Updated Sep 23, 2024
Version 18.0
RichardWakeman
Microsoft
Joined January 31, 2019
Public Sector Blog
Generally I see two ways. First, I have a hard requirement to demonstrate the equivalency clause in sub-paragraph (D) that you mention. I am also required to meet 800-171 in the context that I must enable a tenant to do so. This occurs through the extension of my control implementation to the tenant as well as capabilities provided within the service. In another context, if I work in the industry as a contractor and not just a service provider, I would also be required to comply. Really though, as the preface makes clear, 800-171 is a subset and simplification of 800-53 along the Confidentiality dimension. Now personally (and deserving of a whole other blog) I think it may have been just as effective to focus on a subset of 800-53 rather than write 800-171. Selfishly, it would have made my role as service provider far easier, requiring far less translation between -171 and -53! I think as we assess movement towards CMMC (yet another good topic to address) we will continue to assess the parallelisms between CSPs and tenants and the regulations each implements. Great questions and observations Terry - thank you.
NIST 800-171 (Maybe)?
The article states: "DFARS mandates the implementation of NIST 800-171 AND FedRAMP Moderate Impact Level for Commercial clouds."
The DFARS 252.204-7012 rule does not state NIST 800-171 AND FedRAMP Moderate impact. The DFARS rule states: "If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline"
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
Most understand that there is a shared responsibility for security implementation of the DFARS 7012 rule. The DoD customer has a responsibility to properly configure their tenant to meet "our" requirement for 800-171. Where is Microsoft obtaining information suggesting that both FedRAMP and 800-171 are required from commercial cloud service providers?
Excellent points, but this was not about directory (though some customers do have concerns there). Support remains an issue that deserves awareness to avoid spillage to processes outside the accreditation boundary. More important is that GCC takes a dependency on Azure Commercial, where it has attained FedRAMP High, which is excellent; but as discussed elsewhere, FedRAMP <> US Person/Citizen. Due to the potential for the SaaS layer to take on a dependency at the PaaS / IaaS layer, where compensating controls may be discretionary instead of mandatory, this in turn results in a level of residual risk I do not support when it comes to contractual support for export data in GCC. GCCH, on the other hand, was designed for dependency on Azure Government, which does provide for US Citizens/Persons. I have had customers make decisions that GCC provides sufficient protections to meet their export requirements, and I am fine with that as long as they and their counsel feel they have made a well-informed decision. However, as a service provider I would not provide contractual support for a class of data that the service was not explicitly designed to support. Hope that helps clarify further.
GCC Data Enclave of Commercial Question
The Export Control requirements for ITAR and EAR are based on the data. A foreign national is not allowed to access export controlled data, and export controlled data can only reside CONUS.
The GCC article states: "There is a contractual commitment to ensure data residency for the primary Office workloads administered by screened US Persons for access to customer data...to the covered workload." and "shared services may have data processing Outside the Continental United States (OCONUS) and leverage a global follow-the-sun support model. Most notably, this includes a global network and a global directory."
Is Microsoft suggesting a global directory as "data processing"?
I understand that Microsoft Support uses the commercial Azure AD for authentication and authorization for GCC, but just because there is a shared authentication service does not mean a GCC customer is not compliant with Export Control. It would not be uncommon for an on-premises AD to include accounts for both US persons and unconfirmed US persons. It is prudent for a company to appropriately authorize access to Export Controlled data to only US Persons, but there is not a requirement for separate AD infrastructures.
Thanks Terry_Hebert!
Good question. There are two reasons I have always pushed for us to use the term 'equivalency': first, that the Commercial service has differing values for a number of ODVs across the control scope, and second, that customers really need to understand how they might be treated differently as a tenant of the Commercial vs Government services, i.e., if we declare an incident for the Commercial service, all entities within would be treated to the Commercial (not Government) Incident Response practices and requirements. So I use equivalency (amongst other tactics) as an attempt to incent customers to look deeply at these differences before making such choices. As you and I have discussed over the years, I am fine if a customer makes a choice to accept a risk, as long as that was a well-informed decision and I've done my job contributing to the 'well informed' aspect of that decision 😉
Thank you for these blog posts. This is the most detailed explanation on the different tenants I have seen.
FedRAMP Moderate Equivalency Question
The chart and article state that Office 365 is FedRAMP Moderate "equivalency" in Microsoft 365 Commercial. On the FedRAMP website, for Office 365 Multi-Tenant and Supporting Services for Public Cloud, it states that it is FedRAMP Authorized. Why is Microsoft calling it equivalent and not authorized? When a customer is looking for FedRAMP authorized services, this is the source they would use.
https://marketplace.fedramp.gov/#/product/office-365-multi-tenant--supporting-services?status=Compliant&sort=productName&productNameSearch=microsoft