In 2009 Los Angeles was the first large city to attempt a total migration of its work force from a traditional on-premises email system to a cloud service. The city awarded a contract to Google Apps for 30,000 users, hoping to save millions by retiring an aging on-premises email system (Novell GroupWise).
But the project quickly ran off the rails when the Los Angeles Police Department -- which accounted for about half the total seats -- informed the city CTO that Google Apps could not meet the FBI's strict security and privacy requirements for connecting to the bureau's national criminal history database, known as CJIS (Criminal Justice Information System).
The key sticking point for the LAPD was the FBI's rule that employees of outside service providers who may have access to police emails must themselves pass criminal history background checks, including fingerprinting. As it turns out, Google -- like many other large IT service providers -- had hundreds of lower-cost support staff in overseas locations, and apparently couldn't or didn't want to subject them to the FBI's background checks.
After months of finger-pointing, in which Google and the city's CTO, who had championed the contract, attempted to pin the blame on the FBI, Google finally told the city it would not comply with CJIS. Los Angeles was forced to pull the plug on the LAPD portion of its Gmail deployment, but successfully demanded that Google pay the cost of maintaining the older GroupWise email servers at the LAPD for the duration of the Google Apps contract with the rest of the city.
Google's contract with Los Angeles expires in November 2014, and the city has just published a new RFP for a replacement solution. The city has indicated that it would prefer, if possible, a single cloud solution for its entire workforce, including the LAPD, for reasons of cost efficiency. Otherwise, it will be compelled to split the solution as in the previous contract, keeping the LAPD on an on-premises system while the rest of the city stays on the cloud. The city's ideal solution would thus be a CJIS-compliant cloud service that can be rolled out to everyone. Vendor proposals are due shortly and a decision is expected by the end of this year.
The point of the FBI's background check is to protect information in CJIS records from leaks by malicious or careless insiders. In these times of mega-leakers like Bradley Manning (WikiLeaks) and Edward Snowden (PRISM), this seems like an eminently sensible precaution. But in 2009, providers of enterprise cloud email like Google and Microsoft weren't familiar with the CJIS requirements and weren't sure how to evolve their business practices to meet them. At the same time, the FBI, which had carefully crafted the CJIS rules over a number of years in close cooperation with state and local police forces, had not yet had to deal with large cloud deployments in these agencies.
Today there has been considerable progress on both issues. On the one hand, the FBI has updated its CJIS policy to make it more cloud-friendly. Interestingly, the bureau has also added language that prohibits cloud providers from "scanning any email or data files for the purpose of building analytics, data mining, or advertising," an apparent reference to the fact that some cloud providers base their enterprise offerings on consumer services originally designed as vehicles for targeted online ads. Although Google Apps turns ad serving off by default for government and education customers, it nevertheless states in its terms of service that customers can retain the option of turning ads back on (since Google specifies that in this case it will not share the resulting ad revenue, it is not clear why it thinks public sector customers would want this option).
On the vendor side, two approaches to CJIS compliance have emerged. First, a number of innovative startups such as CipherCloud and PerspecSys have developed devices that encrypt internal organizational email before it is sent to the cloud, thus making it impossible for cloud provider staff to access the content of the messages. The FBI has acknowledged that encryption is an acceptable method of achieving CJIS compliance. However, while technically ingenious, encryption may limit the functionality of cloud applications and will certainly bring additional costs as well as implementation complexity for the customer.
A second and more direct approach is for the cloud provider to agree to subject its data center staff to the FBI's criminal background check requirements in a process known as adjudication.
The adjudication approach is more costly for the cloud provider but is easier and more transparent for law enforcement agency customers. It is an approach that has thus far been enthusiastically embraced by Microsoft, but not yet by Google. Microsoft has recently signed CJIS compliance and adjudication agreements with the states of Texas and California, thus enabling law enforcement agencies in these states to adopt Office 365. Google has not publicly announced similar plans and, according to Los Angeles' new CTO, has even taken the curious stance of recommending that the city adopt Microsoft's Exchange on-premises email system for LAPD while retaining the Google Apps cloud solution for the rest of the city.
However, one may suspect that Google will eventually be compelled to follow Microsoft's initiative on CJIS compliance if it wishes to remain a player in the state and local government market. The ultimate goal for public sector CTOs will inevitably be to roll all of their email systems into a unified cloud solution, thus offering a coherent and cost-effective technology platform as well as the proverbial "single throat to choke" vendor relationship. 2014 will be a crucial year in the U.S. public sector's transition to cloud computing, and developments in Los Angeles and elsewhere will bear watching closely.