How to Run AI Models on AWS GovCloud for FedRAMP Compliance
Federal agencies and their contractors are under increasing pressure to adopt AI capabilities while maintaining strict compliance with the Federal Risk and Authorization Management Program. FedRAMP exists to standardize security assessment, authorization, and continuous monitoring for cloud products used by the federal government. Running AI workloads within this framework is not optional for organizations that handle federal data -- it is a contractual and legal requirement.
The challenge is that AI workloads introduce unique security and architectural considerations that traditional FedRAMP-authorized applications do not face. Large language models require GPU-intensive compute, handle sensitive training data, and produce outputs that themselves may need classification controls. AWS GovCloud provides the infrastructure to meet these requirements, but deploying AI within it demands careful architectural planning that goes well beyond spinning up a SageMaker endpoint.
Understanding FedRAMP Impact Levels for AI Workloads
FedRAMP categorizes systems by impact level based on the potential consequences of a security breach. For AI deployments, understanding which impact level applies to your workload determines virtually every architectural decision that follows.
Impact Level 2 (IL2) covers publicly releasable information and low-impact data. AI workloads processing non-sensitive public data -- such as a model that summarizes publicly available policy documents -- may qualify at this level. Standard AWS commercial regions can support IL2 workloads with a FedRAMP Moderate authorization.
Impact Level 4 (IL4) covers Controlled Unclassified Information (CUI). This is where most enterprise AI deployments for federal contractors land. Processing contract documents, internal communications, personnel records, or any data marked CUI requires IL4 controls. AWS GovCloud holds FedRAMP High authorization, which satisfies IL4 requirements.
Impact Level 5 (IL5) covers mission-critical CUI and National Security Systems. AI workloads that process defense-related data, intelligence community information, or systems designated as national security systems must operate at IL5. AWS GovCloud supports IL5 workloads with additional configuration requirements including dedicated tenancy and enhanced network isolation.
Impact Level 6 (IL6) covers classified information up to Secret. AI workloads at this level require AWS Secret Region infrastructure, which is physically separated from GovCloud and accessible only through classified networks. Deploying LLMs at IL6 involves air-gapped infrastructure and is architecturally distinct from GovCloud deployments.
The classification of your AI workload depends not just on the data it processes but also on the data it was trained on, the outputs it generates, and the decisions those outputs inform. An AI model trained on unclassified data but used to generate recommendations that inform classified decision-making may itself need to operate at a higher impact level. Get this classification right at the start -- reclassifying and migrating a running AI system is significantly more expensive than deploying to the correct impact level initially.
AWS GovCloud AI and ML Services
AWS GovCloud provides a subset of AWS services that have been assessed and authorized under FedRAMP High. For AI workloads, the relevant services include Amazon SageMaker, Amazon EC2 P-series and G-series GPU instances, Amazon EKS for container orchestration, and supporting services like S3, CloudWatch, and IAM.
Amazon SageMaker in GovCloud provides managed infrastructure for training, fine-tuning, and deploying machine learning models. SageMaker endpoints can host custom models including open-source LLMs, and SageMaker supports model versioning, A/B testing, and auto-scaling. However, SageMaker in GovCloud does not include all features available in commercial regions. Features like SageMaker JumpStart -- which provides pre-built model deployments -- may have limited model availability in GovCloud. Always verify feature parity against current GovCloud documentation before designing your architecture around a specific SageMaker capability.
EC2 P-series and G-series instances provide raw GPU compute for organizations that need more control than SageMaker offers. P4d and P5 instances with NVIDIA A100 and H100 GPUs are suitable for training and inference of large language models. G5 instances with NVIDIA A10G GPUs handle inference workloads at lower cost. Instance availability in GovCloud is more constrained than in commercial regions, so capacity planning and reserved instances are essential for production workloads.
Amazon EKS in GovCloud enables Kubernetes-based deployment of AI workloads, which is the preferred approach for organizations running inference frameworks like vLLM, Text Generation Inference, or Triton Inference Server. EKS provides the flexibility to run multiple models with independent scaling policies, implement blue-green deployments, and integrate with existing container-based CI/CD pipelines.
Deploying Open-Source LLMs in GovCloud
Open-source models are the natural choice for FedRAMP-compliant AI deployments. Commercial API-based models like those from OpenAI or Anthropic require sending data to third-party infrastructure, which creates data sovereignty challenges that are often incompatible with federal data handling requirements. Open-source models run entirely within your authorization boundary.
The deployment process for an open-source LLM in GovCloud follows a specific pattern. First, model weights must be transferred into the GovCloud environment. Since GovCloud environments typically restrict or eliminate internet egress, you cannot simply download model weights from Hugging Face at deployment time. Model artifacts need to be pre-downloaded, scanned for integrity and potential supply chain compromise, and staged in an S3 bucket within your GovCloud account. Establish a formal process for model ingestion that includes hash verification and provenance documentation.
Second, the inference runtime must be containerized and tested. Build container images that include your inference framework, model loading logic, and API layer in a build environment, then transfer those images to Amazon ECR within GovCloud. Every component in your container image becomes part of your authorization boundary and must be documented in your system security plan.
Third, deploy the model using either SageMaker endpoints or EKS pods with GPU node groups. For most production workloads, EKS provides greater flexibility. Configure horizontal pod autoscaling based on GPU utilization and request queue depth. Implement health checks that verify not just container health but model loading status and inference capability.
Network Architecture: VPC, PrivateLink, and Zero Egress
Network architecture for FedRAMP-compliant AI deployments demands a zero-trust, zero-egress approach. The guiding principle is that no data -- including model inputs, outputs, intermediate results, or telemetry -- should traverse the public internet.
Start with a dedicated VPC for AI workloads, isolated from other workloads through separate accounts or at minimum separate VPCs with controlled peering. Place GPU compute instances in private subnets with no internet gateway or NAT gateway attached. All AWS service access should occur through VPC endpoints using AWS PrivateLink. This includes S3 endpoints for model artifact storage, CloudWatch endpoints for logging and monitoring, ECR endpoints for container image pulls, and STS endpoints for IAM credential management.
For AI workloads that need to serve inference requests from other systems within your environment, expose the inference API through an internal Application Load Balancer in a private subnet. If external access is required -- for example, from a separate authorization boundary that consumes AI inference results -- implement API Gateway with mutual TLS authentication and request signing.
Network flow logs must be enabled on all subnets and VPC endpoints. These logs become part of your continuous monitoring evidence and are routinely reviewed during FedRAMP assessments. Configure flow logs to stream to CloudWatch Logs or S3 with appropriate retention periods that match your authorization requirements.
Encryption Requirements: At Rest and In Transit
FedRAMP High requires FIPS 140-2 validated encryption for data at rest and in transit. This requirement applies to every component of your AI deployment: model weights stored in S3, training data, inference inputs and outputs, log data, and any cached or temporary data generated during model inference.
For data at rest, use AWS KMS with customer-managed keys (CMKs) to encrypt S3 buckets containing model artifacts and training data, EBS volumes attached to GPU instances, and any RDS or DynamoDB tables used for metadata or prompt logging. Ensure that KMS keys are configured with appropriate key policies that restrict access to authorized IAM roles only and that key rotation is enabled.
For data in transit, enforce TLS 1.2 or higher on all connections. Configure your inference API endpoints to reject connections using older TLS versions. Within your VPC, even internal service-to-service communication should use TLS. This includes communication between your application layer and inference endpoints, between inference services and model artifact storage, and between GPU nodes in distributed inference configurations.
A frequently overlooked encryption requirement involves GPU memory. During inference, model weights and input data reside in GPU VRAM in unencrypted form. While FIPS 140-2 does not currently mandate GPU memory encryption, your system security plan should document this as a known condition and describe the mitigating controls -- specifically, physical security of the data center, instance isolation guarantees provided by AWS, and the ephemeral nature of GPU memory contents.
Logging, Audit, and Continuous Monitoring
FedRAMP continuous monitoring requirements are extensive, and AI workloads add additional logging dimensions that traditional applications do not have. Your logging architecture must capture infrastructure events, application events, and AI-specific events.
AWS CloudTrail must be enabled for all API calls within your GovCloud account. This captures every AWS API action including SageMaker endpoint invocations, EC2 instance lifecycle events, S3 object access, and IAM credential usage. Configure CloudTrail to deliver logs to a dedicated, immutable S3 bucket with log file integrity validation enabled.
Amazon GuardDuty provides threat detection across your GovCloud environment. For AI workloads, GuardDuty can identify anomalous API call patterns that might indicate unauthorized model access, unusual data exfiltration attempts, or compromised credentials being used to access model endpoints.
AI-specific logging goes beyond infrastructure monitoring. You should log every inference request and response, including timestamps, request source identifiers, input token counts, output token counts, model version, and latency metrics. This logging serves dual purposes: it satisfies FedRAMP audit requirements for system activity monitoring, and it provides the data needed for model performance monitoring and drift detection.
Establish log retention policies that comply with your authorization requirements -- typically a minimum of one year for online access and three years for archived access. Implement automated alerting for security-relevant events including failed authentication attempts, unusual inference volume patterns, model endpoint errors, and any access from unexpected network sources.
Authorization Boundary Documentation
The authorization boundary defines exactly which components are within scope of your FedRAMP authorization. For AI deployments, the boundary must encompass every component involved in the AI lifecycle: model storage, inference compute, API layers, logging infrastructure, monitoring systems, and the CI/CD pipeline used to deploy model updates.
Your System Security Plan (SSP) must document the AI-specific components with sufficient detail for assessors to understand the data flows and security controls. This includes architectural diagrams showing how inference requests flow from client applications through API gateways to model endpoints. It includes data flow diagrams showing how model artifacts move from development environments into GovCloud. And it includes component inventories listing every software package, library, and framework included in your AI deployment containers.
Pay particular attention to documenting the model supply chain. Your SSP should describe where model weights originated, how they were validated before deployment, what fine-tuning was performed, and how model updates are tested and promoted to production. Assessors increasingly focus on AI supply chain security, and thorough documentation of model provenance significantly smooths the authorization process.
ITAR Considerations for AI Workloads
Organizations subject to the International Traffic in Arms Regulations face additional constraints on AI deployments. ITAR restricts access to defense-related technical data to U.S. persons, and this restriction extends to the infrastructure and personnel that operate AI systems processing ITAR-controlled data.
AWS GovCloud is designed to support ITAR workloads. It is physically located in the United States, operated by U.S. persons who have been vetted, and provides the access controls necessary to restrict data access to authorized U.S. persons. However, ITAR compliance requires more than just running on GovCloud. You must ensure that all personnel who administer, operate, or have access to the AI system are U.S. persons. Your IAM policies must enforce this restriction, and your organizational procedures must document how U.S. person status is verified and maintained.
For AI models specifically, ITAR introduces questions about model outputs. If a model is trained on ITAR-controlled technical data, the model weights themselves may be considered ITAR-controlled because they encode information derived from that data. This means the model artifacts cannot be exported or shared with non-U.S. persons, and the inference outputs may also be subject to ITAR controls depending on their content. Work with your export control counsel to classify your AI model artifacts and outputs before deployment.
Practical Deployment Checklist
Bringing all of these requirements together, a FedRAMP-compliant AI deployment on AWS GovCloud requires methodical execution across multiple workstreams. Before writing any infrastructure code, confirm your impact level classification and ensure your GovCloud account is provisioned and authorized at the appropriate level. Design your VPC architecture with private subnets, VPC endpoints, and zero internet egress. Establish your encryption strategy with KMS CMKs for all data stores and TLS for all communication paths.
Build and test your model deployment pipeline in a non-production environment before touching GovCloud. This pipeline should include model artifact ingestion with integrity verification, container image building and scanning, infrastructure deployment through infrastructure as code, and automated testing of inference endpoints. Document every component for your SSP as you build it -- retroactive documentation is both painful and error-prone.
Configure your logging, monitoring, and alerting infrastructure before deploying production workloads. Your continuous monitoring posture should be operational and generating baseline data before your first production inference request. Plan for ongoing assessments by maintaining your SSP as a living document and automating as much compliance evidence collection as possible.
Running AI on AWS GovCloud for FedRAMP compliance is demanding but achievable. The organizations that succeed treat compliance not as an obstacle to AI adoption but as a framework that enforces the security practices that should accompany any production AI deployment. The rigor required by FedRAMP -- boundary documentation, encryption, continuous monitoring, access controls -- results in AI deployments that are more secure, more auditable, and more operationally mature than their unregulated counterparts.