After more than two years of trying, the City of Los Angeles has abandoned plans to migrate its police department to Google's hosted email and office application platform saying the service cannot meet certain FBI security requirements.
As a result, close to 13,000 law-enforcement employees will remain indefinitely on the LAPD's existing Novell GroupWise applications, while other city departments will use the Google Apps for Government cloud platform.
Council members last week amended a November 2009 contract the city has with systems integrator CSC under which the company was supposed to have replaced LA's GroupWise email system with Google's email and collaboration system. Under the amended contract, the LAPD will no longer move its email applications to Google.
Instead, Google will pay up to $350,000 per year for the LAPD to maintain its GroupWise licences for the entire term of the CSC contract and any extensions beyond that. Google will also substantially reduce the amount it charges for the rest of the city's use of Google Apps. Under the amendment, CSC too will reduce its initial integration fee for the project by $250,000 (£160,000).
Earlier this month, LA's chief legislative analyst, Gerry Miller, and its chief administrative officer, Miguel Santana, said the contract amendment was necessary because the Google service could not be brought into compliance with the FBI's Criminal Justice Information Systems (CJIS) requirements.
"Although CSC does not have the technical ability to comply with the City's security requirements, it should be noted that the DOJ requirements are not currently compatible with cloud computing," the two wrote.
The CJIS database is maintained by the FBI and is one of the world's largest repositories of criminal history records and fingerprints. The records are accessible to law enforcement officials around the country, but all entities authorised to access the database are required to comply with a strict set of security requirements pertaining to the manner in which the data is accessed, shared, transmitted, stored and destroyed. The security requirements include encryption of all data, both in transit and at rest, and FBI background checks on anyone who accesses the database. The policy applies to anyone with access to the database, including contractors.
The contract amendment proposal recommended by Miller and Santana does not make it clear how Google and CSC failed to comply with those requirements.
In the past however, city officials have not minced words in expressing their frustration over the issue. In a strongly worded notice of deficiencies to CSC last December, LA CTO Randi Levin blasted Google and CSC for repeatedly committing to deadlines for implementing the security requirements but then failing to meet them. At the time, Levin noted that the delays had forced the LAPD to move about 1,900 users who had migrated to Google's new email system back to the old GroupWise platform. The delay also caused the LAPD to postpone its planned migration of 4,000 more users to the new system last October, Levin said.
In April, the Los Angeles Times reported that the city was considering suing Google and CSC over their delay in implementing the CJIS security requirements, despite assuring city officials that they would do so.
Google maintains that the LAPD's security requirements were never part of the original contract. The company claims that the security requirements were introduced only after the migration to Google Apps was well underway at LA. According to the company, CJIS requirements are incompatible with cloud computing environments, and therefore present a unique challenge not just for Google but any cloud vendor attempting to migrate a law enforcement system to the cloud.
On Tuesday, the company reiterated those claims: "We're disappointed that the City introduced requirements for the LAPD after the contract was signed that are, in its own words, 'currently incompatible with cloud computing,' the Google statement said. "We realise this means the LAPD may not be joining the 17,000 other City employees successfully using Google Apps. Even so, Los Angeles taxpayers have already saved more than two million dollars and the City expects to save millions more in the years ahead."
Jeff Gould, CEO of IT consulting firm Peerstone Research, said that Google's problems may have to do with an FBI requirement that all IT contractor personnel pass a criminal background check and sign a document known as the FBI Security Addendum. Levin's notice of deficiency says that the LAPD embarked on its migration to Google Apps based on the understanding that Google and CSC employees, who were required to sign the addendum, would do so by October 2010.
However, some of Google's support staff with access to Google Apps for Government servers, are based in Europe and will likely be unwilling to sign such an addendum, said Gould, who belongs to a group called Safegov.org that is focused on promoting a set of best practices for cloud deployment in the government. The FBI does not mandate that support personnel be based in the US, he said. However, EU law might make it difficult for Google and others to get European employees to submit to FBI screening and fingerprinting, he said.
Gould added that it is disingenuous for Google or others to claim that CJIS requirements are incompatible with cloud environments. Google and CSC should have known what the requirements were because the CJIS policy document at the time the contract was signed clearly spells them out.
Going forward, the LAPD has the option of upgrading GroupWise, switching to a competing on-premise technology, or moving to cloud email services such as Microsoft's Exchange Online, which complies with CJIS, he said.
The lesson here for other city governments looking to move their police departments to cloud apps is not to get scared off by LA's experience, Gould said. Rather what it highlights is the need for them to do their due diligence better before embarking on it, he said.
"I see CJIS compliance requirements posing a problem for all large scale cloud vendors, which are having difficulty getting US nationals to perform all cloud-related work," said Matthew Cain, an analyst with Gartner. "Most mega-vendors utilise some offshore resources for development and operational reasons."
An LA City spokeswoman directed questions about the city's decision to Levin and to an LAPD spokeswoman. Neither one could be reached immediately.