Amazon Web Services (AWS) has earned Federal Information Security Management Act (FISMA) Moderate Authorization and Accreditation, which illustrates that AWS and its cloud plays are suitable for federal, state and local governments.
FISMA, a certification granted by the U.S. General Services Administration (GSA), requires federal agencies to develop, document and implement an information security system for their data and infrastructure. Amazon achieving FISMA certification for its cloud computing offerings means government entities can now use AWS' cloud infrastructure services and maintain the security requirements necessary for applications that demand strict security practices at the FISMA Moderate level.
According to Amazon, the FISMA certification covers Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3) and Amazon Virtual Private Cloud (VPC), along with the infrastructure upon which they run. AWS's FISMA Moderate certification adds to the cloud titan's security and compliance framework, which also covers PCI DSS Level 1, FIPS 140-2, ISO 27001 and SAS-70 type II, all security standards that govern most federal cloud services. AWS also enables businesses to comply with HIPAA regulations.
FISMA Moderate Authorization and Accreditation requires that AWS implement and operate an extensive set of security configurations and controls, including documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure as well as conducting third party audits.
"By meeting the Federal government's requirements for FISMA Moderate, agencies can rapidly expand their cloud computing footprint, deploying sensitive government data and applications on AWS while continuing to comply with the government's unique and rigorous security requirements," said AWS Chief Information Security Officer Stephen Schmidt in a statement.
Amazon said a host of government organizations are already using AWS for their cloud computing environments, including Recovery.gov, the Department of Treasury's Treasury.gov, the Federal Register 2.0 at the National Archives, the Supplemental Nutrition Assistance Program at USDA and the Jet Propulsion Laboratory at NASA. The company said it plans to continue to pursue the security certifications necessary to ensure secure cloud infrastructure for customers.
Along with Amazon achieving FISMA Moderate certification, AWS solution provider and reseller URS-Apptis was awarded an Infrastructure-as-a-Service blanket purchase agreement (BPA) from the GSA. Under the agreement, AWS is the exclusive technology provider and government agencies can procure on-demand cloud resources using the GSA IaaS BPA.
Amazon joins a list of cloud providers to achieve FISMA certifications as they battle for government cloud contracts. Earlier this year, Microsoft and Google became embroiled in a FISMA flap in which Microsoft claimed Google Apps for Government wasn't FISMA certified and therefore wasn't considered secure enough to be used by government agencies. Through the course of the FISMA fight, it was revealed that Microsoft itself was not FISMA certified in the cloud. Both Google and Microsoft have since achieved FISMA certifications.
Amazon's FISMA Moderate comes after Amazon launched AWS GovCloud, cloud services that add an extra layer of protection to meet the regulatory requirements necessary for the U.S. government. The AWS GovCloud Region targets federal, state and local governments to offer secured AWS services that comply with U.S. government regulations for data handling.
The heavy focus on federal cloud initiatives was born out of former Federal CIO Vivek Kundra's cloud-first policy, which dictates that the U.S. government will first investigate cloud computing options when making new technology purchases. The cloud-first policy is a bid to save the government cash and trim its $80 billion IT budget.
Earlier this week, the National Institute of Standards and Technology (NIST), the U.S. government's lead technical agency, launched a cloud computing standards roadmap and a cloud reference architecture to help guide federal agencies to cloud computing technologies.