Microsoft Azure Cloud Meets CJIS Compliance in California

Microsoft's cloud platform meets FBI security requirements to open doors for deployment in counties, cities and agencies statewide.

March 12, 2015
Stuart McKee, Microsoft's Chief Technology Officer Jessica Mulholland

Microsoft gained a major endorsement Wednesday from the California Department of Justice when the department ruled the company's cloud platform, Azure, compliant with criminal justice security standards.

The DOJ approval, tied to the FBI’s Criminal Justice Information Services (CJIS), effectively clears the path for California’s state, county and city jurisdictions to procure Azure for their data storage and government apps. Cities and counties have traditionally procured such cloud technologies across departments, with criminal justice agencies serving as a major roadblock to wide procurements due to their stringent security requirements. Critical in CJIS standards are employee background checks, detailed quarterly security updates and physical access to a provider’s private cloud infrastructure.

Microsoft is meeting these standards for a second time since its Office 365 Suite passed CJIS review in October 2013.

“That’s really at the core of the agreement: California has a contractual commitment from Microsoft to meet or exceed the CJIS standards,” Stuart McKee, Microsoft’s chief technology officer of state and local government, told TechWire, sister publication to Government Technology.

Many of Microsoft’s cloud competitors, such as Google, comply with many security requisites but are still not CJIS compliant because they do not permit physical access to their facilities. They do, however, comply with the Federal Information Security Management Act (FISMA).

The website of the National Institute of Standards and Technology, the federal organization responsible for FISMA, lists Google’s moderate FISMA rating as high enough to protect sensitive information, but not information where a security breach may result in “major damage to organizational assets, major financial loss, or severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.”

Amazon Web Services is Microsoft’s other significant rival in the space, and according to its site, serves its clients by complying with some of the CJIS requirements.

McKee said Microsoft hopes the agreement inspires confidence among public-sector customers to deploy a range of cloud technologies, such as storage for on-body police video camera footage and archiving of criminal records. Likewise, the hope is that Microsoft’s added commitment inspires current internal California providers that support state-operated cloud facilities to embrace the common CJIS standards.

CalCloud, California’s private cloud infrastructure, is serviced by IBM, and McKee argues an equal regulatory environment should require both internal government providers like IBM and external providers like Microsoft to be judged under the same conditions.

“Just holding your data internally doesn’t inherently make it more secure,” McKee said. “That’s unfortunately a misnomer. Candidly, there are some challenges we do have with the CalCloud arrangement because it does, in many ways, restrict competition.”