Last month, the Defense Department gave Microsoft’s Azure Government cloud platform its highest certification in terms of security for unclassified data.
In a company blog post, Tom Keane, general manager for Microsoft Azure, noted that Azure Government is “the first commercial cloud service to be awarded an Information Impact Level 5 DoD Provisional Authorization by the Defense Information Systems Agency (DISA).”
Such an authorization allows all DOD customers to use Azure Government for the most sensitive controlled unclassified information (CUI), including CUI of National Security Systems. FCW reports that Microsoft already held FedRAMP High, FedRAMP Moderate and FedRAMP Accelerated approvals under the General Services Administration's Federal Risk and Authorization Management Program.
“This achievement is the result of the collective efforts of Microsoft, DISA and its mission partners to work through requirements pertaining to the adoption of cloud computing for infrastructure, platform and productivity across the DOD enterprise,” Keane noted.
Achieving a High Level of Cloud Security
According to a March 2016 DISA guide on cloud computing security guidelines, “CUI is information the federal government creates or possesses that a law, regulation, or governmentwide policy requires, or specifically permits, an agency to handle by means of safeguarding or dissemination controls.”
CUI can encompass numerous kinds of information, including unclassified information concerning items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect U.S. national security and nonproliferation objectives.
This includes dual-use items; items identified in Export Administration Regulations, International Traffic in Arms Regulations and the munitions list; license applications; and sensitive nuclear technology information.
CUI can also include Personally Identifiable Information, Protected Health Information; and other data requiring explicit CUI designation (i.e., For Official Use Only, Official Use Only, Law Enforcement Sensitive, Critical Infrastructure Information, and Sensitive Security Information).
Level 4 authorization accommodates CUI or other mission critical data, according to DISA. Level 5 accommodates CUI that requires a higher level of protection than that afforded by Level 4 as deemed necessary by the information owner, public law or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS specific requirements in the FedRAMP +Control and Control Enhancements.
Implications of the Cloud Security Authorization
Microsoft has had to set up separate cloud infrastructure to achieve the certification. Keane noted that Information Impact Level 5 “requires processing in dedicated infrastructure that ensures physical separation of DOD customers from non-DoD customers.”
Keane added that DOD authorizing officials can use the Azure Government authorization “as a baseline for input into their authorization decisions on behalf of mission owner systems using the Azure Government cloud DOD Region.”
According to FCW, “the company said it has built multiple data centers to provide DOD with exclusive services for Azure and Office 365 U.S. Government Defense services.”
Over the past few months, Microsoft ran a preview program with more than 50 customers across the Pentagon, including all branches of the military, unified combatant commands and defense agencies.
“We are thrilled to announce the general availability of the DOD Region to all validated DoD customers,” Keane said. “Key services covering compute, storage, networking and database are available today with full service level agreements and dedicated Azure Government support.”
Katell Thielemann, research director for the public sector and U.S. federal government at Gartner, told MeriTalk that the approval is significant for both industry and the government “in that it sends a strong signal that companies like Microsoft are taking both security and Federal-specific requirements very seriously.”
“The FedRAMP and DISA review processes are stringent, lengthy, and costly. Federal agencies, and the DoD specifically, are looking for ways to leverage all the benefits of the cloud, but their mission environments demand high levels of data protection and security,” Thielemann said.
For more information on securing Azure cloud deployments, check out this CDW white paper.