Microsoft Cloud staff have their chests bursting with pride with the announcement that they’ve met some US Dept. of Defence standards.
The blog posting is headed How the Office 365 U.S. Government Cloud meets the regulatory and compliance needs of the Department of Defense which sounds impressive. Regular Office-Watch.com readers won’t be surprised to learn that it’s not as great as it might seem.
The compliance does NOT mean Microsoft’s cloud offerings are ‘secure’ for the Pentagon. You won’t (or shouldn’t) see missile launch codes or troop deployment orders on Microsoft’s servers.
The certification is for “Controlled Unclassified Information (CUI).” – note the word Unclassified.
That’s not to say getting the ‘Security Requirements Guidelines (SRG) L5 and L4 controls’ is easy – it’s not. The extra requirements are there for some US government contracts and not standard business cloud customers.
Due Diligence Checklist
Microsoft has also released a ‘Due Diligence Checklist’ for customers to compare cloud services. Much is made of the international standard ISO/IEC 19086.
We hate to bang on about this, but it’s always worth keeping in mind that Microsoft isn’t bound by these promises or standards. They are only tied to their own terms and conditions of service. The company has a track record of reading customers’ data for its own self-interest, and there’s nothing to stop it doing so in the future.