Microsoft’s Cloud Infrastructure Receives FISMA Approval
By Mark Estberg, Senior Director of Risk and Compliance,
Global Foundation Services
Although cloud computing has emerged as a hot topic only in the past few years, Microsoft has been running some of the largest and most reliable online services in the world for over 16 years. Our cloud infrastructure supports more than 200 cloud services, 1 billion customers, and 20 million businesses in over 76 markets worldwide.
Today, I am pleased to announce that Microsoft’s cloud infrastructure has achieved another milestone in receiving its Federal Information Security Management Act of 2002 (FISMA) Authorization to Operate (ATO). Meeting the requirements of FISMA is an important security requirement for US Federal agencies. The ATO was issued to Microsoft’s Global Foundation Services organization. It covers Microsoft’s cloud infrastructure that provides a trustworthy foundation for the company’s cloud services, including Exchange Online and SharePoint Online, which are currently in the FISMA certification and accreditation process.
This ATO represents the government’s reliance on our security processes and covers Microsoft’s General Support System and follows NIST Special Publication 800-53 Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations.”
Government organizations require specialized compliance and regulatory processes. Operating under FISMA requires transparency and frequent security reporting to our US Federal customers. And we are applying these specialized processes across our infrastructure to even further enhance our Online Services Security & Compliance program. The company has been designing and testing our cloud applications and infrastructure for over a decade to continually address emerging, internationally-recognized standards. We are focused on excelling in demonstrating our capabilities and compliance with these laws and with our stringent internal security and privacy policies. As a result, all our customers can benefit from highly-focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.
Microsoft’s Chicago datacenter (a FISMA-approved facility), provides over 17 football fields worth of cloud computing capacity.
The company opened its first datacenter in September 1989 and today its globally-distributed, high-availability datacenters are managed by our Global Foundation Services (GFS) group. GFS’s Online Services Security & Compliance team has built upon the company’s existing capabilities, including being one of the first major online service providers to achieve our ISO/IEC 27001:2005 certification and SAS 70 Type II attestation, which also met the FISMA requirements. We have also gone beyond the ISO standard, which includes some 150 security controls and developed over 300 security controls to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved. The additional rigorous testing and continuous monitoring required by FISMA have already been incorporated into our overall information security program, which is described in several white papers located our Global Foundation Services web site.
More information about FISMA is available at the National Institute of Standards and Technology web site.
Comments
Anonymous
December 04, 2010
Is FISMA compliance also valid for Azure Datacenters? TnksAnonymous
December 07, 2010
Was this at the low or moderate level?Anonymous
January 14, 2011
Can this be leveraged through FedRAMP?Anonymous
March 16, 2011
Other press releases indicate that although the data center is approved to operate, the actual application services (i.e. Exchange Online and SharePoint) have not been certified. What is the status of service certification?Anonymous
July 07, 2011
Who builds a major data center adjacent to a busy interstate highway?Anonymous
October 05, 2011
does this mean that a SharePoint Online Dedicated Service offering would be automatically FISMA Compliant?Anonymous
March 19, 2013
As an Office 365 Enterprise level customer, how can we obtain a copy of the FISMA ATO Letter to satsify our Federal governmnet clients inquiries?Anonymous
May 23, 2014
Mark Estberg, Senior Director Online Services Security & Compliance
Compliance is a popularAnonymous
May 27, 2014
PurpleDemon9Anonymous
May 27, 2014
DIAMONDAnonymous
March 08, 2016
Pingback from FISMA Certification and Accreditation for BPOS-Federal | Cloud Power IT InsightsAnonymous
March 08, 2016
Pingback from Microsoft Cloud Infrastructure FISMA Approval and Delivering on Public Sector Customer Needs | Cloud Power IT Insights