Klaw, good question, and not the first time I have heard it. I think, though, it's easy to conflate some issues. Export data is typically associated or aligned with NOFORN requirements, although NOFORN can be applied to far more than export data. O365 provides GCCH with explicit intent to support export data. When I use the term export data I am referring to DDTC standards and ITAR. NOFORN is orthogonal. And anecdotally, since we do not yet offer any features to perform a direct backup of the data resident in the human mind, I think your colleague is safe with their ITAR knowledge 😉

I have spoken before to the fact that the _maturity_ of the services is not what is fundamentally different when you contrast MT, GCC, GCCH & DoD. What does change is (a) the scope of controls being added for each 'higher' level as well as (b) the increased 'rigor' of the control values. This is where a customer should focus on making a decision on what service is most appropriate for them, since risk acceptance is ultimately their decision, i.e. do they require the added controls, or the added rigor, available in GCCH? They may require such for different reasons. Some customers see explicit interpretations of requirements satisfied in GCCH compared to GCC. Others see benefits of competitive differentiation. Etc.

Those that have heard me speak on this know I have no desire to police our customers. My intent is always to ensure they can make the most informed decision. Because migration is not fun. And the unfortunate reality is that I have experienced far more customers that decide to migrate part or all of their business to GCCH than I have seen decide to 'down level'. In summary:
a) it is ultimately the customer's decision & responsibility to determine where their requirements are best met; and a critical lesson learned we have observed is ensuring that your stakeholders are in alignment (if not agreement) on risk decisions
b) NOFORN & export are not 100% mutually inclusive. See section 126 of the DDTC regarding export license etc. But if you want explicit contractual support for export data then you will only get that from M365 in GCCH.
c) Similarly, "maturity" and "control scope" are at best orthogonal. Process maturity can be represented at parity between our services where control scope cannot as it differs by design. If you as a customer accept FedRAMP Moderate as sufficient for your CSP to enable you to meet the CMMC levels you need that is your decision. Customers have widely variant risk appetites; some feel GCCH is necessary; others feel Commercial is sufficient.
We recommend the alignment we do based on our experiences with regulators, auditors, and customers of all sizes, in addition to designing different services for different purposes; all in order to ensure that, regardless of the decisions made, customers feel they are well informed.