Document Management on FedRAMP-Authorised AWS GovCloud Infrastructure — for Federal Workloads Requiring FedRAMP Compliance
Federal agencies and the contractors that serve them operate under a specific set of requirements for cloud-based information systems. FedRAMP (Federal Risk and Authorization Management Program) provides a standardised framework for security assessment, authorisation, and continuous monitoring of cloud services used by federal agencies. Organisations managing federal documents — contract deliverables, grant records, regulatory filings, constituent correspondence, and agency records — need document management infrastructure that operates on FedRAMP-authorised cloud services.
FormKiQ Core supports deployment on AWS GovCloud (US West) — a FedRAMP High-authorised AWS region designed for sensitive government workloads. Commercial editions (Essentials, Advanced, Enterprise) deploy on standard AWS commercial regions, which carry their own FedRAMP authorisations. This gives federal agencies and their contractors a path to governed document management on infrastructure that meets FedRAMP requirements.
What FedRAMP Requires
FedRAMP is based on NIST SP 800-53 security controls, organised into three impact levels that correspond to the sensitivity of the data being processed. Understanding which impact level applies to your workload determines which AWS infrastructure — and which FormKiQ deployment model — is appropriate:
| FedRAMP Impact Level | Data Sensitivity | Use Case | FormKiQ Deployment |
|---|---|---|---|
| Low | Public or non-sensitive federal data | Federal websites, publicly available data, non-sensitive agency operations | AWS commercial regions (FedRAMP Authorised) |
| Moderate | Controlled unclassified information (CUI), PII, law enforcement sensitive | Most federal agency operations, contractor-managed federal data | AWS commercial regions (FedRAMP Authorised) or GovCloud |
| High | Highly sensitive data — law enforcement, emergency services, healthcare, financial | National security-adjacent workloads, high-impact federal systems | AWS GovCloud (US West) — FedRAMP High Authorised |
FormKiQ on AWS GovCloud
What GovCloud Provides
| Capability | Description |
|---|---|
| FedRAMP High authorisation | AWS GovCloud is authorised at the FedRAMP High impact level — the highest FedRAMP baseline |
| US-only access | GovCloud access restricted to US-based entities with verified US identities |
| Physical isolation | GovCloud regions are physically and logically separated from commercial AWS regions |
| ITAR compliance | GovCloud supports International Traffic in Arms Regulations (ITAR) workloads |
| DoD Impact Levels | GovCloud supports DoD IL2, IL4, and IL5 workloads |
| CJIS compliance | GovCloud supports Criminal Justice Information Services (CJIS) security policy requirements |
What FormKiQ Adds on GovCloud
GovCloud provides the infrastructure-level authorisation. FormKiQ provides the application-level controls that federal document management requires — controls that operate at the individual document level rather than at the infrastructure level. Together, they create a document management environment where both the infrastructure and the application satisfy federal security requirements:
| FormKiQ Capability | FedRAMP Relevance |
|---|---|
| Document-level access controls (ABAC) | Supports NIST AC-3 (Access Enforcement), AC-6 (Least Privilege) — document visibility tied to role, clearance, programme, and sensitivity classification |
| Audit trails | Supports NIST AU-2 (Audit Events), AU-3 (Content of Audit Records) — every document access, modification, and disposition event logged |
| Encryption at rest (KMS) | Supports NIST SC-28 (Protection of Information at Rest) — customer-managed encryption keys for all documents |
| Encryption in transit (TLS) | Supports NIST SC-8 (Transmission Confidentiality) — all API and console communication encrypted |
| Document versioning and integrity | Supports NIST SI-7 (Software, Firmware, and Information Integrity) — version control with integrity verification |
| Retention and disposition | Supports NIST SI-12 (Information Handling and Retention) — configurable retention with defensible disposition |
| Antivirus scanning | Supports NIST SI-3 (Malicious Code Protection) — ClamAV scanning at the point of ingestion |
Federal Document Types Managed in FormKiQ
Federal agencies and their contractors manage a broad range of document types — each with its own governance framework, retention requirements, and access control needs. The common thread is that all of these documents must be managed within infrastructure that meets FedRAMP requirements, and all must be producible for oversight, audit, and legal proceedings:
| Document Category | Examples | Federal Governance Considerations |
|---|---|---|
| Agency records | Policy documents, procedures, directives, internal memoranda, operational records | Federal Records Act; NARA retention schedules; records management programme requirements |
| Constituent correspondence | Incoming and outgoing correspondence with citizens, businesses, and other agencies | Response tracking; FOIA applicability; retention per correspondence type |
| Procurement documentation | Contract files, statements of work, proposals, deliverables, invoices, performance reports | FAR/DFARS requirements; contract file retention; audit readiness |
| Grant administration | Applications, award agreements, compliance reports, financial documentation, closeout records | 2 CFR 200; Single Audit; programme-specific requirements |
| FOIA records | FOIA request files, responsive records, redaction documentation, response correspondence | FOIA processing workflows; redaction support; response tracking |
| Personnel records | Federal employee records, SF-86 materials, position descriptions, performance documentation | OPM requirements; security clearance documentation; retention per NARA schedules |
| Regulatory filings | Public comments, regulatory submissions, enforcement documentation, compliance records | Agency-specific regulatory requirements; public records obligations |
| Classified and CUI | Controlled unclassified information requiring handling markings and access restrictions | CUI Registry categories; NIST SP 800-171 controls; marking and access enforcement |
NIST SP 800-53 Control Mapping
FedRAMP baselines are derived from NIST SP 800-53 security controls. Organisations pursuing or maintaining an Authority to Operate (ATO) need to demonstrate that their information systems implement applicable controls. FormKiQ's document management capabilities contribute to control implementation across eight NIST control families — these are the controls where document management directly supports or satisfies the requirement, as distinct from the infrastructure-level controls that AWS itself provides:
| Control Family | Controls Supported | FormKiQ Implementation |
|---|---|---|
| Access Control (AC) | AC-2, AC-3, AC-5, AC-6 | ABAC at document level; role separation; least privilege enforcement; unique user identification |
| Audit and Accountability (AU) | AU-2, AU-3, AU-6, AU-7, AU-12 | Document-level audit logging; audit record content (who, what, when, where); audit review and analysis; audit reduction |
| Configuration Management (CM) | CM-2, CM-3, CM-8 | CloudFormation-managed deployment; configuration change control; system component inventory |
| Identification and Authentication (IA) | IA-2, IA-5, IA-8 | Amazon Cognito with SAML SSO; MFA support; identification of non-organisational users |
| Incident Response (IR) | IR-4, IR-5 | Incident documentation workflows; audit trail analysis for incident investigation |
| Media Protection (MP) | MP-5, MP-6 | Encrypted storage (KMS); secure deletion with audit trail |
| System and Communications Protection (SC) | SC-8, SC-12, SC-13, SC-28 | TLS in transit; KMS key management; cryptographic protection; encryption at rest |
| System and Information Integrity (SI) | SI-3, SI-7, SI-12 | Antivirus scanning; document integrity verification; retention and disposition controls |
Compliance with Related Federal Frameworks
Federal document management doesn't operate under FedRAMP alone. Agencies and contractors must simultaneously satisfy multiple overlapping frameworks — FISMA, NIST SP 800-171 for CUI, the Federal Records Act, FOIA, FAR/DFARS, and others. FormKiQ's architecture supports compliance across these frameworks because the same capabilities (access controls, encryption, audit trails, retention, and disposition) serve multiple regulatory requirements simultaneously:
| Framework | Relationship to FedRAMP | FormKiQ Support |
|---|---|---|
| FISMA | FedRAMP satisfies FISMA requirements for cloud services | Deployment on FedRAMP-authorised infrastructure (GovCloud or commercial) |
| NIST SP 800-171 | Protecting CUI in non-federal systems | ABAC, encryption, audit trails, access controls aligned with 800-171 requirements |
| NIST SP 800-53 | Security controls underlying FedRAMP baselines | Control mapping across AC, AU, CM, IA, SC, SI families (see table above) |
| Federal Records Act | Federal agency records management obligations | Retention scheduling, disposition workflows, NARA transfer support |
| FOIA | Public access to federal records | Search and retrieval, classification-based access, redaction support, response tracking |
| Section 508 | Accessibility requirements for federal information technology | API-first architecture supports accessible front-end implementations |
| FAR / DFARS | Federal acquisition and defence procurement requirements | Contract document management, procurement file governance, deliverable tracking |
| ITAR | Export control for defence articles and services | GovCloud deployment; US-only access controls; data residency enforcement |
Who Uses FedRAMP Document Management on AWS
FedRAMP requirements affect a wider range of organisations than just federal agencies. Contractors, integrators, federally funded research institutions, and state and local agencies that receive federal data all face FedRAMP requirements — either directly or through flow-down provisions in contracts and data sharing agreements:
| Organisation Type | Document Management Needs | Key Drivers |
|---|---|---|
| Federal civilian agencies | Agency records, constituent correspondence, regulatory filings, FOIA programmes, personnel records | Federal Records Act, FISMA, FOIA, NARA requirements |
| Department of Defence | Mission documentation, procurement files, personnel records, operational records | DoD IL requirements, DFARS, NARA, security classification |
| Intelligence community contractors | Classified and CUI handling, programme documentation, security documentation | NIST SP 800-171, CUI handling, ITAR, security clearance requirements |
| Federal contractors and integrators | Contract deliverables, compliance documentation, subcontractor records, proposal management | FAR/DFARS, FedRAMP requirements flow-down, CMMC |
| Federally funded research institutions | Research data, grant documentation, compliance records, collaboration materials | 2 CFR 200, FISMA for federally funded systems, research data management |
| State and local agencies receiving federal data | Federal data received through data sharing agreements, joint programme records | CJIS, FTI (Federal Tax Information) handling, NIST SP 800-53 flow-down |
FormKiQ Editions for FedRAMP Workloads
| Capability | Core | Essentials | Advanced | Enterprise |
|---|---|---|---|---|
| AWS GovCloud (US West) Deployment | ✓ | | | |
| AWS Commercial Region Deployment | ✓ | ✓ | ✓ | ✓ |
| Document Storage (S3) & API | ✓ | ✓ | ✓ | ✓ |
| Tagging, Search & Classification | ✓ | ✓ | ✓ | ✓ |
| OCR (Tesseract) | ✓ | ✓ | ✓ | ✓ |
| OCR & IDP (Textract) | | ✓ | ✓ | ✓ |
| SSO (SAML — Entra, Google, Auth0) | | ✓ | ✓ | ✓ |
| Workflows, Queues & Rulesets | | ✓ | ✓ | ✓ |
| Encryption (KMS — in-transit & at-rest) | | ✓ | ✓ | ✓ |
| Document Control & Versioning | | ✓ | ✓ | ✓ |
| Antivirus & Anti-Malware | | ✓ | ✓ | ✓ |
| AI Processing & Analysis (Bedrock) | | | ✓ | ✓ |
| Document Generation | | | ✓ | ✓ |
| eSignature Integration | | | ✓ | ✓ |
| Document Gateway Modules | | | ✓ | ✓ |
| Enhanced Full-Text Search (OpenSearch) | | | ✓ | ✓ |
| Multi-Instance & Multi-Region Licensing | | | ✓ | ✓ |
| Vendor-Managed & Hybrid Deployment | | | | ✓ |
| Custom SLAs & Compliance Consulting | | | | ✓ |
| Support | Community (Slack & GitHub) | Support Portal (2-business-day SLA) | Private Slack + videoconference + 40 hrs onboarding | Rapid response (8-business-hour SLA) + strategic architecture support |
Note: GovCloud deployment is currently available for FormKiQ Core. Organisations requiring commercial edition capabilities on GovCloud should contact FormKiQ to discuss deployment options.
Deployment Models
| Model | Description | Availability |
|---|---|---|
| Customer-Managed AWS | Deploys directly into your AWS account (GovCloud or commercial) via CloudFormation. | All editions (GovCloud: Core) |
| Vendor-Managed | FormKiQ manages the AWS infrastructure on your behalf. | Enterprise (commercial regions) |
| Hybrid | You retain control of specific components while delegating operational management. | Enterprise (commercial regions) |
Getting Started
FormKiQ Core can be deployed to AWS GovCloud (US West) or any supported commercial region in fifteen to twenty minutes using a one-click install via AWS CloudFormation.
For federal agencies and contractors evaluating document management on FedRAMP-authorised infrastructure, FormKiQ offers a Proof-of-Value program — a three-month deployment providing full platform access in a non-production setting.
Frequently Asked Questions
Is FormKiQ FedRAMP-authorised?
FormKiQ deploys on FedRAMP-authorised AWS infrastructure. AWS GovCloud (US West) carries a FedRAMP High Provisional Authority to Operate (P-ATO). AWS commercial regions carry FedRAMP authorisations at various impact levels. FormKiQ as an application layer is not independently FedRAMP-authorised — it deploys within your own AWS account on FedRAMP-authorised infrastructure, and the resulting system's authorisation is part of your agency's or organisation's ATO process.
Which FormKiQ edition runs on GovCloud?
FormKiQ Core (open source, MIT licence) supports deployment on AWS GovCloud (US West). Commercial editions currently deploy on AWS commercial regions. Organisations requiring commercial edition capabilities on GovCloud should contact FormKiQ to discuss options.
Does FormKiQ support CUI handling?
FormKiQ's ABAC, encryption, audit trails, and access controls support the technical requirements for CUI handling under NIST SP 800-171. CUI marking, handling, and dissemination controls can be implemented through metadata schemas and access policies configured to CUI Registry categories.
How does FormKiQ support FOIA processing?
FormKiQ's full-text and metadata search enables identification and retrieval of responsive records. Classification-based access controls support redaction workflows and exemption marking. Response tracking workflows manage FOIA request timelines and production deadlines. All FOIA-related document events are audit-logged.
Can FormKiQ manage federal records under NARA retention schedules?
Yes. FormKiQ supports configurable retention policies that can be aligned with NARA General Records Schedules and agency-specific retention schedules. Disposition workflows provide audit-logged evidence of lawful disposition. Transfer-to-archive workflows support the transition of permanent records to NARA or agency archives.