Feds need to put the fizz in FISMA

Any cloud service provider worth its salt is rushing to claim compliance with the Federal Information Security Management Act of 2002, aka FISMA. The only problem is that FedRAMP, the government effort aimed at ensuring a safe move to cloud computing as part of the government’s “Cloud First” initiative, won’t be signing off on these certifications for another three or four months.

FISMA was meant to define a framework for protecting government information and operations against natural or man-made threats. Three levels of threat — low, moderate and high — were defined, based on the potential impact of a security breach. The latest action in the cloud comes as cloud providers lay claim to the “FISMA moderate” designation, meaning that the threat of a breach could result in “moderate” damage in terms of loss of “confidentiality, integrity or availability.”

Gaining a “FISMA moderate” designation is an important checklist item that would make cloud services more palatable to government agencies that want to move to the least expensive deployment option but also protect their data. Virtustream is the latest cloud vendor to hoist the FISMA moderate flag, saying Monday that its Vienna, Va., data center earned the moderate level FISMA authorization and accreditation certificate. It already held the FISMA “Low” accreditation. To attain moderate ranking, it had to show sufficient “physical controls and procedures to ensure that the site is secure via biometrics and other controls and is highly available through redundancy,” according to a Virtustream statement.

Amazon Web Services claimed the FISMA moderate mantle in September. As AWS evangelist Jeff Barr wrote at the time:

After receiving our FISMA Low level certification and accreditation, we took the next step and started to pursue the far more stringent FISMA Moderate level. This work has been completed, and the door is now open for a much wider range of US Government agencies to use AWS as their cloud provider. Based on detailed security baselines established by the National Institute of Standards and Technology (NIST), FISMA Moderate certification and accreditation required us to address an extensive set of security configuration and controls.

There’s nothing wrong with these FISMA claims; it’s just that they’re not really official — yet. FedRAMP will take another three or four months to review and generate a list of compliant companies, said a spokesman for the U.S. General Services Administration (GSA).

One thing is clear: the race is on to win government cloud business, said John Pescatore, Internet security analyst and VP at Gartner. “There’s definitely going to be money in direct sales to the government but also sales to companies like defense contractors that do business with the government.” Being on that FISMA-approved list will be non-negotiable to most high-tech companies.

Already there have been some nasty, revenue-driven vendor spats over FISMA claims, such as when Microsoft publicly questioned Google’s claim of FISMA compliance for Google Apps.

Sorry states: FedRAMP for feds only

One problem is that while FedRAMP pertains to federal cloud deployments only, many worry that budget-constrained states and cities will read any FISMA certification as some sort of safety guarantee. (The TechAmerica Foundation last week released its own set of best practices and guidelines for cloud deployment.)

Jeff Gould, president of Peerstone Inc., warned of this issue. “FISMA is a federal standard, but you also have a lot of state and local governments wanting to save money. Many will point to the FISMA badge as justification, although it is irrelevant to them,” he said. “We’ve got a race to the bottom where CIOs in smaller government entities are looking for any excuse to get the cheapest thing. The danger is that the vendors will take this FISMA certification as a blanket label to say ‘I’m the safe and secure cloud.’”

There’s little doubt that, over time, more of the government’s data and workloads will move to the cloud. But there’s no substitute for due diligence — which is what the FedRAMP effort proposes. The last thing any of these constituencies — cloud vendors, agencies, integrators, the government itself — needs is a public snafu.