Microsoft's Cloud meets Defence standards

Microsoft Cloud staff are bursting with pride at the announcement that they’ve met some US Dept. of Defence standards.

The blog posting is headed ‘How the Office 365 U.S. Government Cloud meets the regulatory and compliance needs of the Department of Defense’, which sounds impressive.  Regular readers won’t be surprised to learn that it’s not as great as it might seem.

The compliance does NOT mean Microsoft’s cloud offerings are ‘secure’ for the Pentagon.  You won’t (or shouldn’t) see missile launch codes or troop deployment orders on Microsoft’s servers.

The certification is for “Controlled Unclassified Information (CUI)” – note the word Unclassified.

That’s not to say getting the ‘Security Requirements Guidelines (SRG) L5 and L4 controls’ is easy – it’s not.  The extra requirements are there for some US government contracts, not for standard business cloud customers.

Due Diligence Checklist

Microsoft has also released a ‘Due Diligence Checklist’ for customers to compare cloud services.  Much is made of international standard ISO/IEC 19086.

We hate to bang on about this, but it’s always worth keeping in mind that Microsoft isn’t bound by their promises or standards.  They are only tied to their own terms and conditions of service.  The company has a track record of reading customers’ data for their own self-interest and there’s nothing to stop them doing it in the future.

About this author

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.