In Microsoft's quest to be the government’s preferred cloud application provider, the company offered a potentially powerful security incentive to swing officials its way.
On Oct. 14, Microsoft signed an agreement with the California Department of Justice indicating that the company would comply with the FBI’s Criminal Justice Information Services (CJIS) standards for handling criminal justice information on its cloud platform.
The agreement's new compliance requirements call for physical access to Microsoft’s cloud facilities, detailed quarterly security updates and background checks for Microsoft personnel. The tech giant hopes that satisfying these requirements as well as additional measures laid out in CJIS standards will tip the scales in its favor for local governments contemplating cloud services.
The agreement could pave the way for California municipalities to transition employees to Microsoft’s Office 365 Government Community Cloud, a platform offering a range of apps including email, word processing and data storage. Among the localities that have transitioned — or intend to transition — to Microsoft 365 are San Jose, San Diego, Santa Clara, Long Beach, Oakland and San Mateo County.
Microsoft’s Chief Technology Officer Stuart McKee, who signed the FBI CJIS security addendum, said the move was representative of Microsoft’s ongoing willingness to engage and participate in government partnerships.
"As it relates to CJIS, we will contractually commit and sign the FBI CJIS security addendum, which in effect, is us committing to the exact same requirements that law enforcement and public safety must meet,” McKee said
Ahsan Baig, the interim CIO of Oakland, Calif., said security compliance was a critical factor when the city chose Microsoft over Google’s cloud-based apps for government.
“We looked into the Google solution also, but where we found an issue was in the DOJ compliance and we started working with Microsoft,” Baig said.
Oakland looked at Los Angeles’ attempt to migrate both city and law enforcement email to Google in 2009. While 17,000 city employees made the switch, security concerns kept 13,000 employees in public safety and related fields out of Google's cloud. Baig said the experience in L.A. made Oakland officials hesitant to consider a similar Google transition.
As Oakland weighed its options between the two services, Baig said Microsoft demonstrated compliance with various aspects of CJIS standards.
"That really helped us a lot," Baig said.
The other major factor in Oakland's decision was a matter of logistics. Baig said that most of Oakland’s employees already are familiar with Microsoft programs like Office and Exchange.
"It would be a very expensive undertaking if I were going to tell all of my end users 'OK, now all of you have to learn Google Docs, their spreadsheets, or other applications,’" he said.
Another smaller but still important consideration for choosing Microsoft, Baig said, was the fact that many departments within the city were already purchasing Microsoft software licenses individually. Buying through an enterprise offering, where a license is purchased in bulk, greatly reduces the pricing while also streamlining services through one provider.
According to Baig, Oakland will soon begin transitioning to Microsoft 365. He expects a fairly quick process spanning six to nine months, starting with non-public safety employees. Once the first installment is complete, law enforcement and public safety employees will move to the cloud platform.
While potentially trend-setting, California’s DOJ agreement with Microsoft isn't the only way to achieve compliance in cloud security — just ask Google.
Google Communications and Public Affairs Manager Shannon Newberry declined to comment on whether Google is willing to join Microsoft in meeting CJIS standards. Yet, she did refer to Google’s compliance with FISMA, the Federal Information Security Management Act established in 2002. Out of FISMA’s three compliance levels — low, moderate, and high (which refer to the potential impacts should a security breach occur) — Google was classified as “moderate.”
According to the website of the National Institute of Standards and Technology, the federal organization responsible for FISMA, Google’s moderate rating is high enough to protect sensitive information but not information where a security breach may result in "major damage to organizational assets, major financial loss, or severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries."
Notwithstanding the differing security certifications, Google is gaining ground in various states, including Wyoming and Colorado, which use the company's cloud products to varying degrees. Many municipalities also have chosen Google Apps for use in law enforcement and public safety. Specific examples, according to Google, include the Fire Department of Snohomish County, Wash., and the Police Department of Lake Havasu, Ariz.
According to an October article on ZDNet, the U.S. Department of Defense (DoD) awarded both Google and Microsoft the right to provide cloud-based apps to 50,000 DoD users, should those users and organizations wish to use the apps.
Ultimately, every agency considering a cloud deployment, including public safety agencies, must make a judgment call based on its specific needs and the risks it is willing to take to reap the benefits of the cloud.
As for Microsoft, its officials expect that its adherence to CJIS will make the decision to transition to the cloud easier for law enforcement officials in California.
Jason Shueh is a former staff writer for Government Technology magazine.