Microsoft Government CMMC AMA
Event Ended
Tuesday, Apr 12, 2022, 10:30 AM PDT
Event details
We want to hear from our customers and answer their questions around how we can help them achieve CMMC compliance with your Microsoft Azure and Microsoft 365 subscriptions. We will be hosting an "Ask...
Sarah_Gilbert
Updated Apr 12, 2022
Cecil C. Achord
Apr 11, 2022, Copper Contributor
The greatest barriers to GCC High: none of the Business SKUs are in there, for one, so the cost to go to E SKUs plus the GCC High price premium. The other is the cost/time/effort of migration. If you are already in 365 commercial, this cloud-to-cloud migration should be something that can happen internally, without additional cost, without additional time or effort. I remember seeing something about migration of older .com GCC High tenants to newer .us tenants; it was like a something-to-Fairfax migration (I couldn't find the source), so we know some internal magic is possible. Also, Duo does not work with it without federating with the Duo proxy rather than the conditional access method we use now. Also, we would like to be able to authenticate with FIDO2 keys into our computers as well as 365, etc., in which case we could get rid of Duo. I personally would also like to know from a lawyer what the consequences of not going to GCC High are, especially with DFARS 7012 and export controlled data. Also, I would like to know from a lawyer just what a company risks by not going with GCC High, with or without Export Controlled Data.
LisaHaywood
Microsoft
Apr 12, 2022
There is nowhere in the regulatory guidance that states you must use GCCH. Compliance, and how a company solves for this, is based on your organization's interpretation of the requirements that are stated in your mission owner contracts. Microsoft has built solutions to help customers meet their CMMC compliance goals through our cloud and product offerings. Many DIBs will often choose GCCH because of the attestations Microsoft commits to, e.g. ITAR/EAR, Data Sovereignty, U.S. Persons, amongst others. Ultimately, it is up to a company to decide which cloud makes the most sense for them and how much risk they are willing to offload in the shared responsibility model of using an Online Service Provider.
- Cecil C. Achord
Apr 13, 2022, Copper Contributor
DFARS 204.252-7012 requires cloud services that store, process, or transmit CUI to be FedRAMP Moderate equivalent plus meet a set of additional forensic data requirements. If any of your CUI is Export Controlled, the US Citizen requirement and data sovereignty requirement apply. I just don't know how seriously people are taking the DFARS clauses in general, but this is the clause that is calling out NIST 800-171 in the first place, which of course CMMC was created from, as the DoD was noticing no one was anywhere on NIST 800-171 compliance since they allowed self-attestation and POAMs. I know of no one currently that has a NIST 800-171 or CMMC requirement that didn't originate from the DFARS 7012 clause. Wouldn't that be a hard requirement based on Microsoft's own promises? I hear people all the time saying "but you don't have to be in if you decide 'how much risk'". What are we talking about? It's only a problem if there is an incident? Again, what are these risks? Contract gets shut down, or someone has to wear an orange jumpsuit? Who goes to jail? "There is nowhere in the regulatory guidance that states you must use GCCH" contradicts the language in the DFARS 7012.
- Paul Meacham
Apr 13, 2022
Microsoft
Cecil, we do not know our customers' requirements. It is incumbent on our customers to inform us what their requirements are. We attempt to align our customers' requirements with the corresponding cloud service, but ultimately our customers decide. Almost all (there are a few exceptions) Microsoft Cloud services are assessed against the FedRAMP High control set. It is possible to implement NIST 800-53 or NIST 800-171 controls or CMMC practices in any of the cloud services. Since there are folks that manage CUI that is not Defense related (Tax, Law Enforcement, Nuclear, Critical Infrastructure, Legal, NATO, etc.), they may potentially be able to host that CUI in GCC or even Commercial infra. CMMC applies much more broadly to industry than DFARS ever did (and Executive Order 14028 even more broadly than CMMC), so we are seeing folks that are preparing for CMMC Level 1 that have never had a DFARS requirement and will only hold Federal Contract Information (FCI).

If the customer does have a DFARS 252.204-7012 clause requirement, we can offer a commitment for that (including flow-down for sub parts c-g) in O365 GCC, O365 GCC High, Azure Gov and even Azure Commercial (but not for O365 or D365 Commercial). Additionally, since FedRAMP, DFARS and CMMC have no stated requirement for US Persons or US Citizens, there could be an additional requirement under US export control (ITAR, EAR, OFAC, 10 CFR part 810, etc.) for US Persons. Microsoft can only offer a US Persons commitment in O365/D365 GCC High and Azure Government.

All this is just stating that there can be several factors that need to be considered in determining the right cloud instance. Customers must know their requirements, and we do our best to guide them to the cloud service that best aligns with those stated requirements. It is our position that O365 GCC High & Azure Gov are the cloud services best aligned with customers that have DFARS, ITAR & CMMC L2 & L3 requirements, but it is up to the customer to decide.
If a customer with these requirements stays on-prem, uses a competing commercial cloud service or uses a lower compliance Microsoft cloud service, they do so at their own cognizance & risk. I hope this helps! Please feel free to contact me if you have any further questions.