By Susie Adams, Chief Technology Officer, Microsoft Federal

When I talk to federal CIOs about cloud computing, most of their questions focus on security and privacy.  Where is the data being hosted?  Who has access to it?  What controls are in place to protect my sensitive information?   In many cases the answers to these questions are difficult to obtain.  At Microsoft we take security and privacy very seriously and believe that the best way to answer these questions is to be open and transparent about our approach to certification and accreditation, risk management and day-to-day security processes.

Take our datacenters for example.  Datacenters are the foundation of any organization’s approach to cloud computing, and we’ve built our datacenters to comply with the strictest international security and privacy standards, including International Organization for Standardization (ISO) 27001, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002, and SAS 70 Type I and Type II.

This week we’re extremely happy to announce that Microsoft’s cloud infrastructure also received its Federal Information Security Management Act of 2002 (FISMA) certification from a cabinet-level federal agency.  Adding FISMA to our existing list of accreditations provides even greater transparency into our security processes and further reinforces our commitment to providing secure cloud computing options to federal agencies.  The authorization was issued to Microsoft’s Global Foundation Services, the organization responsible for maintaining Microsoft’s cloud infrastructure for all of our enterprise cloud services, including the Business Productivity Online Services - Federal (BPOS-Federal) offering as well as our Office 365 suite of services.  Our BPOS cloud productivity offerings are also in the process of being FISMA certified, and we expect to announce full compliance at the FISMA-Moderate level very shortly.

My colleague Mark Estberg posted a blog entry yesterday that goes into more detail about what this means for government organizations considering cloud deployment.  When combined with our existing security policies and controls, FISMA compliance ensures that customers benefit from highly focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.  We’ve incorporated the testing and continuous monitoring processes required by FISMA into our overall information security program, which is described in several white papers located on our Global Foundation Services website.

Specifically, I’d like to call out three papers that describe our comprehensive approach to information security and the framework for testing and monitoring the controls used to mitigate threats: Securing the Cloud Infrastructure at Microsoft, Microsoft Compliance Framework for Online Services, and the Information Security Management System for Microsoft Cloud Infrastructure paper, which gives an overview of the key certifications and attestations Microsoft maintains.

For more information on FISMA and its importance, check out the National Institute of Standards and Technology website and Mark Estberg’s full post on the Global Foundation Services Blog.