Microsoft gets FISMA certification

December 15, 2010
Google will soon be fighting for room on the cloud with rival Microsoft.

Microsoft recently received Federal Information Security Management Act certification for cloud computing data centers — about five months after Google gained approval.

“Meeting the requirements of FISMA is an important security requirement for U.S. Federal agencies,” Microsoft’s Senior Director of Risk and Compliance Mark Estberg wrote in a Dec. 2 Global Foundation Services blog post.

However, Microsoft’s hosted Exchange and Online services are still in the process of getting approved for FISMA certification.

Microsoft recently reworked its cloud services and renamed the suite “Office 365.” Office 365 is currently in beta form and includes Microsoft Office, SharePoint, Exchange, Lync Online and other services. Office 365 will be available beginning in the first half of next year.

And while Microsoft was celebrating its approval, the General Services Administration announced plans to become the first federal agency to move its email and collaboration tools to Google’s cloud-based service, Google Apps.

Microsoft said it was “disappointed” with the GSA’s selection.

“While we are disappointed we will not have the opportunity to meet the GSA’s internal messaging needs, we will continue to serve its productivity needs through the familiar experience of Microsoft Office and we look forward to understanding more about GSA’s selection criteria – especially around security and architecture,” Microsoft wrote on its Why Microsoft blog.


Great week for Microsoft’s cloud services

December 12, 2010

Two good pieces of news for Microsoft on the cloud computing front.

Microsoft has received its FISMA certification. Microsoft CTO Susie Adams said in a company blog post, “Adding FISMA to our existing list of accreditations provides even greater transparency into our security processes and further reinforces our commitment to providing secure cloud computing options to federal agencies.”

At the same time, the Agriculture Department says it’s ready to move to Microsoft’s cloud services. USDA awarded Dell a contract in May for Microsoft online services. The move to Microsoft’s Enterprise Messaging Service (EMS) includes e-mail, Web conferencing, document collaboration and instant messaging. Federal News Radio’s Jason Miller reports that under the deal, Dell will move 120,000 USDA employees out of 21 separate e-mail systems and into the EMS system. The transition will begin within the next month.

All of this news comes on the heels of last week’s announcement by the General Services Administration that it has awarded Unisys a contract to move its email to the cloud using Google Apps for Government.


Why Recovery.gov moved to the cloud

June 17, 2010

We told you earlier about Recovery.gov moving into the cloud.

Jim Warren is chief information officer of the Recovery, Accountability and Transparency Board (http://www.recovery.gov/Pages/home.aspx).

He tells Fed Cloud Blog all about why they decided to make the move.

FCB: Where do you see cloud taking you in the future?

JW: After performing a formal feasibility study to confirm our assessment that our migration into cloud would provide substantial, tangible and intangible benefits, the decision to make the move was all but trivial.

It’s important to note that our decision to move was completely rooted in business optimization. In fact, it wasn’t until after the migration that we learned that we were the first governmentwide information system to successfully migrate to the public cloud environment, which is a major milestone for the government. . . . We expect to save approximately $750,000 over the next 18 months, with even more savings expected to follow. The Board intends to repurpose more than a million [dollars] in computer equipment to the accountability mission, which will strengthen our Recovery Operations Center by allowing for increased tracking of stimulus dollars.

Furthermore, the move to the cloud environment has freed up Board staff resources, allowing us to focus more on improving and displaying richer content on Recovery.gov.

Finally, the cloud model provides efficiency for operating the website, allowing rapid expansion or contraction of resources on an as-needed basis, and ensuring availability and a high-quality experience for our users.

Now, as far as challenges — timing and resource management were our two largest obstacles of migrating into the public cloud infrastructure. Given the technical approach we used, and the contingency options at hand, my team and I were quite confident that our movement to the cloud would be a very low-risk move.

FCB: As you said, you’re the first governmentwide system, really, to move to the cloud. Have you gotten a lot of attention from other agencies who have come to you and said, ‘Hey, how’d you do it?’ What has the reaction been?

JW: The minute the federal [CIO] made that announcement and the press releases hit, I had several agencies contacting me. . . . We are currently in the process of providing guidance and materials, artifacts and lessons learned to several other organizations.

FCB: Speaking of those lessons learned, can you maybe go over two or three? Is there anything you can pass as a best practice or lessons learned?

JW: From a lessons learned perspective, I’m not sure we had any negative lessons. The move was well-orchestrated. We had contingency options along the way, [such as] a COOP site in place.

The official date for our migration to the cloud was actually far sooner than what was publicized because we had flipped back and forth between the COOP site, exercising it to make sure that when we went to full production . . . that Recovery.gov would stay alive. We did that transition numerous times back and forth between COOP and production and, quite frankly, no one in the world knew.

So, we had nothing but a very pleasurable experience in making the migration.

FCB: [Speaking of] challenges, was there anything specific, now that you’ve been on the cloud, that you’re seeing that has really stood out? Are there [issues] you will have to deal with in the future? Anything that surprised you?

JW: Well, not really. There are some benefits that we knew we would gain that I’m looking at now, like the elasticity, for instance. The performance in the cloud has just been phenomenal, and the elasticity of our provider is just phenomenal.

But what I do not have a firm grasp of yet is performance management of a contractor that utilizes a cloud model.

Because we are the first out there, these methodologies and techniques for providing the performance management simply don’t exist, at least to my knowledge. There are some loose frameworks, but I have not seen anything concrete enough that we could use it.

To give you an example, if you look at a security control evaluation, for instance, using Special Publication 853-A by NIST — how do you really use that in a cloud environment? Do we rely on the service provider to perform security for us?

So, we’re still trying to put our arms around some of the security components and security oversight [and] even though the contract covers that well, and we are FISMA compliant and we do have an authority to operate . . . we’re continuing to optimize the business and we just want to make sure that we’re getting value management and performance management, and we also want to implement good security practices.


Survey: Most federal CISOs not moving to cloud yet

May 12, 2010

The second annual State of Cybersecurity from the Federal CISO’s Perspective has been released. (ISC)2 and Cisco, along with Garcia Strategies, put together their second annual report based on questions answered by a broad cross-section of U.S. government chief information security officers.

Fed Cloud Blog got to sit down with David Graziano, operations director for federal security at Cisco and Lynn McNulty, former director of government affairs at (ISC)2 to get their perspective on what the survey shows.

Today, we bring you excerpts of the conversation.

Why the survey was conducted

LM: We looked around and . . . came to the realization that a lot of people do surveys of CIOs and chief technical information officers and other categories of people, but nobody does a regular, annual survey of CISOs, particularly in the federal community. Their role has been changing and is taking on a great deal of importance over the last couple of years, and we thought it would be appropriate to reach out to them.

Survey result: There is more satisfaction with EINSTEIN

DG: The EINSTEIN program is put in place by the Department of Homeland Security, and it really is a way to monitor and protect the federal government Internet gateways. The Department of Homeland Security, and specifically US-CERT, put in place the EINSTEIN program over the last few years, and it’s predominantly there to monitor traffic going in and out of the federal government for the purpose of looking for malware and attempted attacks [and] attempted threats to penetrate the federal government.

The most interesting part of the aspect of our survey in this area is that we found that . . . CISOs are telling us that they are generally satisfied with the EINSTEIN program. I found that that was very interesting because, a couple of years ago when we did this survey, our respondents were questioning how useful or how valuable EINSTEIN was going to be. The [current] survey has definitely indicated that it is heading in the right direction.

On the changing role of the CISO

DG: Federal CISOs realize that their role is becoming more strategic. That’s definitely, probably the number one finding of this survey. Security is now recognized as being more relevant to an agency’s mission, and, because of that, there’s better alignment with driving agency policy and direction. What we believe has happened is, over the last couple of years . . . federal CISOs were focused on getting their FISMA report cards. Now, all of a sudden, the relevancy of recognizing cybersecurity is critical to an agency’s mission, and has really elevated federal CISOs to becoming more strategic in their organization.

LM: I totally agree with David and I think it’s also one of the impacts of the Comprehensive National Cyber Initiative — it has resulted in this kind of much more senior level management attention upon the security issue, with the result that the CISO has probably spent a lot more time in front of very senior department and agency officials, and has been given tasks and implementing responsibilities that are much more strategic in nature than they are technical in nature.

Are federal CIOs and CISOs hesitant about moving to the cloud?

DG: One of the interesting things from the survey was that 72 percent of our respondents are not using cloud computing. What that tells me is that, while everybody’s talking about it and talking about how great it’s going to be, it means that only 28 percent of our customers are really diving into it. Chances are, that’s primarily due to security concerns, whether it’s data loss or an inability to enforce policy.

If you think about it, whether it’s a private cloud or a public cloud, either way you have to be able to extend your policy into that cloud in order to protect the information that resides there. So, probably what we’ll see, say, over the next two years, is that ability to extend policy into the cloud, and be able to enforce it, and that will reduce the risk and allow our customers to move there. Right now, they’re looking at it and not jumping in.

LM: I think they’re very concerned about the level of risk that’s involved, the potential loss of control over data, and from what I heard from just talking with CISOs, they’re going to move into the cloud, but those applications that get put into the cloud are going to have a very low risk level. It will allow them to gain some experience, and also to feel much more comfortable before they start moving any more sensitive information into cloud computing, particularly if there’s an offshoring element involved in the application.

Does OMB’s Information Systems Security Line of Business facilitate the sharing of best practices when it comes to initiatives like cloud?

LM: I think it does facilitate collaboration. Also, I think agencies will be looking at the Line of Business as a worked example and one that may be better for them to use from both security and economy and efficiency reasons, rather than trying to duplicate that same capability within their own organization.

DG: I agree. If you look at the TIC initiative, for instance, at many agencies it was going to be cost-prohibitive for them to stand up a security operation center. So, by going and being able to collaborate with other agencies and rely on their expertise, it gave [them] the ability to better protect themselves [and] improve the security of the organizations without spending the money to stand up their own secure operations.


Social Security Administration will use cloud for low-risk applications

April 26, 2010

Frank Baitman is chief information officer at the Social Security Administration.

If you listened to last week’s Ask the CIO on Federal News Radio, you know that Baitman came from the private sector with extensive experience in e-business.

Now, he’s at SSA, and tells Fed Cloud Blog all about why he’s taking a look at cloud computing.

FB: As most federal agencies are, we’re looking at cloud computing and, initially, we’re going to look at using the cloud for low-risk applications, and we’ll be working with other federal agencies to make sure that we share our FISMA certifications on the cloud — whether or not we have that cloud hosted by the federal government or we look to industry to host it.

FCB: When you say ‘low risk’, can you give us an example, maybe, of what [that] is?

FB: We haven’t made any decisions yet, but something like our website. That’s something that might be better hosted outside where you can have scalability, reliability and lower costs, than if we host it internally.

FCB: We imagine even something like public affairs press releases — and stuff like that — stuff you want to get the word out to the public on?

FB: Something where there are probably going to be erratic hits. So, on particular days of the month, for instance, there are going to be a lot of hits on our website and it’s better if someone who can scale that with additional servers hosts that. They can probably do it for a lot less money than we can do it internally.

FCB: You have also talked about modernizing your Citizen Services. A lot of that contains, obviously, some sensitive information. If I want to log on to find out how much Social Security I get when I’m [older], I can do that, but that’s obviously sensitive. Is that something that you think could ever go into the cloud?

FB: That’s something for the distant future, I guess I’d say. There’s a lot we can do nearer term that’s lower risk. There’s no reason to put that out there. . . . If we properly architect [it], we can put the application out there, but keep the data secure within Social Security.


GCE helps Dept. of Labor with financial management in cloud

March 15, 2010

The Department of Labor is using cloud computing for much of its financial management, and GCE is helping the agency out.

This week, Fed Cloud Blog talked with David Lucas, chief strategy officer at GCE Federal, to get the inside scoop on what’s going on.

Lucas starts off by explaining who GCE is and what they do:

DL: GCE is a small business that serves the federal marketplace. Primarily we are known now as a software-as-a-service provider.

We provide a lot of back-office solutions for federal agencies, including financial management services, accounting systems, procurement systems, asset systems — things that help agencies run their back office.

We’ve created a suite of products and services that we offer through a cloud for their use.

FCB: In your experience, so far, is this kind of different process — the cloud process — is that working so far for the federal government? How’s it helping federal agencies?

DL: The biggest thing that, as a [SaaS] provider, we’re able to offer is that we really get agencies out of the business of all the care and feeding of their financial management systems.

These are large, enterprise-sized systems that require a whole lot of investment.

With a cloud solution, agencies no longer have to worry about the infrastructure pieces, like the hosting and the hardware — and they don’t have to worry about the other side of it because we’ve developed an end-to-end solution that is pre-configured and meets all the federal guidance for financial management systems.

So, for an agency that needs a financial management system or wants a modernized set of tools for their users, they can simply plug into a cloud. They don’t own any hardware.

They don’t own any software. Instead, they receive all of this as a service.

FCB: This cloud — or clouds — do you have just one for all federal agencies or do you have many?

DL: We have one offering that can be used by multiple federal agencies.

Right now, we just moved our latest customer, the Department of Labor, into our cloud for financial management solutions. [Labor] consists of about a dozen organizations — their Bureau of Labor Statistics and ETA and others — so there are 12 large organizations that comprise the Department. Each one needs their data segregated and their business process needs met.

So, it’s one government department, but it really breaks down into about a dozen agencies now in the cloud.

FCB: Is this a private cloud? You hear a lot of people talking about the security involved with cloud computing, but sometimes I don’t think people are familiar with private cloud versus public cloud. We know you can’t reveal any actual secrets, but maybe if you want to expand a little bit on how your cloud is secure?

DL: Security is always a concern. In fact, it’s one of the things that comes up whenever someone is looking at this business model.

People are very quickly wowed by the software that you’re offering, because they know how difficult it is, especially in financial management — our line of business — to build a system from scratch. So, we’ve taken that part away.

They’re also wowed by the return on investment when they realize they don’t have to expand their data center or worry about the running of the system every day.

The next thing that usually comes to mind is security.

There are a lot of standards already in place around financial systems that speak to the security requirements, including how you segregate data, how you keep the integrity of the data as it goes through the system, and what kind of access controls are required.

All of this is really spelled out in great detail.

There are NIST standards and FISMA standards — so, what it takes is a fair amount of effort to work with the CIO community of a federal agency to make sure that the i’s are dotted and the t’s are crossed, but it’s something that we were able to do quite effectively with the Department of Labor.

We do have what’s called an authority to operate.

What’s nice is, as other customers take advantage of our cloud, they also take advantage of a lot of the security . . . and all the documentation around the security practices, so that it doesn’t take someone a year just to get through the security process.

Part of our cloud offering is the security compliance piece that’s already in place.


Google’s cloud offerings for the federal government in 2010 — and beyond

January 14, 2010

Google is moving into the federal space and partnering with the U.S. government to deliver services in the cloud for agencies.

David Mihalchik, Business Development Executive for Google Federal, talked with FCB about what Google will offer in 2010 — and beyond.

Fed Cloud Blog: We just wanted to start off with a really simple question — if you could explain your partnership with the federal government in terms of cloud.

David Mihalchik: Today, government is spending too much on information technology and needs to get more out of each dollar that it’s spending on technology.

So, in the case of email in the federal government, agencies are spending millions to maintain systems that have 100 times less inbox storage than a standard consumer email account that is offered for free online.

They’re also struggling to keep pace with innovation, particularly around information sharing and collaboration.

Cloud computing is an area that makes perfect sense for government to address some of these challenges that they’re facing — to dramatically reduce costs for IT, while at the same time increasing performance and being able to keep pace with technology.

The real outstanding question has been, can cloud computing meet government security requirements?

Google’s answer is that we can meet or exceed the government’s requirements as they’re spelled out in FISMA law, and this is something that we know is critical for government.

FCB: We know you probably can’t talk about specifics, but when it comes to complying with FISMA, can you give us some general ideas of what that means?

DM: This is a law that’s spelled out by Congress and has individual requirements which are spelled out by NIST.

It’s a set of security requirements that every single federal government agency must meet for their systems.

Google reviewed these controls and requirements and really found that, for the most part, we meet the security requirements of the government, and in many cases, exceed the security requirements of the government.

We had to prepare some documentation to demonstrate our compliance and we’ve done that.

FCB: I understand that Google offers cloud services for the general public. How are [the federal services] different? Is there anything different, other than the security, that Google is doing for the federal government versus what someone — like us — can get?

DM: As a consumer user, you’re familiar with Gmail for email, calendar, our instant messaging product — Google Talk — docs, Google Sites, Google Video — that’s all bundled together in what we call Google Apps.

That’s a product that we offer to consumers, but we also offer to the enterprise and to our customers in the federal government.

What’s different is that there is much more storage available — 25 gigabytes storage per inbox.

There is support that’s available to our customers, and also the ability to tie this account to a set domain, such as gsa.gov or fcc.gov, so that it’s an experience where it’s all blended in to a domain and you have access to all of those capabilities.

Tomorrow — a weekly cloud news roundup. Monday — more with David Mihalchik of Google Federal.
