Updated Sep 23, 2024, Version 18.0
RichardWakeman, Microsoft (joined January 31, 2019)
Public Sector Blog
Howdy Terry_Hebert!
You would be surprised at the number of DIB asking for a DoD SRG IL4/5 environment. If I were to break it down, we can typically differentiate a DIB from any other commercial customer by one of three different topics: 1) We need your ITAR-compliant offering. 2) We have requirements for an IL5 environment (and they are not a DoD entity), and of course 3) Do you cover DFARS 7012 (now CMMC)? It's an extremely nuanced conversation, but we often have to rationalize the need for, and how we satisfy, the requirements the DIB have for the SRG. Much of the time, that does distill down to GoCo (Gov't owned, Contractor operated) environments where a hard SRG Impact Level actually does exist. But I can say this. Topics like JSIG PL5, FOUO markings and DD 254 do not help the cause. That's why we articulate where we have an actual DoD SRG P-ATO versus where there is 'equivalency'. Most DIB are satisfied that we have the same control set implementation in GCC High to be IL4/5 compliant, as it's a twin environment to the DoD.
Not to take away from the essence of your comment... DIB need a FedRAMP ATO with DFARS 7012 c-g, NIST 800-171 coverage, ITAR sovereignty, and now looking for CMMC.
To ClassANetwork:
The DISA Impact Levels are not a requirement when unclassified (CUI/CDI) data is stored, processed, or transmitted in a covered contractor information system in "support of the performance" of a contract. DISA requirements are required only when "processing data on behalf of DoD".
The DISA Impact Levels include requirements for Availability and Integrity, versus 800-171, which is mostly concerned with Confidentiality. When using a cloud service provider such as Office 365, DFARS 252.204-7012 is the authority for requirements, which states:
"The contractor 'shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.'"
Microsoft will provide an attestation letter for GCC and GCC High for the c-g requirements. All quotes are sourced from the DoD Procurement Toolbox.
https://dodprocurementtoolbox.com/faqs/cybersecurity/cybersecurity-faqs
Justin Coffey, this challenge of providing guidance for the tenant topology a commercial customer has is less than trivial. In fact, I wrote an article on it, found here: The Microsoft 365 US Government (GCC High) Conundrum - DIB Data Enclave vs Going All In
Even if the majority of the company's business is not subject to data handling of CUI/CDI, they can put any data that is non-classified into GCC High. We always recommend keeping to a single tenant if at all possible. The collaborative experience is much better in a single tenant, plus it reduces complexity over having to straddle two or more tenants. Microsoft will close the gap on feature parity challenges, such as B2B Guest access, in the 2020 timeframe. However, we do have reference architectures for those scenarios where a many-tenant topology is required. They are not published publicly at this point, as they contain some NDA content. We are happy to share them with you if you reach out directly. We can set up a working session to cover them.
RichardWakeman: Thanks for your reply to Jonathan. We, as a partner, are running into scenarios where our manufacturing customers (primarily HQ'd in Michigan) are primarily focused on supporting the automotive sector (and in some cases, the aerospace sector) and may only have 50% or less of their overall business, employees, and/or data being impacted, in some capacity, under ITAR as defense contractors. These aren't typically enterprise-size customers and typically fall into the SMC-C segment.
Due to the "limitations" on product availability and functionality within Office 365 GCC (including the lack of Office 365 GCC High in CSP today and added complexity of AOS-G (for less than 500 users) and EA (for more than 500 users)), we're continually running into the debate on what direction to advise them to go with: Office 365 GCC High, Office 365 GCC, Office 365 Commercial - and then, "all in" a specific tenant or the split-tenant model. As mentioned, the complexity comes in for the IT-led management and governance as well as the adoption and change management (including end-user awareness and training) headaches for 2 different tenant types with potential different configurations and product/service capabilities.
I'd be curious what your guidance is for these kinds of customers and what your reference architectures are (just for awareness, if they don't all apply to my referenced scenario). Thanks!
Howdy Jonathan_Priganc! You hit on a topic that our team at Microsoft encounters frequently within the Defense Industrial Base. Virtually every large DIB entity has missions OCONUS, and in service of other sovereign defense requirements outside the U.S. It's a very nuanced set of topics. There are data sovereignty requirements for export controls in the U.S. working with the U.S. DoD (e.g. ITAR & EAR) that may include export licenses for foreign user populations, such as foreign locations and/or subsidiaries. At the same time, there may be data sovereignty requirements for export controls in other countries, such as those imposed by the U.K. MoD or AU DoD. Oftentimes, the same person may have obligations to both sets of export controls at the same time. They are in direct competition with one another. It often translates to that person having access into multiple data enclaves in each sovereign location. Then the question becomes, where do you locate the person's Mailbox, OneDrive for Business and Teams account? Do they need multiple? Do you need to isolate one from another? And in all transparency, will a Geo of the Commercial Office 365 offering even fit the export control requirements for the foreign defense entity in question? There is no definitive answer. We've seen customers go in multiple directions. I've come up with several reference architectures that we share to help address "Cross-Sovereign" deployments of Office 365. We are happy to share them with you. At the end of the day, Microsoft will accommodate multiple solutions, to include a multi-cloud approach. But it will be a decision your organization will wrestle with, especially as the compliance bar shifts.
Great to hear from you Jonathan. Excellent point. Not the most common scenario but definitely a valid one, and you are correct: Organizations with multi-geo footprints, valid export licenses and complex private/public sector business streams require some additional deliberation. There are a few key factors to consider here when I'm speaking with such customers. #1: If bifurcation between services appears viable, how might this impact (or complement) the organization's existing AD design, data classification, business group policies, etc.? #2: Are operational costs clearly understood regarding the complexity of managing different services, collaboration between them, and the policy/governance necessary to ensure avoidance of spillage between different services? And #3: Given our compliance in other geographies, how can we help the customer demonstrate assurances to regional regulations by sharing our compliance artifacts with the customer relevant to each region? So yes; definitely a good point. Such deployments are possible; they just deserve significant analysis and planning commensurate with their complexity.
Shawn_Veney, good points as always! I know you and I have talked about this previously, but figured I would comment here. One major challenge that I see is for global companies that have users in multiple countries who also have valid export licenses. It seems that this use case keeps getting missed. It would be unrealistic to put all user accounts into GCC-High, as you now risk bringing non-US-controlled military data into the US (think Eurofighter, for example). The employee working on a Eurofighter program may also be working on F35 data in the UK under a valid license. The company would potentially run afoul of foreign export regulations and risk "ITAR taint" by putting that data on US servers.
It appears that customers are unable to set up a "split-tenant" with a subset of users in GCC-High and other users in GCC or Commercial. At least with Commercial you can turn on multi-geo to keep the data resident in the appropriate country, then turn Lockbox on to remove the "potential access" risk. Per DoS guidance a few years back, if you have actual access records, then potential access is no longer considered an export. From everything I have seen, the recordkeeping in O365 would easily be able to meet that threshold.
Thoughts???
Terry, yes. A small risk. Possible: yes. Probable: no. Good call on Lockbox, as it is a great assurance feature/tool, but I always try to be very transparent about it. It definitely helps a customer demonstrate control over access to their data. And, since our engineering staff almost never accesses customer data, you may purchase this tool and never get a request from us! So while the risk is very small, and Lockbox is a nice assurance complement, for me it boils down to two core things. 1) Being a service provider and needing to provide for a diverse range of potential solutions and risk appetites (while being clear on what is (and isn't) supported), and 2) Having discretionary vs mandatory control over dependencies. All that said, we know that risk is a very subjective discipline, and many regulations purposefully leave room for flexible interpretation to achieve objectives in different ways. In turn, our services provide a myriad blend of features that help tenants add depth and breadth of data protections in addition to what the baseline service offers. You call out some great questions that can help customers explore the contrasts we are trying to highlight with this article, so they might determine where their level of comfort is. Thank you.
Continued GCC Data Enclave (Export Control/US Persons)
OK, so there is a small risk that Foreign Nationals could access Export Controlled data. "Certain government entities extend beyond the accreditation with regulations such as CJIS and IRS 1075 that require screened US Persons to support the service." This risk is acceptable for other organizations requiring US Persons (CJIS and IRS 1075), but the risk is too high for Export Control?
If Lockbox is enabled, does that mitigate most of the risk of accidental access to data by Foreign Nationals?