Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

Howdy Jonathan_Priganc!  You hit on a topic that our team at Microsoft encounters frequently within the Defense Industrial Base.  Virtually every large DIB entity has missions OCONUS, and in service of other sovereign defense requirements outside the U.S..  It's a very nuanced set of topics.  There are data sovereignty requirements for export controls in the U.S. working with the U.S. DoD (e.g. ITAR & EAR) that may include export licenses for foreign user populations, such as foreign locations and/or subsidiaries.  At the same time, there may be data sovereignty requirements for export controls in other countries, such as those imposed by the U.K. MoD or AU DoD.  Often times, the same person may have obligations to both sets of export controls at the same time.  They are in direct competition with one another.  It often translates to that person having access into multiple data enclaves in each sovereign location.  Then the question becomes, where you do locate the person's Mailbox, OneDrive for Business and Team's account?  Do they need multiple?  Do you need to isolate one from another?  And in all transparency, will a Geo of the Commercial Office 365 offering even fit the export control requirements for the foreign defense entity in question?  There is no definitive answer.  We've seen customers go in multiple directions.  I've come up with several reference architectures that we share to help address "Cross-Sovereign" deployments of Office 365.  We are happy to share with you.  At the end of the day, Microsoft will accommodate multiple solutions, to include a multi-cloud approach.  But it will be a decision your organization will wrestle with, especially as the compliance bar shifts.

Thank you for these blog posts.  This is the most detailed explanation on the different tenants I have seen. 

FedRAmp Moderate Equivalency Question.

The chart and article states that Office 365 is FedRamp Moderate "equivalency" in Microsoft 365 Commercial.  On the FedRamp website for Office 365 Multi-Tenant and Supporting Services for Public Cloud it states that it is FedRamp Authorized.  Why is Microsoft calling it equivalent and not authorized?  When a customer is looking for FedRamp authorized services this is the source they would use. 

https://marketplace.fedramp.gov/#/product/office-365-multi-tenant--supporting-servicesstatus=Compliant&sort=productName&productNameSearch=microsoft

Thanks Terry_Hebert !

Good question. The reason I have always pushed for us to use the term 'equivalency' are due to two reasons: First; that the Commercial service has differing values for a number of ODVs across the control scope and Second; that customers really need to understand how they might be treated differently as a tenant of the Commercial vs Government services i.e. if we declare an incident for the Commercial service all entities within would be treated to the Commercial (not Government) Incident Response practices and requirements. So I use equivalency (amongst other tactics) as an attempt to incent customers to look deeply at these differences before making such choices. As you and I have discussed over the years; I am fine if a customer makes a choice to accept a risk; as long as that was a well-informed decision and I've done my job contributing to the 'well informed' aspect of that decision 😉 

Justin Coffey This challenge of providing guidance for the tenant topology a commercial customer has is less than trivial.  In fact, I wrote an article on it found here: The Microsoft 365 US Government (GCC High) Conundrum - DIB Data Enclave vs Going All In

Even if the majority of the company's business is not subject to data handling of CUI/CDI, they can put any data that is non-classed into GCC High.  We always recommend keeping to a single tenant if at all possible.  The collaborative experience is much better in a single tenant, plus it reduces complexity over having to straddle two or more tenants.  Microsoft will close the gap on feature parity challenges, such as B2B Guest access in the 2020 timeframe.  However, we do have reference architecture for those scenarios where a many-tenant topology is required.  They are not published publicly at this point, as it contains some NDA content.  We are happy to share it with you, if you reach out directly.  We can setup a working session to cover them.

RichardWakemanThis (blog post) may be the single greatest resource that Microsoft has made available to the small business (sub-500) GCC High customers, current and potential. Well, other than GCC High itself. I think I reference this weekly when fielding questions about whether GCC High is even necessary.

What's the practical step for getting Microsoft to sign a DFARS flow down? Is that already in the GCC High license agreement? Or is this something customers would have to do on a case-by-case basis?

In my organization I find that there's a lot of confusion and concern surrounding CUI, CMMC (L3-L5 requirements), and the rationale for choosing "GCC High" over "Commercial" 365 licensing.

Here's a comment I received from a colleague just the other day:

Is it Micosoft's directing to industry that in order to obtain CMMC level 3 certification in a Microsoft Cloud environment, it will require both Azure Government and M365 GCC High implementation?  ... if you read the DOD Instruction 5200.48, NOFORN is a distribution marking which may be added to CUI, C, S, TS, TS/SCI.  CUI is not NOFORN by definition plus not all ITAR Defense Information is CUI - a significant portion of ITAR Defense Information is held commercial as Corporate Proprietary Information.  I hold ITAR informatrion by virtue of my service in the army, nuclear weapon construction and Joint C4I System engineering by ITAR Definition the know-how in my head is ITAR Controlled.

GCC Data Enclave of Commercial Question

The Export Control requirements for ITAR and EAR is based on the data.  A foreign national is not allowed to access export controlled data and export controlled data can only reside CONUS.  

The GCC article states:  "There is a contractual commitment to ensure data residency for the primary Office workloads administered by screened US Persons for access to customer data...to the covered workload." and  "shared services may have data processing Outside the Continental United States (OCONUS) and leverage a global follow-the-sun support model. Most notably, this includes a global network and a global directory."  

Is Microsoft suggesting a global directory as "data processing"?

I understand that Microsoft Support uses the commercial Azure AD for authentication and authorization for GCC but just because there is a shared authentication service does not mean a GCC customer is not compliant with Export Control.  It would not be uncommon for  on-premise AD account to include both US persons and unconfirmed US persons.  It is prudent for a company to appropriately authorize access to Export Controlled data to only US Persons but there is not a requirement for separate AD infrastructures

Terry_Hebert 

Excellent points but this was not about directory (though some customers do have concerns there). Support remains an issue that deserves awareness to avoid spillage to processes outside the accreditation boundary. More important is that GCC takes dependency on Azure Commercial; where it has attained FedRAMP High which is excellent; but as discussed elsewhere FedRAMP <> US Person/Citizen. Due to the potential for the SaaS layer to take on a dependency at the PaaS / IaaS layer where compensating control may be discretionary instead of mandatory; this in turn results in a level of residual risk I do not support when it comes to contractual support for export data in GCC. GCCH on the other hand was designed for dependency on Azure Government which does provide for US Citizen/Persons. I have had customers make decisions that GCC provides sufficient protections to meet their export requirements; and I am fine with that as long as they and their counsel feel they have made a well informed decision. However as a service provider I would not provide contractual support for a class of data that the service was not explicitly designed to support. Hope that helps clarify further. 

NIST 800-171 (Maybe)?

The article states: "DFARS mandates the implementation of NIST 800-171 AND FedRamp Moderate Impact Level for Commercial clouds."

The DFAR 252.204.7012 rule does not state NIST 800-171 AND Fedramp Moderate impact. DFAR rule states "If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline" 

https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

Most understand that there is a shared responsibility for security implementation of DFARS 7012 rule.  The DoD customer has a responsibility to properly configure their tenant to meet "our" requirement for 800-171. Where is Microsoft obtaining information suggesting that both FedRamp and 800-171 are required from cloud commercial service providers?

Terry_Hebert 

Generally I see two ways. First I have a hard requirement to demonstrate the equivalancy clause in sub paragraph (D) that you mention. I am also required to meet 800-171 in the context that I must enable a tenant to do so. This occurs through the extension of my control implementation to the tenant as well as capabilities provided within the service. In another context if I work in the industry as contractor and not just service provider; I would also be required to comply. Really though as the preface makes clear 800-171 is a subset and simplification of 800-53 along the Confidentiality dimension. Now personally (and deserving of a whole other blog) I think it may have been just as effective to focus on a subset of 800-53 rather than write 800-171. Selfishly it would have made my role as service provider far easier requiring far less translation between -171 and -53! I think as we assess movement towards CMMC (yet another good topic to address) we will continue to assess the parallelisms between CSPs and tenants and the regulations each implements. Great questions and observations Terry - thank you.