Recently the United States Department of Agriculture (USDA) granted Microsoft’s Business Productivity Online Suite—Federal (BPOS-F) the authorization to operate (ATO) under the Federal Information Security Management Act of 2002, more widely known as FISMA. This congressional legislation requires every agency within the United States Federal government to ensure the security and protection of Federal information and information systems. As part of compliance with the law, each Federal agency must adhere to standards and guidelines that meet minimum security requirements and controls. Each agency has the freedom to select its software and hardware solutions, but there is a certification and accreditation process that must be completed.
In mid-April there was a scuffle between the not-yet-FISMA-accredited Microsoft and rival Google, as Microsoft cried foul over Google Apps for Government being marketed as FISMA certified. It’s actually Google Apps Premier that is FISMA certified. The full expectation is that Google Apps for Government will gain certification, as it’s a modified version of Premier. However, Google assumed its own certification status, which is an unfair misrepresentation of its Apps for Government.
About a week later, Microsoft’s BPOS-Federal received FISMA certification and accreditation—the USDA issued an ATO on April 19. BPOS-Federal, which includes Exchange Online, SharePoint Online, and Office Communications Online, is one of several messaging and collaboration solutions hosted by Microsoft Online Services.
“As cloud computing continues to gain traction across government, it’s the responsibility of cloud providers to deliver the same levels of security that agencies have come to expect from on-premise solutions,” notes Susie Adams, chief technology officer for Microsoft Federal. Adams believes the USDA validated Microsoft’s cloud security offering when it granted the ATO to Microsoft. Indeed, the cloud does seem to be gaining converts in the original debate over whether on-premises was more secure.
In her blog, Adams acknowledges the shift, stating: “Meeting the demands of a new computing environment poses security concerns, but the solutions are grounded in the same best practices we’ve been employing on behalf of government agencies for over 25 years.”
Achieving FISMA certification is a complex process that involves third-party assessments of a wide variety of security features and policies. Yong-Gon Chon, CTO of SecureInfo Corporation, the third party involved for Microsoft, gave an interesting account of what goes into a FISMA certification. He notes, “Our assessment was rigorous and required Microsoft to demonstrate effective implementation of approximately 160 different management, operational and technical controls to a team of subject matter experts with a combined total of 99 years of industry experience. Our testing included an extensive review of their policies and procedures, interviews with their key personnel involved in delivering and supporting BPOS-F, examination of security related configuration settings, vulnerability scans of all components included within the environment (operating systems, databases, and web applications) and penetration testing.”
In conjunction with Microsoft’s BPOS-Federal FISMA certification, Proofpoint’s Enterprise Archive solution was also granted an ATO by the USDA, which will use the solution for compliant email archiving. According to Proofpoint, Enterprise Archive is the first cloud-based archiving solution to be given the ATO by a Cabinet-level agency and—with its 120,000 Microsoft users spread throughout 21 departments—is the largest U.S. Federal government implementation of cloud-based enterprise email archiving technology to date.
“Many Federal agencies are looking to cloud-based services to help them meet the dual challenges of tightening budgets and more severe and frequent security breaches,” says Andres Kohn, vice president of archiving and eDiscovery solutions for Proofpoint. “By achieving FISMA certification for our email archiving solution in conjunction with Microsoft BPOS-Federal, Proofpoint is opening the door for more rapid adoption of cloud-based email solutions throughout the U.S. Federal community.”
Microsoft plans to pursue FISMA certification and accreditation for Office 365, its next-generation cloud productivity suite, after it launches. Google is expecting FISMA certification and accreditation for Google Apps for Government “imminently.”