MCP External Access FedRAMP Readiness Review - TerrenceMcGuinness-NOAA/global-workflow GitHub Wiki
MCP External Access (Path B) β FedRAMP Readiness Review
Prepared for the AWS Summit DC FedRAMP review session β June 30, 2026
This page rolls up a FedRAMP / NIST 800-53 readiness review of the mcp-external-access spec (Path B β Cognito JWT authorizer on the existing AgentCore Runtime). It complements the engineering design at MCP-External-Access-Design-Path-B and the broader scaling proposal at MCP-Access-Architecture-Proposal, viewing the same architecture through a federal-authorization lens.
Scope note. The subject spec is design-complete but not yet implemented β every implementation task (Task 0 onward) is still open. This is a review of the architecture, which is the right time to surface FedRAMP issues before code is written.
Executive summary
Path B exposes the 51-tool MDC MCP RAG server to two new external consumer classes β GitHub Actions CI and HPC user sessions (Hera, Orion, Hercules, Gaea, Ursa) β by attaching a Cognito-issued JWT authorizer to the existing AgentCore Runtime. The developer SigV4 path is preserved byte-identical. Path C (AgentCore Gateway + Cedar tool-level policy) is explicitly deferred.
The authorization model is sound and maps cleanly onto NIST 800-53: least-privilege IAM, no long-lived CI secrets (GitHub OIDC), server-side scope-to-tool enforcement, structured per-call audit, and everything-in-CDK with drift detection. The principal risk is foundational, not architectural: the feature runs on Bedrock AgentCore in commercial us-east-1, and AgentCore does not appear to be in any FedRAMP boundary yet.
The gating question: service authorization & region
Everything in this spec targets commercial us-east-1 on Bedrock AgentCore Runtime. From public AWS sources (verify against the live FedRAMP Marketplace and AWS services-in-scope):
| Service | FedRAMP status (public sources) | Implication |
|---|---|---|
| Amazon Bedrock | High β GovCloud (US-West) only (AWS, Aug 2024) | Commercial-region authorization not established |
| Bedrock AgentCore | New service (Cedar engine GA 2026-03-03); no FedRAMP evidence found | Likely not in any authorized boundary yet |
| Amazon Cognito | FedRAMP-authorized in US East/West commercial (AWS P-ATO) | The auth layer is on solid ground |
So the authentication layer (Cognito) is FedRAMP-ready in commercial us-east-1, but the hosting runtime almost certainly is not.
Reframing the design's gate. The design (Β§2 AD-2) treats "is the public endpoint reachable under VPC mode" as the go/no-go before implementation. From a FedRAMP standpoint that is the wrong gate β the real gate is "is AgentCore in an authorized boundary at all, and in which region/baseline." That reframing should be settled before the reachability test matters.
Three asks for AWS
- What is the FedRAMP authorization roadmap for Bedrock AgentCore (Runtime, Gateway, Identity) β baseline, region, and timeline?
- If unauthorized, does this system need to move to GovCloud, and what is the AgentCore GovCloud timeline?
- Confirm Cognito's commercial-region FedRAMP Moderate authorization still covers our intended use.
What will land well with an assessor
| Area | Control(s) | Why it's strong |
|---|---|---|
| Least-privilege IAM | AC-6 | Token_Broker scoped to one Lambda ARN; Secrets read scoped to one secret; OIDC role sub allowlisted to specific repo+ref |
| No long-lived CI secrets | IA-5 | GitHub OIDC federation; Property P8 statically forbids any static key in the CI path |
| Least functionality | AC-3, CM-7 | Server-side scopeβtool enforcement with a single source of truth (allowedToolSets.js); CI locked out of all mutation tools; guarded by ESLint + CODEOWNERS |
| Audit & accountability | AU-2, AU-3 | One structured JSONL entry per call with attributable identity (incl. GitHub run_id/repo/ref), payloads deliberately excluded |
| Config management | CM-2, CM-6, CA-7 | All resources in CDK; cdk diff gate; nightly drift detector; RETAIN policies on stateful resources |
| Data-plane isolation | AC-4, SC-7 | Neptune and OpenSearch stay VPC-private; only the AWS-managed MCP edge is public |
Gaps an assessor will raise (prioritized)
- MFA β IA-2(1), IA-2(11), M-22-09. Cognito MFA is
OPTIONALand OTP-based for human HPC users; not phishing-resistant. Fix already in the design's back pocket: federate Cognito to NOAA SSO (AD-1 option c) so PIV/CAC and central account lifecycle (AC-2) apply. Recommend elevating from "future enhancement" to baseline for the human path. - FIPS crypto β SC-13, SC-8(1). Endpoints are commercial (non-FIPS); R8.1 also permits TLS 1.2. Specify FIPS 140-validated modules and FIPS endpoints (or note GovCloud is FIPS-by-default).
- Encryption at rest with CMK β SC-28, SC-12. DynamoDB stash is
AWS_MANAGED; KMS is only conditional (R9.3). Use customer-managed KMS for the audit log group, the CI secret, and the claims stash, with documented rotation. - DoS / boundary on the public edge β SC-5, SC-7. The public MCP endpoint is AWS-managed; no customer WAF/rate-limit is possible in Path B. This is a genuine argument for Path C (Gateway) β be ready to explain the interim posture.
- External connections β CA-3, SA-9. GitHub-hosted runners are outside the authorization boundary; assessors often require self-hosted runners in-boundary plus an interconnection writeup for the GitHub OIDC trust.
- Audit retention β AU-11. Design says 90 days (Β§4.6) but 365 days (Β§9.2). Reconcile to one documented value that meets the obligation.
- Data classification. State plainly that the indexed corpus is public NOAA-EMC open-source code + public docs β no CUI crosses the public edge. One sentence defuses much boundary scrutiny.
Minor: pin the GitHub Action to a commit SHA rather than @v4 (SA-12/RA-5); the refreshTokenValidity on the client-credentials CI client is dead config (that grant issues no refresh token).
NIST 800-53 control mapping (summary)
Legend β β addressed Β· β οΈ partial Β· β gap Β· β depends on service authorization.
| Family | Control | Status | Note |
|---|---|---|---|
| AC | AC-2 Account Management | β οΈ | Cognito-native lifecycle manual; SSO federation centralizes it |
| AC | AC-3 Access Enforcement | β | Scopeβtool middleware, single source of truth (R5) |
| AC | AC-4 Information Flow | β | Data stores VPC-private (R8) |
| AC | AC-6 Least Privilege | β | Scoped Lambda/secret/OIDC role (R3) |
| AC | AC-12 Session Termination | β οΈ | Justify 1-day HPC refresh token |
| IA | IA-2(1)/(2) MFA | β | Optional OTP β set REQUIRED or federate SSO |
| IA | IA-2(11) Phishing-resistant MFA | β | Needs PIV/CAC via NOAA SSO |
| IA | IA-5 Authenticator Mgmt | β | No long-lived CI secrets (P8) |
| IA | IA-8 Non-org users | β οΈ | Document GitHub OIDC trust |
| AU | AU-2 / AU-3 Audit | β | One JSONL entry/call, attributable (R6) |
| AU | AU-9 Protect Audit | β οΈ | Add CMK on log group |
| AU | AU-11 Retention | β οΈ | Reconcile 90 vs 365 days |
| SC | SC-5 DoS | β οΈ | No WAF on public edge until Path C |
| SC | SC-7 Boundary | β οΈ | Customer WAF needs Path C Gateway |
| SC | SC-8(1) Transmission | β οΈ | Require FIPS TLS |
| SC | SC-12 / SC-13 Crypto | β οΈ/β | FIPS modules + required CMK |
| SC | SC-28 Encryption at Rest | β οΈ | CMK for stash/secret/logs |
| CM | CM-2 / CM-6 Baseline | β | CDK + diff gate + RETAIN (R9) |
| CM | CM-7 Least Functionality | β | CI excluded from mutation + GitHub tools |
| CA | CA-7 Continuous Monitoring | β | Drift detector (Task 13) |
| CA/SA | CA-3 / SA-9 External Connections | β οΈ | GitHub runners outside boundary |
| SA/RA | SA-12 / RA-5 Supply Chain | β οΈ | Pin Action to SHA |
| β | Service in FedRAMP boundary | β | Primary risk β confirm AgentCore |
| β | Data classification | β | Public NOAA-EMC code/docs, no CUI |
The full table with per-control "where the spec addresses it" detail and POA&M-style follow-ups lives in the source repo at docs/reports/2026-06-30-mcp-external-access-fedramp-control-mapping.md.
Recommended follow-ups (priority order)
- Confirm AgentCore FedRAMP status / region before further build (gating).
- Elevate NOAA SSO federation to the baseline human-auth path β resolves IA-2(1), IA-2(11), AC-2 together.
- Specify FIPS endpoints + FIPS-validated crypto across all service calls (SC-13, SC-8(1)).
- Require customer-managed KMS on audit log group, CI secret, claims stash + rotation (SC-28, SC-12, AU-9).
- Reconcile audit retention to one documented value (AU-11).
- Document the GitHub interconnection (CA-3 / SA-9); evaluate self-hosted in-boundary runners.
- State interim DoS/boundary posture for the public MCP edge pending Path C (SC-5 / SC-7).
References
- Subject spec:
.kiro/specs/mcp-external-access/(requirements R1βR11, design, tasks) - Control mapping detail:
docs/reports/2026-06-30-mcp-external-access-fedramp-control-mapping.md - Engineering design: MCP-External-Access-Design-Path-B
- Scaling / CI-CD proposal with Gateway-path FedRAMP mappings: MCP-Access-Architecture-Proposal
- AWS β Bedrock achieves FedRAMP High (GovCloud)
- AWS β Cognito FedRAMP P-ATO (US East/West)
- AWS β Services in scope for FedRAMP
This page is an analysis aid, not an authorization artifact. Control determinations must be validated by the system's 3PAO and reflected in the SSP/POA&M. Service-authorization facts change β verify against the live FedRAMP Marketplace before relying on them.