Cloud services provider and major Drupal partner Acquia has won U.S. government certification for providing secure Web services, the company's latest step in its march toward giving customers a measured level of protection and control.

Acquia won SSAE 16 (SOC1) certification in June, and the latest move not only provides the company access to the lucrative world of increased government contracts, but also signals it is serious about standards. 

What is FISMA?

Acquia is now approved under the Federal Information Security Management Act of 2002 to provide secure Web services in the cloud, a key process for highly sensitive customers like the government. 

Specifically, Acquia is a FISMA Authorization to Operate (ATO) approved vendor, and that means federal agencies can more easily redesign their Drupal Websites while maintaining stringent security standards and cost efficiencies.


The White House uses Drupal for its Website, as does NASA and the FCC. 

Acquia says it is the first provider to offer an enterprise class Drupal hosting service that is FISMA moderate certified. Acquia Cloud uses Amazon EC2, and that system had already won FISMA Moderate ATO certification

“This effort demonstrates Acquia’s commitment to exceeding our Federal customers high expectations for security and availability in the cloud," Mike Lemire, Acquia’s director of information security said.

The Importance of Standards

Cloud provider Huddle also recently won FISMA approval, but the company had already been popular among European governments. IBM's SmartCloud for Government is FISMA approved, as is Google's Apps for Government.

FISMA provides a framework for government IT purchasing and security protocols, but it also gives potential customers a chance to see how rigorous a company's products are. It might be painful for companies like Huddle and Acquia to go through the certification process, but once they are through it, potential new customers have a new window into those companies' internal processes. 

However, FISMA and SSAE 16 are narrow standards with somewhat limited applicability. IT buyers of all stripes really need more broad based standards to avoid combing through the virtually endless world of Web based apps now available.