FISMA Compliance for Cloud Service Providers
Any cloud service provider knows that compliance with the Federal Information Security Management Act (FISMA) is a complex issue. Nevertheless, it has to be met if your business is to handle any government data. While many would be tempted to steer away from government contracts due to the complexities involved, such business does provide long and stable revenue. However, there are two aspects that need to be discussed even if you are not yet working with government contracts.
The first issue is being able to meet FISMA standards even if you are not working with the government. If you are able to show compliance with FISMA standards, then your service becomes that much more attractive to the industry. After all, stability, redundancy, disaster recovery, etc. are all part of the normal range of cloud offerings. As CMM level 5 was a few years ago, meeting FISMA means you have reached a level of maturity that puts your service ahead of the pack. It is natural for this to lead to better revenues and bottom lines.
The second issue to discuss here is the continuous monitoring that FISMA advocates.
The National Institute of Standards and Technology (NIST) lays down nine steps that are required to ensure FISMA compliance. The last of these is that you “monitor the security controls on a continuous basis”. This is what makes some cloud service providers unhappy. Monitoring on a continuous basis implies additional manpower, tools and controls, and eventually raises the cost of their services. NIST points out that unless the monitoring is on a continuous basis, any protocols and procedures you put in place for FISMA compliance will soon become outdated, and attackers could easily bypass them.
NIST is right. FISMA is not about documentation; it is about making serious, results-driven improvements to existing procedures and methods. It requires proper tools, testing, training, reporting and corrective action. A monitoring program that is taken seriously will transform static security procedures into dynamic security. Service providers who take this seriously will find it much easier to demonstrate compliance with HIPAA, SOX, HITECH and PCI requirements. Services that meet these standards are the ones that are most valued by the industry.
Since demonstrating compliance with FISMA requirements is a complex process, cloud service providers are increasingly turning to third-party vendors who specialize in the process. These third parties will take you through the process and ensure that service providers put in place systems to manage their security continuously. While this does appear to be an additional expenditure, it has been observed that improving security certification levels is a powerful way to attract higher-paying clients and greater business.
I would suggest that you approach FISMA as companies once approached CMM. Think of it as a series of steps on a security ladder. Every requirement with which you comply makes your services safer and more attractive. It at least gets the low-hanging fruit into your basket. Perhaps the additional revenue will pay for the more complex processes.
About the Guest Author:
Sanjay Srivastava has been active in computing infrastructure and has participated in major projects on cloud computing, networking, VoIP and in creation of applications running over distributed databases. Due to a military background, his focus has always been on stability and availability of infrastructure. Sanjay was the Director of Information Technology in a major enterprise and managed the transition from legacy software to fully networked operations using private cloud infrastructure. He now writes extensively on cloud computing and networking and is about to move to his farm in Central India where he plans to use cloud computing and modern technology to improve the lives of rural folk in India.