In a recent press release I read that Amazon Web Services got approval from the GSA to provide cloud services in compliance with the Federal Information Security Management Act (FISMA). Amazon joins Google and Microsoft among cloud services that can say they’re certified under FISMA.
It’s a big deal because federal agencies are moving to the cloud in increasing numbers. To me, however, there’s a more interesting point to be made and I only found one source that noticed – an article by Kevin McCaney, Managing Editor of an online publication called the Government Computer News. McCaney wrote:
“FISMA doesn’t require certification of products or services, and doesn’t apply to vendors. It sets security requirements for federal IT systems.”
Most would say that businesses today are already subject to too much regulation. So why are Amazon, Google and Microsoft racing to get certified under a standard that doesn’t even apply to them?
The answer is that it’s just good marketing. Vendors are competing for lucrative contracts from the federal government, so if certification under FISMA helps position them for future business, they’re going to do it. Compliance and certification aren’t always requirements. They can also be valuable differentiators and competitive advantages.
It’s not much different from me getting certified in skills that are relevant to my job. When I originally took the time and money to earn my CISM, it wasn’t a requirement. I got certified anyway because it gave me credibility with other security professionals. Going forward, it also helps me compete in the job market.
If you’re looking for a new job, and everyone is at some point, take a page out of Amazon’s book and get certified in an area relevant to your field. Talk to your manager about carving out the time and getting tuition reimbursement. Any decent manager will do this because it’s good marketing (for you and the manager)!