Amazon's cloud services get approval under FISMA
By Kevin McCaney
Sep 16, 2011
The General Services Administration has put its stamp of approval on Amazon Web Services to provide cloud services in compliance with the Federal Information Security Management Act.
The accreditation covers Amazon Elastic Compute Cloud (EC2), Simple Storage Service (S3) and Virtual Private Cloud (VPC), along with their underlying infrastructure, the company said in a release.
Amazon Web Services joins Google Apps for Government and Microsoft’s Business Productivity Online Suite among cloud services that can say they’re certified under FISMA.
AWS’ accreditation covers FISMA’s low and moderate levels, the company said. Moderate Authorization and Accreditation requires a set of security configurations and controls, including documentation of the management, operational and technical processes used to secure physical and virtual infrastructure, and third-party audits.
With federal agencies moving increasingly to the cloud, providers have been racing to claim FISMA accreditation and/or certification, even if the term is something of a misnomer.
Microsoft and Google had a war of words in April over Google’s claim of certification for Google Apps for Government, which eventually was settled when GSA backed Google’s claim. Shortly afterward, BPOS also got GSA’s blessing.
But as GCN’s William Jackson pointed out, FISMA doesn’t require certification of products or services, and doesn’t apply to vendors. It sets security requirements for federal IT systems.
That’s where GSA and the National Institute of Standards and Technology come in. Having to accredit each federal system that moves to the cloud would overwhelm agencies and defeat the purpose of cloud computing, which aims to increase efficiency and cut costs. So GSA, using NIST-developed standards, accredits products and services for governmentwide use.
The Federal Risk and Authorization Management Program, better known as FedRAMP, sets baseline security requirements, coordinates and manages authorization, and provides risk assessments. Among its goals is increasing agencies’ trust in the cloud.
Kevin McCaney is a former editor of Defense Systems and GCN.