The General Services Administration has awarded AWS' Elastic Compute Cloud (EC2), Simple Storage Service (S3), Virtual Private Cloud (VPC), as well as the infrastructure on which they run, Moderate Authorization and Accreditation with the Federal Information Security Management Act (FISMA), the company said Thursday. Created and maintained by the National Institute for Standards and Technology (NIST), FISMA is a key hurdle for companies to pass to ensure their solutions can meet the security needs of the federal government.
The move marks the first time AWS has received a FISMA Moderate authority to operate, and the company was required to implement and operate an extensive set of security configurations and controls to achieve it. They included documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure of cloud services, as well as conducting third-party audits of these activities, according to AWS.
"Security remains our top priority, and we continue to pursue certifications that provide our customers with the resources they need to confidently and securely deploy mission-critical applications in the AWS cloud," Stephen Schmidt, chief information security officer for Amazon Web Services, said in a press statement.
The federal government already is leveraging EC2 for some of its cloud moves. The Department of Treasury, for instance, earlier this year migrated four existing websites and hosted a new, revamped site on AWS' cloud infrastructure. The Federal Register 2.0 at the National Archives, the Supplemental Nutrition Assistance Program at the U.S. Department of Agriculture, and NASA's Jet Propulsion Laboratory also are AWS cloud customers, according to the company.
Indeed, cloud computing infrastructure providers like AWS, Microsoft, and Google have been competing mightily for federal business, and achieving FISMA certification is a key step for them to win the confidence of agencies in terms of security.
However, there has been contention over claims of FISMA compliance among them in the past. Last year, Microsoft accused Google of falsely claiming FISMA compliance for its Google Apps for Government cloud-based application suite, accusations Google denied.
Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)