Microsoft cloud gets Pentagon's top security rating
Microsoft's Azure and Office 365 cloud offerings have earned a provisional authority to operate certification at Level 5, the highest security level for unclassified information.
The Pentagon has given the highest security rating for unclassified data to Microsoft's federal cloud offerings, Azure Government and a Defense Department-specific iteration of Office 365. The Microsoft services were granted Level 5 provisional authority to operate certification.
According to Microsoft, the rating makes it the first and only cloud provider that can offer a complete DOD cloud solution that is approved at that security level for controlled unclassified information (CUI).
In a blog post, Tom Keane, general manager for Microsoft Azure, explained that the Microsoft offerings achieved the security level because of "dedicated infrastructure that ensures physical separation of DOD customers from non-DOD customers."
The company said it has built multiple data centers to provide DOD with exclusive services for Azure and Office 365 U.S. Government Defense services.
Microsoft already has FedRAMP High, FedRAMP Moderate and FedRAMP Accelerated approvals under the General Services Administration's Federal Risk and Authorization Management Program.
The addition of DOD Level 5, the company said in a statement, that it will give its customers the capability to build applications that maintain CUI data requiring over Level 4 protection when necessary. Microsoft said its government-only infrastructure offers more protection because its data centers are hardened, geographically dispersed and operated by screened personnel.
Categories of information in Level 4 include, but are not limited to, export-controlled information such as technical specifications, law enforcement sensitive information, protected health information and some personally identifiable information. Level 5, according to DOD, "accommodates CUI that requires a higher level of protection" and also includes unclassified National Security Systems.
In a cloud security guide issued by the Defense Information Systems Agency in March 2016, officials said they were taking a "cautious approach with regard to Level 5 information," because of risks associated with shared cloud environments and legal concerns.