Microsoft Azure has announced, in a blog by Tom Keane, Partner Director, Program Management, Microsoft Azure, that Azure has reached another compliance milestone. In April Microsoft announced four industry certifications for Microsoft Azure – CDSA, FISC, DISA Level 2 and MTCS Level 3. They have now added four government accreditations – P-ATO, PA, HIPAA BAA and IRS 1075.
Azure Private Sector Accreditations
Keane reminded his readers that Microsoft had attained four private sector compliance certifications back in April 2013, which were:
CDSA: Azure passed the CDSA (Content Delivery and Security Association) audit, enabling secure workflow for content development and distribution. Azure met the Content Protection and Security (CPS) standard for compliance with antipiracy procedures governing digital media.
FISC: Azure was assessed by FISC for compliance to the guidelines published by The Center for Financial Industry Information Systems (FISC) in Japan. The guidelines cover such areas as banking computer systems security, information system audits, contingency planning, and security policy development.
DISA Level 2 for the US defense sector: Azure has been granted a DISA Provisional Authorization for Cloud Security Model Level 2 under a reciprocal agreement with the FedRAMP JAB. This certification attests to Azure’s compliance with required standards as dictated by DoD Instruction 8500.01 and 8510.01, the Security Requirements Guide, CNSSI 1253, and NIST 800-37 / 53.
MTCS Level 3: Azure (public) has achieved Level 3 certification with the Multi-Tier Cloud Security Standard for Singapore (MTCS SS), an ISO 27001-based standard covering areas such as data retention and sovereignty, developed under the Singapore Information Technology Standards Committee (ITSC). Level 3 is designed for regulated organizations with the most stringent security requirements around HBI data.
New Government accreditations for Azure
In addition to the private industry certifications, there are four new accreditations that should help Azure expand its share of public sector markets. Customers are assured that these certifications apply immediately and that, for the US, not only is data sovereignty assured but all Microsoft personnel have been screened for security clearance, though Microsoft does not confirm exactly what level of security clearance or screening process is undertaken.
The four accreditations should help secure US government customers, and include a higher-level DoD (Department of Defense) clearance and healthcare.
FedRAMP Moderate P-ATO: Azure Government—including identity services (Azure Active Directory and Multi-Factor Authentication)—is now certified for US government customers. Receiving the P-ATO for Azure Government provides independent attestation that the cloud platform meets the rigorous standards and security requirements laid out in NIST 800-53.
DISA Level 2 PA: As part of the FedRAMP authorization, Azure Government has been granted a PA for DISA Level 2 by the FedRAMP Joint Authorization Board (JAB). Department of Defense customers can place non-sensitive information and defense applications into Azure Government that require DISA Level 2.
HIPAA BAA: Microsoft now contractually commits to meeting HIPAA requirements in Azure Government by providing a BAA addendum to enterprise agreements. US Government customers and partners can have confidence that PHI will be protected with best-in-class security and privacy capabilities and processes.
IRS Publication 1075: Azure Government provides the features, processes, and transparency that enable customers to achieve compliance with IRS 1075. Customers can review Azure Government’s IRS 1075 Safeguard Security Report, as well as a controls matrix that defines distributed accountabilities for certifying their solutions on Azure Government.
Microsoft now believes that it holds the highest number of government accreditations across the cloud industry, although this does not mean it holds the highest within specific sectors of government. Oracle, AWS and Google Cloud will no doubt be aiming to catch up with these accreditations as quickly as possible.
It will be interesting to see how quickly this has an impact. Government tendering can take some time, and it is not always about the number of accreditations but also about such things as the relationship. As contracts are awarded over the next few years, cloud computing expenditure will increase and this announcement will do little harm. For a full list of accreditations one can visit the Azure Trust Center.