none
FISMA / FedRAMP

    General discussion

  • I am trying to get an answer on FISMA compliance. I know some other Microsoft cloud services (e.g. Office 365) have received a federal ATO but what about Azure? 

    I found a TechEd 2012 presentation given by David Aiken, Cloudy Weather: How Secure Is the Cloud? (http://northamerica.msteched.com/topic/details/2012/SIA204), which states that Azure "core services" comply with ISO/IEC 27001:2005, SSAE 16 (SOC 1 Type 2), EU-US Safe Harbour, EU Model Clauses and HIPAA BAA is being worked on and FISMA/FedRAMP is "for later". In the video he says "the other big one we are working on is FISMA...which will come a little bit later than that". The "that" being HIPAA BAA, which back in mid-June 2012 he said should be in place in a couple of months.

    So what's the deal with Azure and FISMA? The first FedRAMP provisional ATOs are supposed to be issued by the end of the year, presumably to some of the existing GSA IaaS BPAs. Is Microsoft working on a FedRAMP JAB-issued provisional ATO for Azure? What's the timetable? 

    • Changed type Dino HeModerator Monday, November 26, 2012 5:41 AM Not a Azure question
    Friday, November 09, 2012 6:29 PM

All replies

  • Hi,

    Windows Azure does not have FISMA. We are close to getting FISMA compliance. But there is no timetable can be shared at this moment.

    Compliance related issue can be found at below page.

    http://www.windowsazure.com/en-us/support/trust-center/compliance/


    Allen Chen [MSFT]
    MSDN Community Support | Feedback to us

    • Marked as answer by reddog7 Tuesday, November 13, 2012 2:35 PM
    Monday, November 12, 2012 6:53 AM
    Moderator
  • Thanks. So I guess  for anyone in the market for a IaaS solution that meets federal requirements Microsoft isn't the place to go looking at the moment. I would suggest sharing a timetable as soon as possible, especially if some type of ATO is likely within the next 6 months. No timetable or information on where Microsoft in in the process suggests it is a ways off. 
    • Marked as answer by reddog7 Tuesday, November 13, 2012 2:35 PM
    • Unmarked as answer by reddog7 Tuesday, November 13, 2012 2:35 PM
    Tuesday, November 13, 2012 2:35 PM
  • It is now March 12, 2013 and I still haven't seen any feedback regarding when Azure IaaS will have provisional FedRAMP ATO. CGI Federal has an IaaS offering that does have FedRAMP ATO. If we can't get a timetable on Azure then CGI Federal is our only solution for now.

    Can someone offer a timetable for Azure? Thanks


    Glenn Meyer

    Tuesday, March 12, 2013 7:19 PM

  • Also interested in timetable for Azure.

    Autonomic also has a FedRAMP provisional ATO--they were the first to get one. But other providers provide FISMA IaaS solutions through the earlier GSA BPA and have done for some time. You can can get this on AWS now. Amazon has had it for a since 2011. 

    http://www.gsa.gov/portal/content/112063


    Wednesday, April 17, 2013 10:06 PM
  • It's now January 30th, 2014 and we still don't have any news about FISMA Compliance?

    Also, why does this article titled "Microsoft's Cloud Infrastructure Receives FISMA Approval" back on December 2nd, 2010 says that they were then FISMA Approved? Was that not pertaining to Windows Azure or was FISMA eventually revoked?

    Friday, January 31, 2014 7:37 AM
  • The 2010 article is referring to the fact that GFS is FISMA compliant, which is the underlying services group that runs the datacenters for Windows Azure and related services.

    As far as I know they haven't released the information about FISMA in Azure. They've stated that Windows Azure is FedRAMP compliant though (http://www.microsoft.com/en-us/news/press/2013/sep13/09-30fedramppr.aspx) which states that as a cloud service they can now host government entity-stuff, but that doesn't explicitly state that it's FISMA certified. There is a difference. 

    Logically though if the datacenter services are FISMA compliant, and the Cloud Services hosted in the datacenters are FedRAMP compliant... I'll still leave it up to the lawyers to explain if that's good enough.


    Developer Security MVP | www.syfuhs.net

    Friday, January 31, 2014 7:04 PM