Comment Re:Google's lawsuit is dumb (Score 1) 213

GSA, the lead government agency for acquisition, certified and accredited Google according to FISMA.

The question is really whether or not GSA can do that (certify and accredit for the entire US govt), and whether or not any agency can arbitrarily add their own unique security requirements (DOI excluding).

Comment Re:Double-standards (Score 5, Interesting) 213

The truth of the matter is more simple.

Google went through the agonizing process of FISMA that is very stringent compared to jokes like a SAS 70 type 2. Microsoft did nothing. DOI does not have a FISMA certified private or govt cloud.

DOI determined they would add in their own unique security requirements for a yet-unbuilt cloud solution that had never been certified for FISMA. Basically a joke of a to-be solution.

Google cried foul, claiming they had already passed the FISMA qualification, something no other cloud vendor had done at the same time period. Google claimed a certified solution like their cloud could not be compared against a non-existent pipedream cloud.

Comment Fine print & commentary (Score 2) 213

GSA certified and accredited Google Apps (FISMA certification)
GSA is the lead agency for acquisition for the US Govt
GSA met several of the NIST standards at the moderate level
DOI claims that the GSA certification doesn't meet their specific standards and they have to have a govt only cloud in the continental US.
DOI security has been the laughingstock of the US govt for as long as I can remember*

DOI disconnected from the internet by a federal judge for complete failure in IT security

Comment Re:Idiotic Moderators. (Score 3, Informative) 262

PowerShell is, by far, one of the best things Microsoft has created on the scripting side. Why? They basically took a shell and enhanced it by making it object aware, and giving it access to .NET. In Microsoft lingo, cmdlets replace unix utilities.

I am not a fan of the naming conventions they use in PowerShell! It makes it harder to write terse scripts.

Please see

http://w3.linux-magazine.com/issue/78/Bash_vs._Vista_PowerShell.pdf for a comparison of PowerShell vs. Bash.

http://blog.brandonbloom.name/2009/04/powershell-condemned-to-reinvent.html
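The object-aware pipeline and direct .NET access the comment above describes, as an added example that is not part of the original post: listening TCP sockets are joined to their owning process without any text parsing of netstat output (the function name Get-ListeningSocketOwner is an assumed, made-up name; Get-NetTCPConnection and Get-Process are standard cmdlets on current Windows).

```powershell
# Added example, not from the comment above. Shows why "object aware" matters:
# each cmdlet emits typed objects, so fields are properties, not columns to cut.
function Get-ListeningSocketOwner {
    # Index running processes by PID once, so the join below is a hash lookup.
    # OwningProcess is a UInt32 while Process.Id is an Int32; hashtable keys
    # compare by type, so both are cast to [int] to make the lookup match.
    $procByPid = @{}
    Get-Process | ForEach-Object { $procByPid[[int]$_.Id] = $_ }

    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            # Direct .NET access: IPAddress does the loopback test, no regex needed.
            $addr = [System.Net.IPAddress]::Parse($_.LocalAddress)
            $owner = $procByPid[[int]$_.OwningProcess]

            [PSCustomObject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                IsLoopback    = [System.Net.IPAddress]::IsLoopback($addr)
                OwningPid     = $_.OwningProcess
                ProcessName   = if ($owner) { $owner.ProcessName } else { '<unknown>' }
                ProcessPath   = if ($owner) { $owner.Path } else { $null }
            }
        } |
        Sort-Object LocalPort
}

# Usage: every non-loopback listener, with the binary behind it. Because the
# output is objects, the same data can go to Export-Csv instead of Format-Table.
Get-ListeningSocketOwner |
    Where-Object { -not $_.IsLoopback } |
    Format-Table LocalAddress, LocalPort, OwningPid, ProcessName, ProcessPath -AutoSize
```

Get-NetTCPConnection requires the NetTCPIP module (Windows 8 / Server 2012 and later); Process.Path is empty for processes the current user cannot open.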

Comment What most of this "IT security work" really is... (Score 4, Insightful) 72

Most of the work involves commodity certification & accreditation (C&A) that involves the following:

Phase 1
A "system owner" (govt IT manager) has staff prepare documentation of the security controls implemented on a "system" (logical grouping of computers). The security controls are in NIST 800-53; this is FISMA in action.
C&A process http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
NIST Controls http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
NIST Audit process http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-A%20Rev.%201

Phase 2
A certification agent comes in, assesses the system using tools and configuration analysis. This is heavily slanted towards audit, instead of true security analysis.

Phase 3
A senior executive (Authorizing official) makes a decision about the risk acceptability of the system to operate, and may make the system owner do corrective action. The system then moves into continuous monitoring (phase 4).

That is how certification and accreditation operates in theory. Now I am going to tell you how the system is gamed.

Phase 1 implies you actually have competent IT security professionals on hand, performing work for the system owner. This is a false assumption. Most system owners don't know security, nor do their staff.

Phase 2 - First of all, the certification agent companies don't understand security. They can talk the talk (CISSP) but have no solid IT / IT security expertise (not security testers). Many certification agents will not even test systems. They play a game of bringing in cheap staff or running vulnerability scanners then passing them off as "penetration tests". The amount of utter garbage in the field is amazing. Even more so, the reports they write up are audit garbage. If you asked most certification agents about a security methodology, they haven't heard of the OSSTMM or similar. They use NIST 800-53A (heavily audit driven), then they write up meaningless reports, equating technical weaknesses as just as relevant as a gap in a policy.

Phase 3 - The vast majority of government executives are clueless when it comes to IT. They know a little bit, like the name of an operating system (Linux - buzzword - yay!) but not much else. So, they are easily led astray. Most will allow a system to operate regardless of how bad it is, based on a horrible security review performed by incompetent certification agents, on a package made by the almost as clueless system owner and his staff.

After a system gets an authorization to operate, many staffs stop doing all security for 3 years, until the next C&A comes around.

It is not uncommon for a federal cabinet level agency to have 300+ systems, with 300+ system owners, with 300+ completely separate, unique and underfunded security implementations that have more holes than Swiss cheese.

If you notice, what is missing from above is actually rigorous security analysis. Code is rarely audited. Configurations are rarely checked 100%. Policy is viewed as important as technical controls. Most testing is a wash. Penetration tests are vulnerability scans by nitwits.

And you wonder why the Chinese are plundering the US govt on a daily basis?

Comment you lie! (Score 1) 2044

Your description of the CEO of United Healthcare receiving a 1 billion dollar bonus is false.

He received options from a time period when the stock was much less valuable. Over several years the company's value rose dramatically, and he exercised the options.

I like how you followed your falsehood immediately with a string of discombobulated emotional arguments, socialistic ranting and wealth redistribution ideas.
