News

Amazon Web Services Gets FISMA Approval

• By Kevin McCaney
• 09/16/2011

Amazon Web Services has received approval from the General Services Administration (GSA) to provide cloud services to government agencies in compliance with the Federal Information Security Management Act (FISMA).

Other major cloud vendors that are FISMA-certified include Google, for its Apps for Government suite, and Microsoft, for its Business Productivity Online Suite (BPOS).

According to an Amazon release, the FISMA accreditation covers Amazon Elastic Compute Cloud (EC2), Simple Storage Service (S3) and Virtual Private Cloud (VPC), along with their underlying infrastructure.

AWS' accreditation covers FISMA's low and moderate levels, the company said. Moderate Authorization and Accreditation requires a set of security configurations and controls that includes documenting the management, operational and technical processes used in securing physical and virtual infrastructure, and a requirement for third-party audits.

With federal agencies moving increasingly to the cloud, providers have been racing to claim FISMA accreditation or certification, even if the term is something of a misnomer.

Microsoft and Google had a war of words in April over Google's claim of certification for Google Apps for Government, which eventually was settled when GSA backed Google's claim. Shortly afterward, BPOS also got GSA's blessing. 

But as some analysts have pointed out, FISMA doesn't require certification of products or services, and doesn't apply to vendors. It sets security requirements for federal IT systems.

That's where GSA and the National Institute of Standards and Technology come in. Having to accredit each federal system that moves to the cloud would overwhelm agencies and defeat the purpose of cloud computing, which aims to increase efficiency and cut costs. So GSA, using NIST-developed standards, accredits products and services for governmentwide use.

The Federal Risk and Authorization Management Program (FedRAMP) sets baseline security requirements, coordinates and manages authorization, and provides risk assessments. Among its goals is increasing agencies' trust in the cloud.