Updated Sep 23, 2024
Version 18.0
RichardWakeman
Microsoft
Joined January 31, 2019
Public Sector Blog
Hello RogueAgent,
I'm the Community Manager for the Public Sector Community. Windows Autopilot for GCC-High customers is high priority for us and we are currently working on a plan. We will be able to provide more information around Fall 2020. If you would like to give feedback, we would recommend posting in the Microsoft 365 Uservoice here: https://office365.uservoice.com/
RichardWakeman Is there a process that we can use to ask questions regarding the roadmap? I'm interested in knowing the status of Autopilot for GCC High, but it isn't on the roadmap. https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/ems-intune-govt-service-description (Last updated 10/30/2019) states that planning for Autopilot is underway, but that is all I could find.
Thank you for the great content and being so responsive to us!
Slyclouduser, File requests is a new feature for OneDrive. Any new features must become generally available in Commercial before getting ported over to the sovereign clouds. As a general rule of thumb, a feature for an existing product that is already within the accreditation boundary will take 3-6 months after GA to release in the sovereign clouds. There are exceptions to the rule, such as requirements for FedRAMP assessments. At the end of the day, there is a public roadmap for such features found at http://aka.ms/m365roadmap. That said, I do not see this feature in particular.
I have a local Government customer who purchased a GCC Exchange Online E1 Suite License.
The customer needs to leverage file requests from OneDrive. This feature is not available for Office 365 Government, Office 365 operated by 21Vianet, or Office 365 Germany.
Any advice?
RogueAgent, interestingly enough, the agency itself is homed in M365 GCC High. While they are the authority for their deployment in GCCH, it does not apply to the States. Each State has an adjudication for CJIS, as described in the article above. Given the States will not deploy into GCCH, they will not likely adjudicate GCCH directly. Microsoft cannot make claims that CJIS is supported in GCCH, especially at the State level.
RichardWakeman, thanks for the very helpful article and sheet! I am curious why GCC High isn't suitable for FBI CJIS work though. Is there any possibility that will happen? That would be helpful for companies who support the DoD and the FBI.
ThiryDB I've never recommended Commercial for customers that have requirements to demonstrate protection of government data. I've always taken the stance that I recognize this is a customer decision, but one that I cannot support. Remember, as a Commercial customer, for example, you cannot be treated in accordance with government requirements. Perhaps you have a justifiable absence of need for your service provider to demonstrate support for (c)-(g) of 7012, or you have no concerns about your service provider executing incident response activities that impact your tenant in accordance with 800-53, 800-171, or DFARS, etc. These are customer decisions because that unique context, and the impact of that decision, remains appropriately the customer's. It might help to know that most of the entities that I know that decided on Commercial at some point changed their mind and migrated a portion, or all, of their users to GCC &/or GCCH. Those that I know with a remaining presence in Commercial tend to have larger, more complex organizations where it makes sense to have multiple tenants. For most tenants the bright line between Commercial and GCC is that the latter commits to personnel screening requirements that support their tenant needs.
Much of the above conversation focuses on the more stringent ITAR, IL4/5... but as a commercial contractor working with DoD CUI expecting to meet CMMC IL 1/2 and maybe 3 in the next year, but NEVER needing IL4/5 or ITAR, can we remain in M365 commercial Business/Enterprise and avoid M365 GCC? My understanding is that 800-171 does require the CONUS data center and US personnel support that ITAR and others do require.
Howdy andrewgsauer! Thank you!!!
DFARS 7012 is an amendment to the Microsoft Enterprise Agreement. You can find more information here: https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-dfars?view=o365-worldwide
There is an actual 2-page flow-down letter you can also get from Microsoft by request (case-by-case). However, it's typically only required by ISVs that need to produce a flow-down to their customer when running their SaaS product on Azure Government or M365 GCC High.
RichardWakeman This (blog post) may be the single greatest resource that Microsoft has made available to the small business (sub-500) GCC High customers, current and potential. Well, other than GCC High itself. I think I reference this weekly when fielding questions about whether GCC High is even necessary.
What's the practical step for getting Microsoft to sign a DFARS flow down? Is that already in the GCC High license agreement? Or is this something customers would have to do on a case-by-case basis?