Google announced today that its public-sector focused cloud computing service, Google Apps for Government, successfully completed a security certification and accreditation (C&A) process and received an authorization to operate (ATO) from the General Services Administration. This achievement should help overcome one of the more significant barriers to federal agency adoption of third-party cloud computing solutions, and is a strong statement of Google's commitment to the public sector market. It remains to be seen how willing other agencies will be to accept GSA's authorization decision for Google's apps; almost all federal agencies are self-accrediting, making their own decisions about what level of system security and what level of risk they are willing to accept in their own environments, and therefore system authorizations are not often "portable" among agencies, even when the same underlying technology is involved. According to Google's own statements, the company is paying close attention not only to complying with relevant security requirements, but also to aligning with emerging government-wide standards and definitions on cloud computing, cloud services, and the different architecture patterns associated with the term "cloud computing." While the GSA authorization appears to be a good first step, presumably Google should try to enlist one or more federal agencies as a sponsor in seeking authorization for Google Apps under the Federal Risk and Authorization Management Program (FedRAMP). This government-wide initiative, sponsored by the federal CIO Council, is intended specifically to provide greater reuse of authorization efforts for outsourced systems and services provided for use by multiple agencies. While officially not limited in scope, its initial focus is on cloud computing.
The Google announcement describes the C&A as a requirement of the Federal Information Security Management Act (FISMA), which for practical purposes is true, even if it's technically not quite accurate. Under federal guidance contained in Appendix III of OMB Circular A-130, "Security of Federal Automated Information Resources," agencies are required to "authorize processing" based on an assessment of the information security controls put in place to protect an information system from loss of confidentiality, integrity, or availability of the system itself or the information it processes. Circular A-130 was originally published in 1985 to provide agencies with guidance on implementing the provisions of the Paperwork Reduction Act of 1980, and was significantly updated and re-released three additional times (with additional implementation guidance added to address provisions in the Clinger-Cohen Act, updates to the PRA, and numerous other laws and executive orders that impact the management of federal information resources), with the most recent publication (Transmittal Memorandum 4) released in 2000. While the requirement to certify and accredit federal information systems ("accreditation" is essentially the same thing as "authorization") predates FISMA, in recent years the C&A process has been described as a FISMA requirement, largely because the first version of NIST's Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems," was not released in final form until May 2004, two years after FISMA was enacted. Circular A-130 actually references a NIST Federal Information Processing Standard (FIPS 102) that was superseded by SP 800-37 and formally withdrawn in early 2005. In February of this year NIST completed a significant revision to SP 800-37, which is now titled "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach."
Despite this common interpretation of FISMA, the words certification, accreditation, and authorization don't appear anywhere within the text of the FISMA legislation (which itself is Title III of the E-Government Act of 2002).