MCP External Access FedRAMP Readiness Review - TerrenceMcGuinness-NOAA/global-workflow GitHub Wiki

MCP External Access (Path B) β€” FedRAMP Readiness Review

Prepared for the AWS Summit DC FedRAMP review session β€” June 30, 2026

This page rolls up a FedRAMP / NIST 800-53 readiness review of the mcp-external-access spec (Path B β€” Cognito JWT authorizer on the existing AgentCore Runtime). It complements the engineering design at MCP-External-Access-Design-Path-B and the broader scaling proposal at MCP-Access-Architecture-Proposal, viewing the same architecture through a federal-authorization lens.

Scope note. The subject spec is design-complete but not yet implemented β€” every implementation task (Task 0 onward) is still open. This is a review of the architecture, which is the right time to surface FedRAMP issues before code is written.


Executive summary

Path B exposes the 51-tool MDC MCP RAG server to two new external consumer classes β€” GitHub Actions CI and HPC user sessions (Hera, Orion, Hercules, Gaea, Ursa) β€” by attaching a Cognito-issued JWT authorizer to the existing AgentCore Runtime. The developer SigV4 path is preserved byte-identical. Path C (AgentCore Gateway + Cedar tool-level policy) is explicitly deferred.

The authorization model is sound and maps cleanly onto NIST 800-53: least-privilege IAM, no long-lived CI secrets (GitHub OIDC), server-side scope-to-tool enforcement, structured per-call audit, and everything-in-CDK with drift detection. The principal risk is foundational, not architectural: the feature runs on Bedrock AgentCore in commercial us-east-1, and AgentCore does not appear to be in any FedRAMP boundary yet.


The gating question: service authorization & region

Everything in this spec targets commercial us-east-1 on Bedrock AgentCore Runtime. From public AWS sources (verify against the live FedRAMP Marketplace and AWS services-in-scope):

Service FedRAMP status (public sources) Implication
Amazon Bedrock High β€” GovCloud (US-West) only (AWS, Aug 2024) Commercial-region authorization not established
Bedrock AgentCore New service (Cedar engine GA 2026-03-03); no FedRAMP evidence found Likely not in any authorized boundary yet
Amazon Cognito FedRAMP-authorized in US East/West commercial (AWS P-ATO) The auth layer is on solid ground

So the authentication layer (Cognito) is FedRAMP-ready in commercial us-east-1, but the hosting runtime almost certainly is not.

Reframing the design's gate. The design (Β§2 AD-2) treats "is the public endpoint reachable under VPC mode" as the go/no-go before implementation. From a FedRAMP standpoint that is the wrong gate β€” the real gate is "is AgentCore in an authorized boundary at all, and in which region/baseline." That reframing should be settled before the reachability test matters.

Three asks for AWS

  1. What is the FedRAMP authorization roadmap for Bedrock AgentCore (Runtime, Gateway, Identity) β€” baseline, region, and timeline?
  2. If unauthorized, does this system need to move to GovCloud, and what is the AgentCore GovCloud timeline?
  3. Confirm Cognito's commercial-region FedRAMP Moderate authorization still covers our intended use.

What will land well with an assessor

Area Control(s) Why it's strong
Least-privilege IAM AC-6 Token_Broker scoped to one Lambda ARN; Secrets read scoped to one secret; OIDC role sub allowlisted to specific repo+ref
No long-lived CI secrets IA-5 GitHub OIDC federation; Property P8 statically forbids any static key in the CI path
Least functionality AC-3, CM-7 Server-side scope→tool enforcement with a single source of truth (allowedToolSets.js); CI locked out of all mutation tools; guarded by ESLint + CODEOWNERS
Audit & accountability AU-2, AU-3 One structured JSONL entry per call with attributable identity (incl. GitHub run_id/repo/ref), payloads deliberately excluded
Config management CM-2, CM-6, CA-7 All resources in CDK; cdk diff gate; nightly drift detector; RETAIN policies on stateful resources
Data-plane isolation AC-4, SC-7 Neptune and OpenSearch stay VPC-private; only the AWS-managed MCP edge is public

Gaps an assessor will raise (prioritized)

  1. MFA β€” IA-2(1), IA-2(11), M-22-09. Cognito MFA is OPTIONAL and OTP-based for human HPC users; not phishing-resistant. Fix already in the design's back pocket: federate Cognito to NOAA SSO (AD-1 option c) so PIV/CAC and central account lifecycle (AC-2) apply. Recommend elevating from "future enhancement" to baseline for the human path.
  2. FIPS crypto β€” SC-13, SC-8(1). Endpoints are commercial (non-FIPS); R8.1 also permits TLS 1.2. Specify FIPS 140-validated modules and FIPS endpoints (or note GovCloud is FIPS-by-default).
  3. Encryption at rest with CMK β€” SC-28, SC-12. DynamoDB stash is AWS_MANAGED; KMS is only conditional (R9.3). Use customer-managed KMS for the audit log group, the CI secret, and the claims stash, with documented rotation.
  4. DoS / boundary on the public edge β€” SC-5, SC-7. The public MCP endpoint is AWS-managed; no customer WAF/rate-limit is possible in Path B. This is a genuine argument for Path C (Gateway) β€” be ready to explain the interim posture.
  5. External connections β€” CA-3, SA-9. GitHub-hosted runners are outside the authorization boundary; assessors often require self-hosted runners in-boundary plus an interconnection writeup for the GitHub OIDC trust.
  6. Audit retention β€” AU-11. Design says 90 days (Β§4.6) but 365 days (Β§9.2). Reconcile to one documented value that meets the obligation.
  7. Data classification. State plainly that the indexed corpus is public NOAA-EMC open-source code + public docs β€” no CUI crosses the public edge. One sentence defuses much boundary scrutiny.

Minor: pin the GitHub Action to a commit SHA rather than @v4 (SA-12/RA-5); the refreshTokenValidity on the client-credentials CI client is dead config (that grant issues no refresh token).


NIST 800-53 control mapping (summary)

Legend β€” βœ… addressed Β· ⚠️ partial Β· ❌ gap Β· ❓ depends on service authorization.

Family Control Status Note
AC AC-2 Account Management ⚠️ Cognito-native lifecycle manual; SSO federation centralizes it
AC AC-3 Access Enforcement βœ… Scopeβ†’tool middleware, single source of truth (R5)
AC AC-4 Information Flow βœ… Data stores VPC-private (R8)
AC AC-6 Least Privilege βœ… Scoped Lambda/secret/OIDC role (R3)
AC AC-12 Session Termination ⚠️ Justify 1-day HPC refresh token
IA IA-2(1)/(2) MFA ❌ Optional OTP β€” set REQUIRED or federate SSO
IA IA-2(11) Phishing-resistant MFA ❌ Needs PIV/CAC via NOAA SSO
IA IA-5 Authenticator Mgmt βœ… No long-lived CI secrets (P8)
IA IA-8 Non-org users ⚠️ Document GitHub OIDC trust
AU AU-2 / AU-3 Audit βœ… One JSONL entry/call, attributable (R6)
AU AU-9 Protect Audit ⚠️ Add CMK on log group
AU AU-11 Retention ⚠️ Reconcile 90 vs 365 days
SC SC-5 DoS ⚠️ No WAF on public edge until Path C
SC SC-7 Boundary ⚠️ Customer WAF needs Path C Gateway
SC SC-8(1) Transmission ⚠️ Require FIPS TLS
SC SC-12 / SC-13 Crypto ⚠️/❌ FIPS modules + required CMK
SC SC-28 Encryption at Rest ⚠️ CMK for stash/secret/logs
CM CM-2 / CM-6 Baseline βœ… CDK + diff gate + RETAIN (R9)
CM CM-7 Least Functionality βœ… CI excluded from mutation + GitHub tools
CA CA-7 Continuous Monitoring βœ… Drift detector (Task 13)
CA/SA CA-3 / SA-9 External Connections ⚠️ GitHub runners outside boundary
SA/RA SA-12 / RA-5 Supply Chain ⚠️ Pin Action to SHA
β€” Service in FedRAMP boundary ❓ Primary risk β€” confirm AgentCore
β€” Data classification βœ… Public NOAA-EMC code/docs, no CUI

The full table with per-control "where the spec addresses it" detail and POA&M-style follow-ups lives in the source repo at docs/reports/2026-06-30-mcp-external-access-fedramp-control-mapping.md.


Recommended follow-ups (priority order)

  1. Confirm AgentCore FedRAMP status / region before further build (gating).
  2. Elevate NOAA SSO federation to the baseline human-auth path β†’ resolves IA-2(1), IA-2(11), AC-2 together.
  3. Specify FIPS endpoints + FIPS-validated crypto across all service calls (SC-13, SC-8(1)).
  4. Require customer-managed KMS on audit log group, CI secret, claims stash + rotation (SC-28, SC-12, AU-9).
  5. Reconcile audit retention to one documented value (AU-11).
  6. Document the GitHub interconnection (CA-3 / SA-9); evaluate self-hosted in-boundary runners.
  7. State interim DoS/boundary posture for the public MCP edge pending Path C (SC-5 / SC-7).

References

This page is an analysis aid, not an authorization artifact. Control determinations must be validated by the system's 3PAO and reflected in the SSP/POA&M. Service-authorization facts change β€” verify against the live FedRAMP Marketplace before relying on them.