
  • cekimball, thank you for the feedback, and I totally agree. I have a major version update of this blog that provides additional clarity on this topic.

  • cekimball

    Regarding CUI and ITAR... You state "Export-controlled data such as ITAR technical data is one of the categories of CUI".

    Need to be careful here. While CUI can include ITAR (ITAR is one of the categories of CUI), ITAR is not a subset of CUI; I can have ITAR information that is not also CUI. Think of a Venn diagram with CUI and ITAR circles: there is an intersection of them, but the ITAR circle is not a subset of the CUI circle.

    As an example, I could develop weapon designs on my own (not under government contract) and seek to sell them outside the US. Those designs would be subject to ITAR, but would not be CUI.

    CUI is defined in 32 CFR Part 2002 "Controlled Unclassified Information"; see paragraph 2002.4 "Definitions", sub-paragraph (h). The key phrase is that CUI "is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government". If the Government does not create it or possess it, and it is not created or possessed on behalf of the Government, it is not CUI.

  • BDuffey

    RichardWakeman, as of this writing, Microsoft GCC High does not appear on the FedRAMP marketplace website (in fact it is no longer pending). The fact that a CSP has an Agency ATO does not make an offering 'FedRAMP Authorized'. You might consider updating this information.

  • bcarlin

    Why couldn't Azure Commercial be used for CUI and ITAR, if the following compensating controls are in place:

    • All Azure workloads (VM, AKS, Log Analytics) use Azure Disks and Storage Accounts which are encrypted with Customer Managed Keys, using Azure Key Vault (FIPS 140-2 Level 2 certified).
    • All Azure workloads in US-based Availability Zones.
    • All endpoint data flows to Azure workloads leverage FIPS 140-2 modules.
    • Endpoint authorization is gated with AAD Conditional Access (Compliant, MFA, Terms of Use).

  • cmarcoules

    Quick question about the Microsoft 365 Government (DoD) table above. FCI + CMMC L1 have "Yes" in Microsoft 365 "Commercial", Microsoft 365 Government (GCC) and Microsoft 365 Government (GCC High). CUI/CDI + CMMC L2-3 has a "No" in Microsoft 365 "Commercial" and "Yes" in GCC and GCC High. NIST SP 800-53 / 171 has "Yes" in all three Microsoft instances. My understanding is that CMMC L2 and NIST 800-171 are relatively the same. If you're striving to be CMMC L2 as well as NIST 800-171 compliant, which Microsoft instance would you need to be running? It doesn't look like Commercial would be the route to go, as CMMC L2 says "No" and NIST 800-171 says "Yes". Can you help me understand what route to go?

  • C4MB99

    Thank you Shawn_Veney and RichardWakeman. This has been informative and helpful. I've learned more about the different levels of M365 Government offerings, and you cleared up some misconceptions I had.

  • There are two issues often at play here. One is that the customer ultimately decides what to purchase. Many factors drive those decisions, and cost is obviously one. We try to ensure customers can make the most informed decisions, but I've been witness to many decisions that were regretted. We do not 'police' the customer and force them to choose one service over another. Sometimes the customer makes a well-informed decision but is driven by price or other factors; sometimes they do not make that well-informed decision regardless of how much we try to get the right information to them.

    Secondly is the issue of understanding what you buy. The way the question above is framed demonstrates a consistent challenge, i.e. a common misconception that the purchase of one of the services equates to the same level of compliance in whatever support channel the customer purchases or engages in. We try to make very clear that support is a different system. We also have many cautions we publish for our government customers that might engage support, to ensure they understand what cautions they should take (and assumptions to avoid) when engaging support.

    I could add that there is a third possible issue at play, which is that a customer may overextend their perception of their government requirements into an assumption that they can only engage with US-based support personnel. If there is no exchange of CUI, the customer may engage a support person and receive the assistance necessary to unblock their situation, having never exposed anything sensitive to the support persons involved. Many customers choose to enact their own internal Tier 1 type support functions to ensure that any escalation to an external service provider remains 'sanitized' and that a user has not provided more data than necessary to the wrong parties, perhaps not knowing they needed to request specific support for their issue if sharing controlled data, etc. Hope that helps provide some context.

  • C4MB99

    > I have been on calls assisting such customers that were routed through our global support staff and were frustrated that 'Microsoft' did not understand that they had US Government requirements and should not have been routed to offshore support personnel in Asia.

    I am curious how that happens. How does Microsoft 365 "Commercial" get sold to customers who actually need GCC or GCC High?