Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

Howdy Terry_Hebert !

You would be surprised at the number of DIB asking for a DOD SRG IL4/5 environment.  If I were to break it down, we can typically differentiate a DIB from any other commercial customer by 1 of three different topics.  1) We need your ITAR compliant offering.  2) We have requirements for an IL5 environment (and they are not a DoD entity), and of course 3) Do you cover DFARS 7012 (now CMMC)?  It's an extremely nuanced conversation, but we often have to rationalize the need for, and how we satisfy the requirements the DIB have for the SRG.  Much of the time, that does distill down to GoCo (Gov't owned, Contractor operated) environments where a hard SRG Impact Level actually does exist.  But I can say this.  Topics like JSIG PL5, FOUO markings and DD 254 do not help the cause.  That's why we articulate where we have an actual DoD SRG P-ATO versus where there is 'equivalency'  Most DIB are satisfied that we have the same controlset implementation in GCC High to be IL4/5 compliant, as it's a twin environment to the DoD. 

Not to take away from the essence of your comment... DIB need a FedRAMP ATO with DFARS 7012 c-g, NIST 800-171 coverage, ITAR sovereignty, and now looking for CMMC.