# FedRAMP region and boundary decision matrix (AWS)

Pick **commercial US East/West** vs **AWS GovCloud (US)** by impact level, personnel
restrictions, and whether your SSP inherits AWS P-ATO or you need a full agency ATO.

> Reflects **July 2026** guidance: GovCloud (US) FedRAMP High JAB P-ATO, commercial
> US regions FedRAMP Moderate JAB P-ATO, default US-citizen GovCloud support (June 2026).

## 1. "What impact level is the data?"

| Data class | Typical examples | Default AWS boundary | Escalate when |
|------------|------------------|----------------------|---------------|
| Low / Moderate (FIPS 199) | Public-facing citizen portals, aggregated analytics | **Commercial US East/West** (FedRAMP Moderate P-ATO) | Agency mandates GovCloud for all workloads |
| High (CUI, PHI, PII at scale) | Defense subcontracts, federal health, criminal justice | **AWS GovCloud (US-East / US-West)** (FedRAMP High P-ATO) | Export-controlled (ITAR/EAR) — GovCloud + US-person support only |
| State / local (no FedRAMP mandate) | Municipal SaaS, state Medicaid interfaces | Commercial + HIPAA/SOC 2 controls | State RFP requires FedRAMP Moderate inheritance |

**Opinionated default:** If the contract cites **NIST SP 800-171** or **CMMC Level 2**, start in **GovCloud (US)** — commercial Moderate can work with a full 3PAO package, but GovCloud reduces the amount of inherited-control justification you have to argue in the SSP.

## 2. "Commercial vs GovCloud — when NOT to use GovCloud"

| Situation | Stay commercial |
|-----------|-----------------|
| No federal data, no CUI, no export-control clause | Commercial regions + standard Well-Architected |
| You need a service **not yet in GovCloud** | Commercial with compensating controls — document in SSP |
| Team cannot operate separate GovCloud accounts/IAM | Fix landing zone first — dual environments without guardrails fail audits |
| "GovCloud is more secure by default" | **False** — your configuration still must meet control baselines |

## 3. Inheritance vs full ATO

| Path | Timeline signal | Artifact you need |
|------|-----------------|-------------------|
| **Leverage AWS P-ATO** (most SaaS) | 3–6 months to agency ATO if controls mapped | Customer Responsibility Matrix (CRM) from AWS Artifact |
| **FedRAMP Agency ATO** | 9–18 months | Full SSP, POA&M, continuous monitoring plan |
| **StateRAMP / TX-RAMP** | Varies by state | State-specific overlay on Moderate baseline |

## 4. Personnel and support constraints

| Requirement | AWS answer (July 2026) |
|-------------|------------------------|
| US-person support only | GovCloud default US-citizen 24/7 support (no opt-in) |
| US soil data residency | GovCloud (US) regions — not commercial US alone for High |
| ITAR/EAR technical data | GovCloud + deny non-US-person admin roles in IAM |
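One way to enforce the "deny non-US-person admin roles" row above as a guardrail, as an added example that is not from the original post or from AWS: an SCP (or identity-based deny policy) that blocks IAM and Organizations administration unless the calling principal carries a `us-person=true` tag. The tag key `us-person` and the action list are assumptions; tag it on roles only after the HR/export-control screening process has actually verified the person.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAdminWhenUsPersonTagMissing",
      "Effect": "Deny",
      "Action": ["iam:*", "organizations:*", "account:*"],
      "Resource": "*",
      "Condition": {
        "Null": { "aws:PrincipalTag/us-person": "true" }
      }
    },
    {
      "Sid": "DenyAdminWhenNotUsPerson",
      "Effect": "Deny",
      "Action": ["iam:*", "organizations:*", "account:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIgnoreCase": { "aws:PrincipalTag/us-person": "true" }
      }
    }
  ]
}
```

The first statement catches principals with no tag at all (an absent key fails a positive match silently, so an explicit `Null` check makes the audit story clearer); pair it with a separate deny on `iam:TagRole` / `iam:UntagRole` for non-US-person principals, otherwise the tag itself becomes the bypass.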

## Related posts

- [NIST CSF 2.0 on AWS](/blog/nist-csf-2-0-aws-implementation-guide/)
- [Data residency and sovereignty](/blog/aws-data-residency-sovereignty-guide-2026/)
- [HIPAA on AWS checklist](/blog/hipaa-on-aws-complete-compliance-checklist/)
- [Enterprise governance guardrails](/blog/aws-enterprise-governance-guardrails-ou-taxonomy-2026/)
