I came to this page trying to understand the architecture of Azure ("commercial" and "government") and its impact on our planned implementations of MS Teams/InTune as well as on compliance with CJIS for our Office 365 and for our new backup solution (which the vendors are telling us could use either Azure commercial or government). Anyone at Microsoft: please correct me if I am wrong in my reading of this article. As an SLTT:
- our Azure AD is in the Azure Commercial (it is) as it should have been
- building out virtual servers for InTune in Azure GCC is wrong since it cannot use our existing Azure AD (we are being told this, but it seems like it would work from what I read here)
- establishing an organizational root CA should be done now for both MS Teams (and either now or future AIP deployment) and for the new backup solution. The root CA could be on-premise or in Azure (Commercial or GCC). If on-premise, it could also be "tied" to an already publicly trusted certificate authority (e.g., Entrust). And, if InTune/MS Teams in GCC cannot make use of our Commercial Azure AD, that root CA would dictate the use of Azure commercial for both MS Teams and the new backup solution.
- We've confirmed that control of our encryption key within the organization is sufficient for CJIS on the backup solution. #3 does not break such compliance only if we use/set up an on-premise root CA.
- Is establishing an organizational root CA now additionally necessary for ensuring police emails, devices managed by InTune, files in SharePoint and OneDrive, and files moved by MS Teams (all in our existing Azure Commercial cloud) are protected up to CJIS standards, or do the police need to move to the GCC of the Azure government series? And, if the latter, what all needs to be in there?
- What else is needed of the current Office 365 (in commercial) in order to meet CJIS requirements? (This may be a question for our State.)
Please feel free to reply and post here as well as directly to me. Thank you.