https://www.axios.com/2024/05/17/pentagon-weighs-microsoft-licensing-upgrades
The Pentagon is looking at expanding its use of Microsoft software across all components starting next month, according to a draft memo obtained by Axios.
Why it matters: The tech upgrade is spurring concerns among competitor cybersecurity and software vendors interested in coveted defense contracts.
Zoom in: The Pentagon is pushing all department components to start upgrading to Microsoft's E5 licenses by June 3 to support its ongoing zero trust transition, according to the memo.
- The E5 license gives organizations access to Microsoft 365 Defender and other tools that help with insider risk management, identity protection and more.
- If the memo is published as-is, Department of Defense offices would have until June 2025 to complete the transition and install these new tools.
Catch up quick: The Pentagon has been working since 2022 to implement a new zero trust security strategy — which overhauls employee access to certain files and requires tougher identity verification tools — by the 2027 fiscal year.
- Pentagon CIO John Sherman told DefenseScoop last week that the department has held "very candid discussions" with Microsoft about its cybersecurity strategies after a data breach last year.
What they're saying: Timothy Gorman, a Pentagon spokesperson, told Axios that the Microsoft E5 upgrades are just "one solution in addition to many other integrated solutions" that DOD is implementing as part of the strategy.
- "There is a draft internal memo in coordination to clearly communicate our leadership's intent," he added.
- David McKeown, DOD's deputy CIO for cybersecurity, mentioned the planned upgrades during remarks at the RSA Conference's public-sector day last week, Gorman said.
- A Microsoft spokesperson said in a statement that its zero-trust platform "emphasizes proactive, integrated, and automated security measures," and it has capabilities for DOD's zero-trust plans.
The big picture: Ever since Microsoft uncovered a Chinese hack of some government officials' email inboxes last summer, tensions between parts of Washington and the tech giant have been high.
- A government advisory board released a report last month saying the attack was "preventable and should never have occurred."
- An aide for the House Homeland Security Committee told Axios on Wednesday that they're working with Microsoft to find a date for a potential hearing on the company's cybersecurity approach.
- Microsoft has also overhauled its internal cybersecurity strategies in response to the incident.
Yes, but: Industry groups are concerned that the Pentagon will open itself up to increased security flaws if it deepens its relationship with Microsoft.
- "It is concerning for any department to further entrench itself into Microsoft's ecosystem before the company has demonstrated that it has satisfied the recommendations of the [Cyber Safety Review Board] report," Ryan Triplette, executive director of the Coalition for Fair Software Licensing, told Axios.
- Triplette added that the E5 licenses come at a "significantly increased cost" and could limit other vendors' ability to compete for contracts or assist in any government security incidents.
The bottom line: Microsoft was already working with the department to help with the zero-trust transition, and typically draft guidance like this wouldn't receive as much scrutiny.
- But the proposed guidance comes as competitors and officials are hawkishly watching Microsoft's every move due to the high-profile attacks.