Is the FBI trying to kill the use of cloud email services by local law enforcement agencies? Los Angeles, the first big city customer to adopt Google Apps for Government, now says the service cannot meet FBI security requirements. But is the FBI really at fault?
Google and the City of Los Angeles agreed to pull the plug on their very public, two-year struggle to deploy Google Apps for Government (GAFG) at the Los Angeles Police Department (LAPD). In a document published last week, city officials blamed the failed deployment on FBI information security rules which, they allege, make it impossible to deploy cloud email services like Gmail to law enforcement agencies. If this assessment is correct, local police and sheriff departments across the country who are considering Google Apps or comparable cloud services may be in for a rude awakening similar to the one that Los Angeles faces today.
This failure of Gmail at LAPD, while a local issue on its surface, has clear national implications. It serves as a clear warning sign for governments and law enforcement agencies across the nation that are contemplating moving to the cloud. The warning is not that the cloud presents impossible hurdles that cannot be overcome. That is just not true. The salient takeaway is that vendors with diverse cloud solutions and robust product offerings are arguably better situated to meet the complex needs of government entities, whether they are local, state or federal. The City of Los Angeles found this out the hard way.
Where does that leave them? Well, 13,000 LAPD employees will be sticking with their existing on-premises GroupWise email system, while 17,000 other city employees will stay on Gmail.
Interestingly, this deal is actually more remarkable for its financial aspects. Google will not only reimburse Los Angeles for any charges incurred so far by LAPD users and lower the price it charges for LA's other users, but will actually pay the city up to $350,000 per year for the life of the contract to cover the cost of maintaining GroupWise at LAPD. This works out to a de facto $20 per year discount on the already rock bottom price of approximately $40 per user per year that Google is charging the city's other departments. Google's implementation partner CSC will also take a haircut to the tune of $250,000 on its upfront integration fee of $830,000.
How did it all go so wrong? The heart of the problem, according to Los Angeles officials, lies with the FBI computer security rules governing access to the national Criminal Justice Information System database (CJIS). The Bureau imposes strict regulations on all local law enforcement computer systems and personnel who have access to criminal history information contained in CJIS. The regulations cover both direct access to CJIS and secondary dissemination of CJIS-derived information, such as routine email messages that police departments circulate internally. The regulations also apply to outside IT contractors who provide services to law enforcement agencies.
Neither Google nor the city has disclosed exactly which CJIS requirements GAFG failed to meet. The FBI demands 128-bit or better encryption of CJIS-derived information. So-called "at rest" (i.e. storage-based) encryption does not seem to be a standard feature of Google Apps, but the city says Google has met this requirement. LAPD's existing on premises email server, Novell GroupWise, also meets the FBI's encryption standard, as do comparable systems such as IBM Lotus Notes and Microsoft Exchange.
Google's problem with CJIS may concern the FBI requirement that IT contractor personnel pass criminal background checks and sign a document known as the FBI Security Addendum. The city says that Google has confirmed it is unable to meet this requirement, but does not say why. However, analyst firm Gartner reported in July that some of Google's support staff with access to GAFG servers are based in Europe. The FBI doesn't explicitly mandate that support personnel be located in the U.S., but European law may make it difficult for Google to force its European employees to submit to screening (including fingerprinting) by U.S. authorities.
It is perhaps understandable that the City of Los Angeles has chosen to put the blame on the FBI. City officials last week made sweeping declarations regarding the suitability of cloud computing for law enforcement agencies. They bluntly assert that the FBI's "CJIS regulations are currently incompatible with cloud computing". Echoing the city's accusation, Google and CSC say they couldn't meet CJIS requirements because the FBI changed them after the LA contract was signed in 2009. But the version of the FBI's CJIS policy document in force at the time clearly stated that IT contractor staffers must sign the Security Addendum and submit to background checks.
What happens next? Google and CSC are offering Los Angeles a substantial financial compensation for the trouble and cost overruns caused by the failed deployment at LAPD. LAPD has said it will stay with GroupWise for the time being. Going forward, LAPD has the option of upgrading GroupWise, switching to a competing on-premises email solution such as Lotus Notes or Exchange, or utilizing a cloud email solution that complies with the FBI's CJIS requirements, such as Exchange Online.
Experienced IT professionals know all too well that large IT projects can be a source of unexpected cost and risk. But this particular cost and risk could have arguably been avoided. State and Local CIOs who are considering cloud email for their law enforcement agencies should look carefully at the Los Angeles experience with Google Apps. It is a clear reminder of the importance of conducting thorough due diligence on vendor offerings before deploying them to government users.
Note: Official City of Los Angeles documents referred to in this article can be found on the LA City Clerk web site (Contract number C-116359).