CYBEREYE

In Google-Microsoft dustup, what does 'FISMA-certified' mean?

FISMA doesn't require certification of products and services

The recent spitting match between Google and Microsoft over certification of Google Apps for Government left me a little confused. Google insisted its offerings are FISMA certified, and Microsoft said they aren’t.

The dispute turns on which version of the Google applications you are talking about and whether they are essentially different. But what confused me was the use of the term “FISMA certified.” The Federal Information Security Management Act of 2002 does not require certification of products and services, and although Google stoutly maintained that it is in compliance with FISMA, the law does not apply to vendors. It applies to (most) federal agencies and to the IT systems they operate.

The words “certify,” “certification” and “certificate” appear nowhere in the law; neither do the words “vendor,” “manufacturer,” “supplier” nor “seller.”


Related coverage:

No lie: GSA backs Google on FISMA certification


What the law does do is give the National Institute of Standards and Technology authority to establish standards and guidelines — that are not product- or technology-specific — to ensure a reasonable level of security in government systems. But NIST does not use the term FISMA certification, either.

As it turns out, what Google and Microsoft are fighting over is not FISMA certification, but the administrative process of certification and accreditation (usually referred to as C&A) developed to help ensure compliance with NIST standards and mandated by the Office of Management and Budget, which oversees FISMA compliance.

C&A is the much maligned process of agencies evaluating the security needs and controls of their IT systems (certification) and acknowledging and accepting residual risks and authorizing the systems to operate (accreditation). The process has been criticized as expensive, time-consuming and ineffective, and in NIST’s “Guide for Applying the Risk Management Framework to Federal Information Systems” (SP-800-37 Rev.1), C&A is moving to a continuous monitoring model of risk management rather than periodic assessments.

IT systems still need certification and an authority from the authorized official to operate, and this has created a problem with cloud computing. The Obama administration has made cloud computing an objective for government, and it promises greater flexibility and efficiency, along with cost savings. But these benefits could be mitigated by the requirements that each IT system receive an authority to operate.
 
“One of the most significant obstacles to the adoption of cloud computing is security,” David McClure, who heads the General Services Administration’s innovative technologies effort, told a House subcommittee last year. “Agencies are concerned about the risks of housing data off-site in a cloud if FISMA security controls and accountabilities are not in place.”

But obtaining certification and an authority to operate each time a cloud-based service is used would defeat the purpose of an agile, on-demand service. So GSA and NIST developed the Federal Risk and Authorization Management Program (FedRAMP) to provide a blanket C&A and authority to operate for cloud products offered through GSA’s apps.gov cloud storefront.

FedRAMP applies a governmentwide baseline of security requirements that are based on NIST’s “Recommended Security Controls for Federal Information Systems and Organizations” (SP 800-53 Rev. 3). The program coordinates and manages authorization, and provides ongoing risk assessments of the authorized systems.

Like the C&A process, FedRAMP has been criticized as inadequate, primarily because it does not focus enough on real-time monitoring. But whatever its strengths and weaknesses, it is the standard that cloud service providers must meet.

I don’t like the term “FISMA certification,” but that is a personal bias. It might be a legitimate shorthand for the C&A and authorization process that cloud vendors must undergo. Either way, it is helpful to understand just what the term refers to when it is being debated.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Sep 29, 2011 Jeff Griffin

I think Mr. Jackson is owned some thanks for his research and reporting on an oft-cited requirement. THANKS - This is great reporting!

Mon, Apr 18, 2011

The comments here are quite choice. Google does patch, but it's behind the scenes and your only testing is on your production work. Plenty of risk there. William is spot on in that FISMA follows federal information. As long as the governement is responsible for the information FISMA and the requirement for security authorization (C&A) applies. There seems to be some confusion here about FedRamp and GSA as well. FedRamp may be able to provide a common "certification" of compliance but only agencies can authorize/accredit systems for use.

Mon, Apr 18, 2011

No Government Institution should use this costly and insecure Microsoft products nowadays! Just save taxpayers money and switch to Open Source!!

Mon, Apr 18, 2011 william Washington, DC

I agree that there's no such thing as a "FISMA certification," but I disagree with your assertion that "the law does not apply to vendors. It applies to (most) federal agencies and to the IT systems they operate." Actually, according to the law the provisions apply to "information systems used or operated by an agency
or by a contractor of an agency or other organization on behalf of an agency. . . " Which means that if Google wants to sell services and run its systems on behalf of an agency, they should comply with FISMA. The FIPS standards also apply.

Sat, Apr 16, 2011

With Google Apps, no patches or updates are required. From GCN: Patch Tuesday to get 'ugly' with latest Microsoft security update http://gcn.com/articles/2011/04/07/microsoft-preparing-ugly-security-patch.aspx Looks like 17 security updates for the government to have to deal with this month which may be a record high costing even more money.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above