Microsoft’s Cloud Infrastructure Receives FISMA Approval

By Mark Estberg, Senior Director of Risk and Compliance,
Global Foundation Services

Although cloud computing has emerged as a hot topic only in the past few years, Microsoft has been running some of the largest and most reliable online services in the world for over 16 years. Our cloud infrastructure supports more than 200 cloud services, 1 billion customers, and 20 million businesses in over 76 markets worldwide.

 

Today, I am pleased to announce that Microsoft’s cloud infrastructure has achieved another milestone in receiving its Federal Information Security Management Act of 2002 (FISMA) Authorization to Operate (ATO). Meeting the requirements of FISMA is an important security requirement for US Federal agencies. The ATO was issued to Microsoft’s Global Foundation Services organization. It covers Microsoft’s cloud infrastructure that provides a trustworthy foundation for the company’s cloud services, including Exchange Online and SharePoint Online, which are currently in the FISMA certification and accreditation process. 

 

This ATO represents the government’s reliance on our security processes and covers Microsoft’s General Support System and follows NIST Special Publication 800-53 Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations.”

 

Government organizations require specialized compliance and regulatory processes. Operating under FISMA requires transparency and frequent security reporting to our US Federal customers. And we are applying these specialized processes across our infrastructure to even further enhance our Online Services Security & Compliance program. The company has been designing and testing our cloud applications and infrastructure for over a decade to continually address emerging, internationally-recognized standards. We are focused on excelling in demonstrating our capabilities and compliance with these laws and with our stringent internal security and privacy policies. As a result, all our customers can benefit from highly-focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.

 

 

 

Microsoft’s Chicago datacenter (a FISMA-approved facility), provides over 17 football fields worth of cloud computing capacity.

 

The company opened its first datacenter in September 1989 and today its globally-distributed, high-availability datacenters are managed by our Global Foundation Services (GFS) group. GFS’s Online Services Security & Compliance team has built upon the company’s existing capabilities, including being one of the first major online service providers to achieve our ISO/IEC 27001:2005 certification and SAS 70 Type II attestation, which also met the FISMA requirements. We have also gone beyond the ISO standard, which includes some 150 security controls and developed over 300 security controls to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved. The additional rigorous testing and continuous monitoring required by FISMA have already been incorporated into our overall information security program, which is described in several white papers located our Global Foundation Services web site.  

 

More information about FISMA is available at the National Institute of Standards and Technology web site.

Comments

  • Anonymous
    December 04, 2010
    Is FISMA compliance also valid for Azure Datacenters? Tnks

  • Anonymous
    December 07, 2010
    Was this at the low or moderate level?

  • Anonymous
    January 14, 2011
    Can this be leveraged through FedRAMP?

  • Anonymous
    March 16, 2011
    Other press releases indicate that although the data center is approved to operate, the actual application services (i.e. Exchange Online and SharePoint) have not been certified.  What is the status of service certification?

  • Anonymous
    July 07, 2011
    Who builds a major data center adjacent to a busy interstate highway?

  • Anonymous
    October 05, 2011
    does this mean that a SharePoint Online Dedicated Service offering would be automatically FISMA Compliant?

  • Anonymous
    March 19, 2013
    As an Office 365 Enterprise level customer, how can we obtain a copy of the FISMA ATO Letter to satsify our Federal governmnet clients inquiries?

  • Anonymous
    May 23, 2014
    Mark Estberg, Senior Director Online Services Security & Compliance


    Compliance is a popular

  • Anonymous
    May 27, 2014
    PurpleDemon9

  • Anonymous
    May 27, 2014
    DIAMOND

  • Anonymous
    March 08, 2016
    Pingback from FISMA Certification and Accreditation for BPOS-Federal | Cloud Power IT Insights

  • Anonymous
    March 08, 2016
    Pingback from Microsoft Cloud Infrastructure FISMA Approval and Delivering on Public Sector Customer Needs | Cloud Power IT Insights