Office 365 Security / Compliance
Office 365 is a Microsoft service that provides access to the Office suite of applications and to cloud-hosted productivity services such as SharePoint. IOT has procured a subset of these services, such as Exchange Online for email and SharePoint Online for collaboration.
Office 365 Government offers the features of Office 365 while delivering compliance with Federal requirements for cloud services. Features that are unique to Office 365 US Government:
- Customer content is logically segregated from customer content in commercial Office 365 services. It is also stored within the United States.
- Access to customer content is restricted to screened Microsoft personnel.
- Office 365 US Government complies with certifications and accreditations that are required for US Public Sector customers.
For data in transit, all customer-facing servers negotiate a secure session with client machines using TLS/SSL to protect customer data. This applies to every client protocol on any device, including Outlook and Outlook on the web.
For data at rest, Office 365 deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM conversations, as well as content stored in SharePoint Online and OneDrive for Business.
Mail sent via Office 365 is sent with a requirement to use Transport Layer Security (TLS) and will only connect if the recipient email server's certificate was issued by a trusted certificate authority. Currently, the State of Indiana uses a hybrid deployment in which mail routes through on-premises servers to be filtered for spam and malware. This connection uses opportunistic TLS, which allows the sending system to encrypt the inbound SMTP session to our Exchange environment.
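The connector settings this describes, as an added Exchange Online PowerShell example (not IOT's own configuration): an outbound connector that mandates TLS with certificate validation, an inbound connector from the on-premises filtering servers using opportunistic TLS, and an audit function that flags any connector allowing an unencrypted or unvalidated hop. It assumes the ExchangeOnlineManagement module is loaded and an admin session is open; connector names and the smart host are placeholders.

```powershell
# Added example, not from IOT's documentation. Assumes Connect-ExchangeOnline
# has already been run. Names and the smart host below are placeholders.

# Outbound: require TLS and accept the session only if the remote server's
# certificate chains to a trusted CA (TlsSettings = CertificateValidation).
New-OutboundConnector -Name "Outbound-to-OnPrem-Filter" `
    -ConnectorType OnPremises `
    -SmartHosts "mailgateway.example.gov" `
    -UseMXRecord $false `
    -RecipientDomains * `
    -TlsSettings CertificateValidation

# Inbound from the on-premises filtering servers: opportunistic TLS.
# RequireTls $false means the session is encrypted when the sender offers
# STARTTLS, but falls back to cleartext SMTP when it does not.
New-InboundConnector -Name "Inbound-from-OnPrem-Filter" `
    -ConnectorType OnPremises `
    -SenderDomains * `
    -RequireTls $false

# Audit: list enabled connectors whose TLS settings permit an unvalidated
# (outbound) or unencrypted (inbound) hop, so drift from the documented
# posture is visible at a glance.
function Get-WeakTlsConnectors {
    $outbound = Get-OutboundConnector | Where-Object {
        $_.Enabled -and ($_.TlsSettings -in @($null, 'EncryptionOnly'))
    }
    $inbound = Get-InboundConnector | Where-Object {
        $_.Enabled -and (-not $_.RequireTls)
    }
    [PSCustomObject]@{
        OutboundWithoutCertValidation = @($outbound.Name)
        InboundOpportunisticTlsOnly   = @($inbound.Name)
    }
}

Get-WeakTlsConnectors
```

Changing the inbound connector to `-RequireTls $true` removes the cleartext fallback but will reject mail from any on-premises server that cannot complete STARTTLS, so confirm the filtering servers' certificates first.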
- The State of Indiana has a CJIS Information Agreement with Microsoft.
- CJIS is a division of the FBI which grants access to criminal justice information such as fingerprint records and criminal history to state, local and federal law enforcement agencies. The CJIS Security Policy establishes minimum security requirements when these agencies use cloud services for the transmission or storage of this information. Microsoft has assessed the operational policies and procedures for their government cloud services and will attest to their ability to meet FBI requirements. With Office 365 Government, Microsoft will sign the CJIS Security Addendum in states with CJIS Information Agreements.
- The State of Indiana is HIPAA compliant.
- HIPAA is a US healthcare law which regulates the use, disclosure and safeguarding of individually identifiable health information.
Microsoft Azure, Azure Government, Dynamics CRM Online Government and Office 365 Government hold a provisional authorization to operate under the Federal Risk and Authorization Management Program (FedRAMP), which is mandatory for cloud services used by federal agencies.
Microsoft certifies that the underlying cryptographic modules used in Microsoft products comply with Federal Information Processing Standard (FIPS) Publication 140-2.
Multi-Factor Authentication (MFA) is a security control that requires a user to provide more than one method of authentication to complete the login process. The State of Indiana has implemented a mobile-phone-based two-factor authentication system. Users are required to register for MFA through the Phone Factor Portal. Once registered, when a user logs in to a cloud resource with their network credentials, they are prompted for a secondary verification sent to their mobile device, which confirms their identity and completes the login process.
The complete list can be found here: Office 365 Compliance Certifications
- CS Mark Gold
- 21 CFR Part 11