I am trying to get an answer on FISMA compliance. I know some other Microsoft cloud services (e.g. Office 365) have received a federal ATO but what about Azure?
I found a TechEd 2012 presentation given by David Aiken, Cloudy Weather: How Secure Is the Cloud? (http://northamerica.msteched.com/topic/details/2012/SIA204), which states that Azure "core services" comply with ISO/IEC 27001:2005, SSAE 16 (SOC 1 Type 2),
EU-US Safe Harbour, EU Model Clauses and HIPAA BAA is being worked on and FISMA/FedRAMP is "for later". In the video he says "the other big one we are working on is FISMA...which will come a little bit later than that". The "that" being HIPAA BAA, which back
in mid-June 2012 he said should be in place in a couple of months.
So what's the deal with Azure and FISMA? The first FedRAMP provisional ATOs are supposed to be issued by the end of the year, presumably to some of the existing GSA IaaS BPAs. Is Microsoft working on a FedRAMP JAB-issued provisional ATO for Azure?
What's the timetable?
Changed Type: Dino He (Moderator), Monday, November 26, 2012 5:41 AM. Not an Azure question
Thanks. So I guess for anyone in the market for an IaaS solution that meets federal requirements Microsoft isn't the place to go looking at the moment. I would suggest sharing a timetable as soon as possible, especially if some type of ATO
is likely within the next 6 months. No timetable or information on where Microsoft is in the process suggests it is a ways off.
Marked As Answer by reddog7, Tuesday, November 13, 2012 2:35 PM
Unmarked As Answer by reddog7, Tuesday, November 13, 2012 2:35 PM
It is now March 12, 2013 and I still haven't seen any feedback regarding when Azure IaaS will have provisional FedRAMP ATO. CGI Federal has an IaaS offering that does have FedRAMP ATO. If we can't get a timetable on Azure then CGI Federal
is our only solution for now.
Autonomic also has a FedRAMP provisional ATO--they were the first to get one. But other providers provide FISMA IaaS solutions through the earlier GSA BPA and have done for some time. You can get this on
AWS now. Amazon has had it since 2011.