Not All Clouds Are Created Equal: Check the Facts

With nearly 6 million Microsoft Government Cloud users across more than 7,000 federal, state and local government entities, Microsoft is committed to supporting the needs of government agencies and to building the most trusted, comprehensive cloud for government.

If you’ve already begun investing in cloud services, it may be time for a check-up to make sure your investments not only support your needs today, but will continue to scale into the future. And if you are still moving towards cloud adoption, it’s important to make sure you know what you are getting, because not all clouds are created equal.

Industry-leading compliance

Requirements around compliance are complex and nuanced: from HIPAA to the IRS to the Department of Defense and FedRAMP, cloud service providers should prove they not only understand compliance standards—but can help you meet them. Only government regulators can determine when an agency or organization is in compliance.

Microsoft offers a cloud that is DoD Impact Level 5-ready for infrastructure, platform, and productivity services (Office 365 DoD and Azure DoD), and our Azure Government FedRAMP Provisional ATO’s  include 13 services in the scope boundary—two times more than the nearest cloud competitor . Microsoft has worked with customers to achieve FedRAMP compliance across all 3 clouds: Azure (IaaS, PaaS), O365 (SaaS) and Dynamics 365 (SaaS), the first cloud service to achieve a JAB P-ATO using the new FedRAMP Accelerated Process.

Microsoft’s compliance certifications help government organizations to meet regulations spanning:

• Criminal Justice Information Services (CJIS) Security Policy regarding protection of Criminal Justice Information
• IRS Publication 1075 regarding protection of Federal Tax Information
• International Traffic in Arms Regulations (ITAR)
• Family Educational Rights and Privacy Act (FERPA) regarding protection of student privacy
• Health Insurance Portability and Accountability Act (HIPAA) regarding protection of private health information
• Federal Risk and Authorization Management Program (FedRAMP — including FedRAMP High, FedRAMP, Moderate and FedRAMP Accelerated) – to meet US Government cloud security requirements

To learn more, visit the Microsoft Trust Center.

Criminal Justice Information Services (CJIS)

Critical in the FBI’s Criminal Justice Information Services (CJIS) standards  are employee background checks, detailed security updates and the ability for the State CJIS Systems Agency (CSA) to examine and inspect cloud solution providers to meet their audit requirements.

Microsoft has signed Criminal Justice Information Services (CJIS) agreements  in 24 states, covering more than 60% of the U.S. population. This is four times the number signed by our nearest cloud competitor. Microsoft is committed to the highest standards of policy control. Microsoft government services are operated by U.S. citizens that are being adjudicated and cleared by the states. These background checks include, but aren’t limited to, fingerprint records, criminal histories, and other information that government agencies must review for access to Criminal Justice Information. Microsoft Government Cloud differentiates with this level of employee security clearances spanning this broad geography.

IRS 1075 guidance and ITAR obligations

IRS tax security guidelines and International Traffic in Arms (ITAR) regulations have special data storage, confidentiality, data location, and other substantive requirements that rely on specific security features.

Microsoft provides certain cloud services or service features that can support customers with ITAR obligations.  Azure Government provides support for customers with data subject to the ITAR through additional contractual commitments to Azure Government customers regarding the location of stored data, and limitations on the ability to access such data to U.S. persons.

Internal Revenue Service Publication 1075 (IRS 1075)  provides guidance for US government agencies and their agents that access federal tax information (FTI) to ensure that they use policies, practices, and controls to protect its confidentiality. IRS 1075 prescribes security and privacy controls, and prioritizes the security of datacenter activities, including data location and the proper handling of FTI, and the oversight of datacenter contractors to limit entry.

Microsoft Azure Government and Microsoft Office 365 U.S. Government cloud services provide a contractual commitment that they have the appropriate controls in place, and the security capabilities necessary for Microsoft agency customers to meet the substantive requirements of IRS 1075. Microsoft Government Cloud Services deliver on the criteria necessary for government agencies and their partners to use cloud services, adding assurance that data will remain in US facilities, datacenter personnel have been screened according to strict guidelines, and continuous monitoring ensures effective incident detection and response.

Hardened data centers

Protection, including hardened data centers, are critical to government operations in the event of a natural disaster or act of terrorism. Knowing a cloud service provider’s geo-redundancy, capacity, and continuity capabilities is important to ensure vital government functions are protected.

Microsoft is the only government cloud with six datacenter regions (including two dedicated regions for DoD Impact Level 5). Microsoft offers the broadest geographic availability and diversity, including 500-mile geo-redundancy, with regions in the east, west, south, and midwest. Our bi-coastal, government-only datacenters offer data replication in multiple locations within the country for business continuity. Microsoft Government Cloud Services deliver on the criteria necessary for government agencies and their partners to use cloud services, adding assurance that data will remain in US facilities, datacenter personnel have been screened according to strict guidelines, and continuous monitoring ensures effective incident detection and response.

Formal eligibility screening

When storing sensitive data, it’s imperative to know what other data and workloads are being stored in the same cloud infrastructure. Government cloud service providers should apply rigorous screening policies and procedures to determine eligibility for all incoming requests.

Microsoft is rigorously screens every incoming request and determines individual eligibility to house data in Microsoft’s Government cloud. Microsoft Government cloud services are available to qualified government entities, including US federal, state, local, tribal, and territorial government entities, and other entities who handle data subject to government regulations and requirements.

Document retention and e-discovery

Meeting and enabling legal compliance means cloud service providers should be able to manage and store data in a way that meets government data retention, e-discovery, public records obligations, legal holds, archiving, messaging rules, and more – as part of the core service, not by requiring to the purchase of expensive third-party add-on services.

Microsoft offers built-in capabilities which help you store data on your terms, and offers search and legal discovery, legal hold, archiving rules, and message handling rules or similar services.

Azure Backup helps enable backups of your Azure Government infrastructure as a service (IaaS) VMs. This can help Azure Government customers in state, local, federal, civilian, and defense, plus more than 100 solution partners with dedicated government practices, to leverage the cloud for critical business needs by backing up their assets on the cloud.

Expert security

Cybersecurity threats continue to evolve, and a cloud security provider who understands the threat landscape, has a history of protecting against them, and proven experience responding to them can give you more confidence in the security of your data.

Microsoft builds security into our products and services from the start. That’s how we deliver a comprehensive, agile platform to better protect your endpoints, move faster to detect threats, and respond to security breaches across even the largest of organizations. Microsoft offers industry-leading security, including encryption – at no additional cost, plus robust anti-virus, anti-threat, and other security features.

Hybrid capabilities

In some cases, you will want the capability of integrating on-premise solutions with the cloud. A hybrid cloud  gives you the best of both worlds, so you can take advantage of external resources when it makes sense for your organization.

Microsoft Cloud for Government solutions enable the ability to integrate cloud and on premises application components and services to reduce cost and simplify administration. The Microsoft hybrid cloud with Azure  combines Microsoft Azure, Windows Server, and Microsoft System Center, giving you Microsoft’s enterprise-grade technology in both your own datacenter and our datacenters. A hybrid cloud with Office 365  helps you meet changing business needs with greater flexibility; the latest versions of SharePoint, Exchange, Skype for Business, and Azure Active Directory Premium are all built for the hybrid cloud.

Open source

Integrating with open source is a need for many organizations who are migrating to the cloud.

Microsoft has announced the expansion of the Microsoft and Red Hat partnership  that will now enable government organizations additional options to migrate their Red Hat subscriptions to Microsoft Azure Government. This extends Microsoft Azure’s certification as a Red Hat Certified Cloud and Service Provider (CCSP) to now serve our U.S. Government customers via Microsoft Azure Government.

Contact Microsoft to learn more about the Microsoft Cloud for Government or to request a trial.