AWS compliance documentation is (in some cases?) protected under NDA. The content in the Control files in this repository may be in violation of that already.
While I have not dug into them myself, the AWS compliance packages likely dive into a lot of detail that is not directly needed by OpenControl users. The main use case of having a canonical set of AWS OpenControl Components is knowing what controls are fully inheritable, versus which have shared or full customer responsibility. Therefore, I would argue that it's not important that the control narrative includes any details about the implementation - it can simply say "Refer to the AWS FedRAMP package for details." Even so, I'm not sure if the list of controls implemented by AWS is considered proprietary information or not, or if they would be willing to release it in a non-restrictive way so they could be leveraged here.
Anyone have a contact at AWS to ask?
AWS compliance documentation is (in some cases?) protected under NDA. The content in the Control files in this repository may be in violation of that already.
While I have not dug into them myself, the AWS compliance packages likely dive into a lot of detail that is not directly needed by OpenControl users. The main use case of having a canonical set of AWS OpenControl Components is knowing what controls are fully inheritable, versus which have shared or full customer responsibility. Therefore, I would argue that it's not important that the control
narrativeincludes any details about the implementation - it can simply say "Refer to the AWS FedRAMP package for details." Even so, I'm not sure if the list of controls implemented by AWS is considered proprietary information or not, or if they would be willing to release it in a non-restrictive way so they could be leveraged here.Anyone have a contact at AWS to ask?