In Google-Microsoft dustup, what does 'FISMA-certified' mean?
Connecting state and local government leaders
A recent dispute over whether Google Apps for Government is properly authorized has been clouded by term "FISMA certified." But it’s debatable whether there is any such thing.
The recent spitting match between Google and Microsoft over certification of Google Apps for Government left me a little confused. Google insisted its offerings are FISMA certified, and Microsoft said they aren’t.
The dispute turns on which version of the Google applications you are talking about and whether they are essentially different. But what confused me was the use of the term “FISMA certified.” The Federal Information Security Management Act of 2002 does not require certification of products and services, and although Google stoutly maintained that it is in compliance with FISMA, the law does not apply to vendors. It applies to (most) federal agencies and to the IT systems they operate.
The words “certify,” “certification” and “certificate” appear nowhere in the law; neither do the words “vendor,” “manufacturer,” “supplier” nor “seller.”
Related coverage:
No lie: GSA backs Google on FISMA certification
What the law does do is give the National Institute of Standards and Technology authority to establish standards and guidelines — that are not product- or technology-specific — to ensure a reasonable level of security in government systems. But NIST does not use the term FISMA certification, either.
As it turns out, what Google and Microsoft are fighting over is not FISMA certification, but the administrative process of certification and accreditation (usually referred to as C&A) developed to help ensure compliance with NIST standards and mandated by the Office of Management and Budget, which oversees FISMA compliance.
C&A is the much maligned process of agencies evaluating the security needs and controls of their IT systems (certification) and acknowledging and accepting residual risks and authorizing the systems to operate (accreditation). The process has been criticized as expensive, time-consuming and ineffective, and in NIST’s “Guide for Applying the Risk Management Framework to Federal Information Systems” (SP-800-37 Rev.1), C&A is moving to a continuous monitoring model of risk management rather than periodic assessments.
IT systems still need certification and an authority from the authorized official to operate, and this has created a problem with cloud computing. The Obama administration has made cloud computing an objective for government, and it promises greater flexibility and efficiency, along with cost savings. But these benefits could be mitigated by the requirements that each IT system receive an authority to operate.
“One of the most significant obstacles to the adoption of cloud computing is security,” David McClure, who heads the General Services Administration’s innovative technologies effort, told a House subcommittee last year. “Agencies are concerned about the risks of housing data off-site in a cloud if FISMA security controls and accountabilities are not in place.”
But obtaining certification and an authority to operate each time a cloud-based service is used would defeat the purpose of an agile, on-demand service. So GSA and NIST developed the Federal Risk and Authorization Management Program (FedRAMP) to provide a blanket C&A and authority to operate for cloud products offered through GSA’s apps.gov cloud storefront.
FedRAMP applies a governmentwide baseline of security requirements that are based on NIST’s “Recommended Security Controls for Federal Information Systems and Organizations” (SP 800-53 Rev. 3). The program coordinates and manages authorization, and provides ongoing risk assessments of the authorized systems.
Like the C&A process, FedRAMP has been criticized as inadequate, primarily because it does not focus enough on real-time monitoring. But whatever its strengths and weaknesses, it is the standard that cloud service providers must meet.
I don’t like the term “FISMA certification,” but that is a personal bias. It might be a legitimate shorthand for the C&A and authorization process that cloud vendors must undergo. Either way, it is helpful to understand just what the term refers to when it is being debated.
NEXT STORY: 4 agency apps highlight the power of mobile tech