Federal CIO Vivek Kundra is widely seen as a champion of cloud computing for the federal government. In the near future, he may get his wish, as Google Apps looks set to receive FISMA certification.
Kundra has spearheaded the launch of Apps.gov, where federal agencies can browse and purchase cloud-based IT offerings. He would like to see the federal government take advantage of the potential benefits that the cloud has to offer.
Back in September 2009, Google announced that it had submitted a certification and accreditation package to the General Services Administration (GSA). The company expects to receive an authority to operate (ATO) “very shortly,” according to David Mihalchik, Google Federal’s cloud computing and FISMA contact.
“The cloud is coming of age, and we applaud the Obama Administration’s efforts to ensure our government realizes its many advantages,” Matthew Glotzbach, Director, Product Management, Google Enterprise, wrote in a blog post in September. “We also want to do our part to make it easier for government to transition to cloud computing. We recognize that government agencies have unique regulatory and compliance requirements for IT systems, and cloud computing is no exception.”
For federal customers, FISMA certification of a cloud offering is an important metric.
“What it means for federal customers is that they have a way of evaluating the security of Google Apps,” Mihalchik says. “[The customers will be] able to understand that Google Apps has equal or better security than their existing systems.”
One of the pieces Google provides is a continuous monitoring model. Continuous monitoring is at the heart and soul of FISMA reform circulating in Congress.
“One of the things that you hear a lot about in FISMA reform is the concept of continuous monitoring,” Mihalchik says. “That is something that we are doing already and that we will strongly support.”
So what does it take to become accredited?
The National Institute of Standards and Technology (NIST) lays out a set of key controls that systems across the federal government must meet. In order to be accredited, a vendor needs to submit documentation that demonstrates compliance with the set of controls outlined by NIST.
Once Google receives FISMA certification, government clients will be able to use off-the-shelf Google Apps to conduct their business in the cloud. The certification means that the clients will be “able to deploy Google Apps knowing that it is authorized to operate under FISMA.”