Blog Post

  • FelixOctavian's avatar
    FelixOctavian
    Copper Contributor

    How does this impact organizations that would like to store CUI on systems that use Azure Commercial for authentication?  For example, downloading CUI directly from a DoD source to an Azure AD-joined workstation while logged into their Azure AD account.  If the CUI is never stored in Microsoft 365 services like OneDrive or SharePoint and stays local to the workstation, would Azure Commercial's adherence to DFARS be sufficient for handling CUI?  Would it be sufficient for ITAR/EAR?

  • This is an amazing write up, thanks so much for sharing! I'm sure I'll be sending this link to many people in the future when they want to understand what GCCH means

  • GregoryDamon's avatar
    GregoryDamon
    Copper Contributor

    Excellent!  Thanks so much Richard for pointing me to this article.  I've got it book-marked for reference.  A lot to digest, even for Architects like myself that need to dig deeper on some of this.

  • Scott_Singer's avatar
    Scott_Singer
    Copper Contributor

    This was a helpful blog.  But, I have a question/challenge:

     

    "It does not guarantee fulfillment of US Persons nor US Citizenship requirements, nor does it confer data residency in the Continental United States (CONUS)."

     

    I am not aware of an ITAR requirement now for data sovereignty.  22 CFR ยง120.54 says it is not an export of ITAR technical data if it is encrypted end to end between US Persons and/or stored using FIPS 140-2 approved cloud storage. 

     

    I understand that you have focused the GCC High offerings to meet DFARS 7012 and ITAR requirements but there are many small companies that make this a difficult hurdle for them to overcome.