What Microsoft partners and customers should know about Azure Government

Azure Government has seen major developments over the last few years as Microsoft has expanded its capabilities for US federal agencies—and the contractors that work with them.

Azure Government stands apart from Azure Commercial, the publicly available Azure services used by most organizations, in a number of ways. As we will explore in this article, the differences are driven by the specialized requirements around hosting, security, privacy, and administrative practices that cloud vendors like Microsoft must satisfy to win the business of government agencies.

STIGs, or Security Technical Implementation Guides, are put out by DISA to ensure agencies meet minimum requirements for securing VMs and workloads, down to individual apps like Adobe Acrobat, Word, or Chrome. STIGs have a big influence in the public sector because they dictate what must be done to a server or service to secure it to approved DoD standards. Everything must be aligned with STIGs to comply with Department of Defense (DoD) standards and to be eligible for an ATO, or Authority to Operate. ATOs are needed for an application to ‘go live’ and be accessible to an agency or department like the DoD.

In order to get an ATO, software must meet the appropriate STIGs and must be shown to be functional. This evaluation is usually performed by Information Assurance, or IA, as we like to call them. Cyber monitoring or continuous monitoring is also part of the ATO process. By way of certain tools, cyber engineers can provide overwatch and detect or prevent cyber-attacks and warn of potential security issues.

Although open to state and local agencies, by far the biggest users of Azure Government are large federal departments like Department of Energy, Department of Justice, or Department of Homeland Security. In addition to the first steps I already mentioned, contractor-partners need to think constantly about compliance. Everyone who has a need to gain privileged access has to be DoD Directive 8140 compliant. Signed in August 2015, it superseded DoD 8570. Essentially, this DoD Directive puts you in a category with two separate main tracks, technical and management. Most DoD projects require some kind of Secret clearance to do the work. There are some Top Secret positions as well. Clearance limits jobs you can take. For instance, even if you met all the legal and technical requirements and had Security Plus, you wouldn't necessarily be able to take a job at the FBI if you did not have the required clearance levels.