FISMA was passed in 2002 and created a process for federal agencies to certify and accredit the security of information management systems. FISMA certification and accreditation indicates that a federal agency has approved a particular solution for its use in line with the level of security established by that agency.

The certification and accreditation has resulted in an official “Authorization to Operate” (ATO) issued on April 19 by the U.S. Department of Agriculture (USDA) for Microsoft’s Business Productivity Online Services-Federal, which includes Exchange Online, SharePoint Online, and Office Communications Online. It follows a similar authorization issued by the USDA in November for the Microsoft data centers that will deliver these services to the USDA.

For Office 365 Security and Compliance certifications refer to following links:

Security, Audits, and Certifications

Standard Response to Request for Information – Security and Privacy

This White Paper describes how Office 365 fulfills the security, compliance and risk management requirements as defined by the Cloud Security Alliance, Cloud Control Matrix. 

Certifications general Description

· EU Safe Harbor

The European Union, through the EU Data Protection Directive, has stricter privacy rules than the U.S. and most other countries. To enforce these rules, the EU prohibits personal data from crossing borders into other countries except in circumstances where the transfer has been legitimated by a recognized mechanism, such as Safe Harbor certification.

To allow for the continual flow of information required by international business, the European Commission reached agreement with the U.S. Department of Commerce, whereby U.S. organizations can self-certify as complying with the “Safe Harbor” principles that track loosely to the requirements of the Directive.

· ISO27001

The Microsoft Online Services Information Security Policy aligns with International Organization for Standards ISO 27002 augmented with requirements specific to online services. An organization may obtain an ISO 27001 certification on its Information Security Management Systems (ISMS), which is typically based on the ISO 27002 Information Security Standards. ISO has been the foundation of the BPOS Services and its supporting infrastructure since 2009 and has been certified by the British Standards Institute (BSI).


The Family Educational Rights and Privacy Act provides privacy assurances for students of educational institutions that receive federal funding.


GLBA stands for Gramm Leach Bliley Act, and sets minimum security and privacy requirements for financial institutions in the United States. There is no such thing as a software or service that is “GLBA compliant”, because GLBA compliance also requires procedures and policies. Some software companies – particularly small ones – will state they are themselves “GLBA compliant”, but what they presumably mean is they are able to be used by a company that is subject to GLBA regulation. There are two principal regulations under the GLB Act that affect Microsoft cloud services: the Financial Privacy Rule - which governs the collection and disclosure of customers’ personal financial information by financial institutions and the Safeguards Rule - which requires all financial institutions to design, implement and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions.

Under GLB, financial institutions must:

  1. Exercise appropriate due diligence in selecting service providers.
  2. Prohibit service providers that receive nonpublic personal information from using that information for any other purpose than it was originally provided.
  3. Require service providers by contract to implement appropriate security measures “to meet the objectives of” the safeguards rule.
  4. Monitor service providers’ compliance with these contractual terms.


Microsoft Online Services’ ordering, billing, and payment systems that handle credit card data are Level One PCI Compliant, and customers can use credit cards to pay for the services with confidence. TrustWave performs third-party PCI-DSS audits and determined the Microsoft Online Commerce Platform (OCP) has satisfactorily met the Payment Card Industry Data Security Standard (PCI-DSS) version 1.2.



The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:

1. Plan for security

2. Ensure that appropriate officials are assigned security responsibility

3. Periodically review the security controls in their information systems

4. Authorize system processing prior to operations and, periodically thereafter

· SAS70

Statement on Auditing Standards (SAS) No. 70 is an audit standard set by the American Institute of Certified Public Accountants (AICPA) and is geared towards service organizations. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, hosted data centers, application service providers (ASPs) and managed security providers. The SAS 70 audit is an independent verification of compliance with security controls and effectiveness of security controls.

At the conclusion of a SAS No. 70 service auditor's examination ("SAS 70 audit"), the service auditor renders an opinion on the following:

  1. Whether or not the service organization's description of controls is presented fairly.
  2. Whether or not the service organization's controls are designed effectively.

  3. Whether or not the service organization's controls are placed in operation as of a specified date.

  4. Whether or not the service organization's controls are operating effectively over a specified period of time. (Type 2 only)


HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information. To comply with HIPAA, in certain cases Microsoft must sign a business associate agreement (“BAA”) with HIPAA covered entities which assures adherence to certain privacy and security requirements.

Certifications for BPOS-S

· EU Safe Harbor

· ISO27001

· SAS70 Type I



· PCI*

Comments (0)

Skip to main content