To ClassANetwork:
The DISA Impact Levels are not a requirement when unclassified data (CUI/CDI) is stored, processed, or transmitted in a covered contractor information system in "support of the performance" of a contract. DISA requirements are required only when "processing data on behalf of DoD".
The DISA Impact Levels include requirements for Availability and Integrity, versus 800-171, which is mostly concerned with Confidentiality. When using a cloud service provider such as Office 365, DFARS 252.204-7012 is the authority for requirements, which states:
The contractor "shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment."
Microsoft will provide an attestation letter for GCC and GCC High for the c-g requirements. All quotes are sourced from the DoD Procurement Toolbox.
https://dodprocurementtoolbox.com/faqs/cybersecurity/cybersecurity-faqs