After much anticipation, Red Hat OpenShift Service on AWS (ROSA) with hosted control planes in AWS GovCloud is now authorized against the FedRAMP High baseline controls in accordance with the Rev 5 authorization path. This means that customers are now able to use the hosted control plane architecture with ROSA in the AWS Government Community Cloud (GovCloud). 

The hosted control plane architecture, based on the HyperShift project, streamlines the classic ROSA architecture in AWS GovCloud by making more effective and efficient use of customer resources, which can lead to improved security posture, operational efficiency, and cost savings.

As part of the FedRAMP Authorization Act of 2022, the Federal Risk and Authorization Management Program (FedRAMP) was codified into law after 11 years of operation as a program. With this change, the FedRAMP Program Management Office (PMO) was empowered to find ways to accelerate procurement of commercial cloud service products to the federal government. While the experimental FedRAMP 20-X path to authorization comes into development, the traditional agency authorization path is now known as a “Rev 5 Authorization” in alignment with NIST 800-53 rev. 5, upon which it’s based. 

Since becoming authorized and listed on the FedRAMP Marketplace in 2024, Red Hat has continued to evolve to meet the demands of U.S. government agencies and their partners. ROSA with hosted control planes is the latest iteration of that journey. 

Some of the key customer benefits include:

  • Improved security posture: Since the control plane is hosted in a Red Hat-owned AWS service account, site reliability engineers (SREs) at Red Hat do not require broad permissions to manage those resources within the customer's AWS environment.
  • Enhanced operational reliability: Red Hat manages the underlying hosted control plane infrastructure, freeing you from operational overhead and reducing the chance of accidental misconfiguration or deletion of resources.
  • Reduced costs: ROSA with hosted control planes reduces the overall infrastructure footprint compared to ROSA on AWS classic deployments by eliminating the need for provisioning the infrastructure, leading to lower operational costs.
  • Faster cluster lifecycle management: You can quickly spin up or tear down clusters to optimize resources and reduce costs by only paying for what you use.

The second point is especially critical for anyone operating under FedRAMP requirements. With Red Hat managing the infrastructure entirely, software providers are able to reduce the scope of their own FedRAMP assessment even further than before. By taking advantage of the FedRAMP-Authorized ROSA with hosted control planes in AWS GovCloud, customers can see their own assessment scope reduced by up to approximately 70% of the FedRAMP High baseline controls. 

Not only will the initial assessment be faster, but because Red Hat is managing the infrastructure, the monthly continuous monitoring requirements are also reduced in scope. This helps alleviate the Day 2 operational burden that those offering FedRAMP services often underestimate, so customers can focus on delivering high-quality products faster and more efficiently to their own customers.


About the author

Josh Blaher is the FedRAMP Product Manager at Red Hat. He has spent more than a decade in the Federal IT space, supporting and leading a variety of transformative cloud solutions. He is an award-winning wildlife photographer who resides in Washington, DC with his partner and their cat.
