Federal Information Security Management Act (FISMA) certification requires federal agencies to develop and implement an information security program based on risk-based assessments, including for work managed by a contractor.
The configurations and controls required by FISMA Moderate are “extensive,” according to Amazon, and include third-party audits and process documentation.
Public-sector customers — including Recovery.gov, Treasury.gov and the Federal Register — are using the Amazon Elastic Compute Cloud for flexible computing power, and also the online retailer’s private cloud and storage offerings. The company has established a partitioned “GovCloud” specifically for government customers.
With the addition of FISMA Moderate, Amazon Web Services now has PCI DSS Level 1, FIPS 140-2, ISO 27001, and SAS 70 Type II certifications, the company said.
“By meeting the Federal government’s requirements for FISMA Moderate, agencies can rapidly expand their cloud computing footprint, deploying sensitive government data and applications on [Amazon Web Services] while continuing to comply with the government’s unique and rigorous security requirements,” said Stephen Schmidt, the company's chief information security officer, in a statement.
FISMA certification has become an important milestone in the burgeoning cloud computing market, as earlier this year Microsoft and Google got into a spat about which company’s products were truly FISMA-compliant.