedRAMP, and DFARS. It covers infrastructure planning, compliance requirements, tooling recommendations, and operational best practices for supporting US public sector and defense workloads.
What is AWS GovCloud (US), and how does it differ from commercial cloud?
AWS GovCloud (US) consists of two isolated AWS regions (data centers in a physical geographic location), which are staffed only by US citizens. This allows you to use the cloud infrastructure located in this region to process and store sensitive data that is covered by special requirements for US government data.
This differentiates it from other commercial public cloud offerings that may be staffed by non-US citizens, located outside of the United States, or that are not physically and logically isolated from other infrastructure that does not meet the same security standards.
The primary features offered by AWS GovCloud (US) include:
- Physically and logically isolated infrastructure
- Controlled and staffed by US citizens on US soil
- Support for US government regulations protecting sensitive data, including FedRAMP High, ITAR, CJIS, and DoD SRG IL4 and DoD SRG IL5
- Compatibility with AWS EC2, S3, RDS, Lambda, and backup integrations
To use these services, you must be eligible. Federal contractors, DoD subcontractors, state and local agencies requiring CJIS compliance, and other contractors, cloud service providers (CSPs), or managed service providers (MSPs) serving US federal, state, local, tribal, or defense-related agencies must validate their eligibility through AWS and demonstrate their compliance scope and user vetting.
Compliance and security alignment
The following compliance frameworks are explicitly supported by AWS GovCloud (US):
| Compliance Framework | AWS GovCloud (US) Support |
|---|---|
| FedRAMP High | Supported (government-wide ATO) |
| ITAR | Fully compliant with export control restrictions when correctly configured |
| CJIS | Meets FBI Criminal Justice security policies |
| DFARS/NIST 800-171 | Enables DoD contractor compliance with careful implementation |
| DoD SRG IL4/DoD SRG IL5 | Supported with proper workload configuration |
When designing your backup policies, it is best to align them with the specific agency requirements, and ensure that all compliance measures and technical safeguards are documented.
Building an MSP backup strategy in GovCloud
Before you design and implement an AWS GovCloud-based backup solution, make sure you fully understand your customer’s data classification (such as CUI, ITAR, FCI, or classified IL4–IL6), and which regulations apply to them. Then, you can build your backup solution to meet these requirements.
While GovCloud provides infrastructure that helps you stay compliant with US government security requirements and laws, it is vital that you consult with legal and technical experts who are familiar with this landscape throughout the planning and implementation process. Contacting the vendors of specific products is a recommended first step, as they will have an understanding of how their products meet compliance, and will have experience onboarding other customers with similar requirements.
Step 1: Select a compatible backup tool
The backup tools you use must be compatible with storage hosted in AWS GovCloud, as well as with AWS identity and access management (IAM) for access control. Products must also support WORM storage (write once, read many, i.e., data cannot be changed once written) and versioning for compliance.
Backup solutions that support integration with AWS GovCloud (US) include Dropsuite, Veeam, and Commvault.
Step 2: Configure data sovereignty settings
For data sovereignty, all data must remain within the United States and must not leave the AWS GovCloud Region. For this to be effective, replication to any non-GovCloud destination must be disabled in every backup tool you use.
Encryption is also a requirement. Encryption key management can be performed using AWS KMS with customer-managed keys (CMKs) from within GovCloud.
Step 3: Automate backup and retention policies
Automation ensures compliance is not affected by human error. Schedule backups based on your recovery time objectives (RTO) and recovery point objectives (RPO), and apply lifecycle policies. Tiered storage (e.g., S3 Standard and S3 Glacier) can be leveraged for cost-effective and compliant backups.
Assess and implement AWS storage features that enable compliance, such as S3 Object Lock to create immutable backups and versioning for creating historical backups that are storage-efficient.
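The sovereignty, encryption, immutability and versioning requirements from Steps 2 and 3 can be checked mechanically. The following audit function is an added example, not code from the article or from any vendor named in it: it walks a bucket configuration shaped like the S3 GetBucket* and KMS DescribeKey API responses and reports each deviation (bucket outside the GovCloud regions, versioning off, Object Lock not in COMPLIANCE mode, default encryption not SSE-KMS with a customer-managed GovCloud key, or a replication rule pointing outside the aws-us-gov partition). The account ID, key ID and bucket names are constructed sample values.

```python
"""Offline compliance checks for an S3 backup bucket in AWS GovCloud (US).
Config dicts mirror the response shapes of the S3 GetBucket* and KMS DescribeKey
APIs, so a real audit would fill them from boto3 calls; the sample values below
are constructed for illustration and do not come from any account."""
import re

GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
GOVCLOUD_ARN = re.compile(r"^arn:aws-us-gov:")  # ARNs in the GovCloud partition

def audit_backup_bucket(cfg: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    region = cfg.get("location", {}).get("LocationConstraint")
    if region not in GOVCLOUD_REGIONS:  # data sovereignty: bucket must live in GovCloud
        findings.append(f"bucket region {region!r} is not a GovCloud region")
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    lock = cfg.get("object_lock", {}).get("ObjectLockConfiguration", {})
    mode = lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if lock.get("ObjectLockEnabled") != "Enabled" or mode != "COMPLIANCE":
        findings.append("Object Lock is missing or not in COMPLIANCE (WORM) mode")
    rules = cfg.get("encryption", {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    sse = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    manager = cfg.get("kms_key", {}).get("KeyMetadata", {}).get("KeyManager")  # CUSTOMER vs AWS
    if (sse.get("SSEAlgorithm") != "aws:kms"
            or not GOVCLOUD_ARN.match(sse.get("KMSMasterKeyID", "")) or manager != "CUSTOMER"):
        findings.append("default encryption is not SSE-KMS with a GovCloud customer-managed key")
    for rule in cfg.get("replication", {}).get("ReplicationConfiguration", {}).get("Rules", []):
        dest = rule.get("Destination", {}).get("Bucket", "")
        if not GOVCLOUD_ARN.match(dest):  # any copy leaving the partition breaks sovereignty
            findings.append(f"replication rule sends data outside GovCloud: {dest}")
    return findings

def make_config(region, versioning, lock_mode, sse_algo, key_arn, key_manager, repl_dest=None):
    """Build a bucket config in the API response shapes above (constructed sample data)."""
    cfg = {"location": {"LocationConstraint": region}, "versioning": {"Status": versioning},
           "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                           "Rule": {"DefaultRetention": {"Mode": lock_mode, "Days": 365}}}},
           "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
               {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": sse_algo, "KMSMasterKeyID": key_arn}}]}},
           "kms_key": {"KeyMetadata": {"KeyManager": key_manager}}}
    if repl_dest:
        cfg["replication"] = {"ReplicationConfiguration": {"Rules": [{"Destination": {"Bucket": repl_dest}}]}}
    return cfg

COMPLIANT = make_config("us-gov-west-1", "Enabled", "COMPLIANCE", "aws:kms",
                        "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/EXAMPLE-KEY-ID", "CUSTOMER")
WEAK = make_config("us-east-1", "Suspended", "GOVERNANCE", "AES256", "", "AWS", "arn:aws:s3:::commercial-dr-bucket")
```

Running `audit_backup_bucket` over both samples returns no findings for `COMPLIANT` and five for `WEAK`, one per violated requirement.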
Step 4: Audit logs and secure access
You must be able to prove compliance when requested by a government body. CloudTrail should be configured within your AWS GovCloud region for change tracking, so that all relevant user and API activity is logged.
Multi-factor authentication (MFA) should be enforced for all administrators (and ideally, all users), and IAM roles should be scoped to only the permissions each user or service needs for its tasks, following the principle of least privilege.
Integration with Microsoft GCC High
If you use Microsoft 365 GCC High, a similar cloud service targeting US government contractors, you must back up the data stored in it to a service that has compliance parity. This limits options for backing up data covered by US government data protection frameworks.
AWS GovCloud (US) helps you overcome this hurdle by providing compliant infrastructure that can serve as the backup location in a multi-cloud deployment, so that compliant Microsoft 365 infrastructure is not paired with backups stored in commercial cloud regions, in violation of regulations.
Additional data security considerations and best practices for MSPs and CSPs
There are several additional considerations and best practices that multi-tenant MSPs and CSPs can adopt to enhance their use of AWS GovCloud and help ensure compliance with data protection laws:
- Separate client data
- Encrypt data and restrict access using role-based access control (RBAC) and enact the principle of least privilege (PoLP)
- Ensure your backup system offers audit logs, legal holds, and chain-of-custody functionality
- Educate staff on how to handle regulated data, and make them aware of their responsibilities, including export controls and client-specific SLA needs
You should regularly test your recovery process, and verify that your backups contain all the required data, meet compliance standards, and can be restored within the agreed RTOs.
Compliance across your IT management toolchain
Maintaining the legal compliance necessary to work as a US government contractor or subcontractor is complex, requiring adherence to multiple stringent security standards across your IT infrastructure and processes.
Choosing tools that assist with this compliance is key to an efficient operation that lets you handle multiple clients that operate in government-regulated environments. Using AWS GovCloud (US) is one of these measures, ensuring data sovereignty and that the required technical safeguards are in place.
Managing your IT infrastructure, and that of your clients, also requires compliance. NinjaOne offers a unified IT management platform, including backup, remote monitoring and management (RMM), mobile device management (MDM), and customer support tools. We’re compliant with a number of US government data protection frameworks out of the box (with more to come), and our tools can be configured to store data on AWS GovCloud to meet higher compliance needs.
If you’re an MSP operating in the public sector and want to streamline your IT operations and scale faster, contact a NinjaOne representative to discuss your security and compliance requirements.