Feds need to put the fizz in FISMA

From: Gigaom

By Barb Darrow

Any cloud service provider worth its salt is rushing to claim compliance with the Federal Information Security Management Act of 2002, aka FISMA. The only problem is that FedRAMP, the government effort aimed at ensuring a safe move to cloud computing as part of the government’s “Cloud First” initiative, won’t be signing off on these certifications for another three or four months.

FISMA was meant to define a framework for protecting government information and operations against natural or man-made threats. Three impact levels (low, moderate and high, set out in FIPS 199) were defined, based on the potential impact of a security breach on the confidentiality, integrity or availability of the information and systems involved. The latest action in the cloud comes as cloud providers lay claim to the “FISMA moderate” designation, meaning their systems have been authorized to handle information for which a breach could result in “moderate” damage in terms of loss of “confidentiality, integrity or availability.”

Gaining a “FISMA moderate” designation is an important checklist item that would make cloud services more palatable to government agencies that want to move to the least expensive deployment option but also protect their data. Virtustream is the latest cloud vendor to hoist the FISMA moderate flag, saying Monday that its Vienna, Va., data center earned the moderate level FISMA authorization and accreditation certificate. It already held the FISMA “Low” accreditation. To attain moderate ranking, it had to show sufficient “physical controls and procedures to ensure that the site is secure via biometrics and other controls and is highly available through redundancy,” according to a Virtustream statement.

Amazon Web Services claimed the FISMA moderate mantle in September. As AWS evangelist Jeff Barr wrote at the time:

After receiving our FISMA Low level certification and accreditation, we took the next step and started to pursue the far more stringent FISMA Moderate level. This work has been completed, and the door is now open for a much wider range of US Government agencies to use AWS as their cloud provider. Based on detailed security baselines established by the National Institute of Standards and Technology (NIST), FISMA Moderate certification and accreditation required us to address an extensive set of security configuration and controls.

There’s nothing wrong with these FISMA claims; it’s just that they’re not really official — yet. A FISMA authorization is granted by a sponsoring agency for a specific system at a specific impact level, so a vendor’s “FISMA moderate” badge reflects one agency’s decision, not a government-wide approval. FedRAMP will take another three or four months to review and generate a list of compliant companies, said a spokesman for the U.S. General Services Administration (GSA).

One thing is clear: the race is on to win government cloud business, said John Pescatore, Internet security analyst and VP at Gartner. “There’s definitely going to be money in direct sales to the government but also sales to companies like defense contractors that do business with the government.” Being on that FISMA-approved list will be non-negotiable to most high-tech companies.

Already there have been some nasty, revenue-driven vendor spats over FISMA claims, such as when Microsoft publicly questioned Google’s claim of FISMA compliance for Google Apps.

Sorry states: FedRAMP for feds only

One problem is that while FedRAMP pertains to federal cloud deployments only, many worry that budget-constrained states and cities will read any FISMA certification as some sort of safety guarantee. (The TechAmerica Foundation last week released its own set of best practices and guidelines for cloud deployment.)

Jeff Gould, president of Peerstone Inc., warned of this issue. “FISMA is a federal standard, but you also have a lot of state and local governments wanting to save money. Many will point to the FISMA badge as justification, although it is irrelevant to them,” he said. “We’ve got a race to the bottom where CIOs in smaller government entities are looking for any excuse to get the cheapest thing. The danger is that the vendors will take this FISMA certification as a blanket label to say ‘I’m the safe and secure cloud.’”

There’s little doubt that, over time, more of the government’s data and workloads will move to the cloud. But there’s no substitute for due diligence — which is what the FedRAMP effort proposes. The last thing any of these constituencies — cloud vendors, agencies, integrators, the government itself — needs is a public snafu.


22 responses to “Feds need to put the fizz in FISMA”

  1. This article will help the internet viewers for building up new web site or even a
    weblog from start to end.

  2. Thanks for the good writeup. It in reality was once a
    leisure account of it. Glance complex to far introduced agreeable from you!
    However, how can we keep in touch?

  3. Hi there to everyone, for the reason that I
    am actually keen on reading this webpage’s posts, to be updated daily.
    It carries good material.

  4. Betty says:

    Very soon this site will be famous among all blog viewers, due to its nice posts

  5. my blog says:

    I was more than happy to discover this great site.
    I want to thank you for your time for this
    particularly fantastic read!! I definitely enjoyed every little bit
    of it and I have you bookmarked to check out new stuff on your web site.

  6. trener says:

    Hi to every body, it’s my first visit of this web site; this website
    carries amazing and genuinely good stuff for visitors.

  7. I have read so many posts on the topic of
    the blogger lovers except this article is genuinely a pleasant article, keep it up.

  8. Thanks for sharing such good thinking; the paragraph
    is pleasant, that’s why I have read it entirely

  9. Amazing things here. I’m very happy to look your post.

    Thank you a lot and I am having a look ahead to contact you.

    Will you please drop me a mail?

  10. new raybans says:

    I blog quite often and I genuinely appreciate your information.
    This great article has really piqued my interest.

    I’m going to bookmark your site and keep checking for new details about once a
    week. I subscribed to your feed too.

  11. forex forum says:

    Thanks , I’ve just been looking for information approximately this subject for ages and yours is
    the greatest I have found out so far. However, what about the bottom line?
    Are you certain in regards to the source?

  12. Tilly says:

    Hello, the whole thing is going fine here and of course every
    one is sharing facts, that’s truly excellent, keep up writing.

  13. I’m amazed, I have to admit. Seldom do I come across a blog that’s equally educative and amusing, and without a doubt, you have hit the nail on the head.
    The problem is an issue that not enough men and women are
    speaking intelligently about. I’m very happy I found this
    in my hunt for something regarding this.

  14. cineblog01 says:

    Very soon this web page will be famous amid all blog users, due to its nice articles

  15. Very rapidly this web page will be famous amid all blog people, due to its pleasant posts

  16. Simply wish to say your article is astonishing.
    The clarity in your post is just nice and I can assume you’re an expert on this subject.
    Well, with your permission, allow me to grab your feed to keep up to date with forthcoming posts.
    Thanks a million and please keep up the gratifying work.
