Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings
Microsoft

This article is the second of a series in the Microsoft Tech Community Public Sector Blog and touches on several key principles for compliance, including data residency versus data sovereignty.  For the first article in the series, please refer to History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government.

We will focus on each of the US-based cloud offerings from Microsoft and compare the differences in compliance.  In order to keep this article concise, I will refrain from repeating content from the first article.

 

Microsoft 365 Commercial

 

Compliance Chart - Commercial.png

 

FedRAMP in Commercial

You can demonstrate compliance with the FedRAMP Moderate Impact Level in Microsoft 365 Commercial.  It is even more impressive to note that you can demonstrate compliance with FedRAMP High in Azure Commercial.  We do have accreditation from the Department of Health and Human Services (DHHS) for “Microsoft - Office 365 Multi-Tenant & Supporting Services”.  This Provisional Authority to Operate (P-ATO) is for a GCC tenancy, but GCC is a data enclave of Commercial, effectively extending the accreditation to the whole of the Commercial cloud.

Note: For context on what a ‘data enclave’ is, please refer to History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government.

We advertise that we have FedRAMP Moderate ‘equivalency’ in Microsoft 365 Commercial.  Microsoft validates the Microsoft 365 controls against FedRAMP holistically because we operate all instances of Office 365 using a consistent control framework and uniform implementations of controls based on NIST 800-53 (a requirement of FedRAMP).

A word about FedRAMP in Commercial and how it relates to CUI

I often get pulled into customer conversations on suitability for Controlled Unclassified Information (CUI) in the Commercial cloud.  The common misconception by many is regarding FedRAMP.  Yes, you can demonstrate compliance with FedRAMP Moderate in Microsoft 365 Commercial.  However, not all FedRAMP / NIST 800-53 implementations are the same.  The way Microsoft implements FedRAMP Moderate in Commercial is not the same as that of other Cloud Service Providers (CSPs).  Ultimately, FedRAMP Moderate is not the high bar for compliance with any CSP.  It does not guarantee fulfillment of US Persons or US Citizenship requirements, nor does it confer data residency in CONUS.

However, customers think they are getting something that they are not, just from that label.

Commercial was not built for the regulations and standards that govern CUI.  Thus, in the table above, you can observe that CUI is presented as ‘No’.

The way I frame this for customers is this: your higher bar for compliance to gain coverage of CUI is in alignment with other controls above and beyond FedRAMP.  If you are affiliated with law enforcement and the criminal justice system, you will likely require CJIS adjudication from the FBI or from the US State you are in.  If you are affiliated with the Internal Revenue Service or a Department of Revenue, you will likely require IRS 1075 for coverage of Federal Tax Information.  If you are affiliated with U.S. Defense or Military, you will likely require export controls that include the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR).  Each one of these requires screened US persons and data residency/sovereignty in CONUS.  These are what will direct you to our Government cloud solutions and diminish Commercial as an option.

Commercial has ‘Maybe’ for NIST 800-171?

This is for the Defense Industrial Base (DIB), including aerospace and defense contractors of the US Department of Defense (DoD).  To contract with the DoD, you must demonstrate compliance with the Defense Federal Acquisition Regulation Supplement 252.204-7012 (DFARS).  DFARS mandates the implementation of NIST 800-171 and the FedRAMP Moderate Impact Level for Commercial clouds.  NIST 800-171 is a set of controls used to secure Non-Federal Information Systems (commercial systems) and is derived from NIST 800-53.  Think of it as the subset of the controls that apply to the DIB.  Given Microsoft uniformly implements NIST 800-53 in all of our clouds, undoubtedly we have coverage for NIST 800-171 controls in Commercial.  However, the System Security Plan (SSP) Organizational Defined Values (ODVs) for Commercial differ from those you will find in our Government cloud solutions.  Namely, the ODVs in Commercial are designed for a global service.  There are control differences that make supporting DFARS clause 252.204-7012 sub-paragraphs (c)-(g) much less tenable in Commercial: log retention is not in compliance across all services in Commercial; tenant guidance for log configurations differs; incident response times differ; and other ODVs differ that contribute to how we could enable support for (c)-(g).  We say ‘Maybe’ because it is not completely out of the question that you could supplement our service, for example with log retention in a customer-managed Security Information and Event Management (SIEM) solution (e.g. Azure Sentinel, Splunk, etc.).  However, Microsoft does not demonstrate compliance with NIST 800-171 out-of-the-box in Commercial.

Commercial will not recognize US Government requirements

As I mentioned, there are guidance, operational and support differences between the services provided for Commercial as opposed to those built for the US Government.  There is no way to identify a government tenant within the Commercial service.

This is a painful learning curve when a customer discovers this post-sale/deployment while in the middle of an incident.  I have been on calls assisting such customers who were routed through our global support staff and were frustrated that ‘Microsoft’ did not understand that they had US Government requirements and should not have been routed to offshore support personnel in Asia.  That is how the Commercial service works.  If you have requirements for screened US Persons, Microsoft built services exclusively for the US Government that are suitable for sovereignty requirements.

 

Microsoft 365 Government Community Cloud (GCC)

 

Compliance Chart - GCC.png

 

Scope of Services in GCC

GCC is a data enclave of Commercial.  A data enclave in this context is a logically segregated environment, with servers residing in regional Azure data centers.  In the case of GCC, the data enclave is in CONUS.  There is a contractual commitment to ensure data residency for the primary Office workloads administered by screened US Persons for access to customer data.  This includes data processing specific to the covered workloads (e.g. Exchange Online Protection).

 

The service description for all Microsoft 365 US Government offerings may be found at http://aka.ms/o365usgovservicedescription.

At the time of this writing, the GCC covered workloads are:

  • Exchange Online & Exchange Online Protection
  • SharePoint Online & OneDrive for Business Online
  • Skype for Business Online
  • Teams & Voice (Phone System & Audio Conferencing)
  • Office 365 ProPlus & Office for the Web
  • and more as documented in the US Government Service Description

 

Given GCC is a data enclave of Commercial, there are several shared services.  These shared services may have data processing Outside the Continental United States (OCONUS) and leverage a global follow-the-sun support model.  Most notably, this includes a global network and a global directory.  For example, Azure Active Directory (AAD) in Commercial is shared with GCC.  AAD replicates globally and may have data processing (authentication) occur OCONUS along with service management by global support personnel. For this reason, Microsoft will not contractually commit to export controls in GCC.

As a result, you may observe a ‘No’ in the column for ITAR & EAR for GCC.

There is an outstanding benefit to the services shared with Commercial.  GCC has ubiquitous access to the global catalog of integrated applications, including the AAD App Gallery and the Azure Marketplace in Commercial.  The best illustration of this benefit is access to Microsoft solutions including Visual Studio Online, the Microsoft Developer Network (MSDN) and Azure DevOps in Azure Commercial.  This is not the case with the US Sovereign Cloud.  Consequently, tenants in the US Sovereign Cloud must deploy Commercial or GCC tenants to gain access to these Commercial services, which are not deployed inside the US Sovereign Cloud accreditation boundary.

 

DFARS Yes, but No Flow-Downs in GCC

In GCC covered workloads, we can demonstrate support for DFARS clause 252.204-7012 sub-paragraphs (c)-(g).  We have a two-page auditor’s attestation letter summarizing how those sub-paragraphs are supported, but we will not sign a contractual flow-down.  Why?  Because we did not build GCC (nor Commercial) for this purpose.  You will not get a contractual agreement from Microsoft to support DFARS in GCC, nor to demonstrate DFARS compliance with your customers, vendors and partners.  The primary gap is the scope of services that fall outside the covered workloads for GCC.

 

Controlled Unclassified Information is a Maybe in GCC

The NIST 800-60 Volume 2 registry is rather large.  There are 20 CUI categories as of the latest revision, covering many information types.  The question is, which CUI category is in scope?  Several categories may not require data sovereignty, such as Privacy, Legal, etc.  Is it permissible to rely on data residency in GCC?  Maybe.  However, many of the CUI categories, including Defense, Export Control, Nuclear, etc., undoubtedly require the US Sovereign Cloud and are not appropriate for storage within GCC.  Ultimately, customers are responsible for reviewing the relevant regulations and Microsoft's offerings prior to determining which Microsoft Government Cloud Service is the best fit to support their obligations for CUI.

 

Criminal Justice Information Services in GCC

The most predominant tenant populations in GCC are State and Local Government (SLG) entities, such as highway patrol, sheriff and local law enforcement, that require CJIS.  The CJIS Security Policy provides 13 areas that should be evaluated to determine whether cloud services can be used consistently with CJIS requirements.  These areas correspond closely to the NIST 800-53 control implementation for FedRAMP Moderate, with a security policy aligning with CJIS.

Microsoft will sign the CJIS Security Addendum in states with CJIS Information Agreements. These tell state law enforcement authorities responsible for compliance with CJIS Security Policy how Microsoft's cloud security controls help protect the full lifecycle of data and ensure appropriate background screening of operating personnel with access to CJI. Microsoft continues to work with state governments to enter into CJIS Information Agreements.

Microsoft has assessed the operational policies and procedures of Microsoft Azure Government, Microsoft Office 365 U.S. Government, and Microsoft Dynamics 365 U.S. Government, and will attest to their ability in the applicable services agreements to meet FBI requirements for the use of in-scope services.

Download the CJIS implementation guidelines for Microsoft Government Cloud Services


CJIS status in the United States


The 36 states and the District of Columbia with management agreements, highlighted in green on the map, are:

Alabama, Alaska, Arkansas, Arizona, California, Colorado, Florida, Georgia, Hawaii, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Massachusetts, Michigan, Minnesota, Missouri, Montana, New Jersey, New York, Nevada, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Washington D.C., West Virginia.

Microsoft's commitment to meeting the applicable CJIS regulatory controls allows Criminal Justice organizations to implement cloud-based solutions and be compliant with CJIS Security Policy V5.7.

Current as of 04/18/2019

 

Microsoft 365 Government (GCC High)

 

Compliance Chart - GCC High.png

 

ITAR in GCC High

This service was built for export controls in the US, including ITAR and EAR.  I have had customers interpret GCC as suitable for export controls.  I have even had customers decide that Commercial is sufficient.  I tell them that I am not a lawyer and cannot give legal counsel, but I think that is extremely unwise.  I cannot stop you from leveraging Commercial or GCC for CUI categorized as Export Control, especially for ITAR; I hope you take advantage of every data protection feature that we offer you!  GCC High was created to give you a contractual assurance for export controls in the US.  This includes a US Sovereign Cloud accreditation boundary encompassing all services attached to GCC High.  For example, the network is sovereign and constrained to CONUS.  The directory services with AAD are provided by Azure Government and are sovereign to the US.

DoD CC SRG Impact Level 4 Equivalency in GCC High

We have evolved the US Sovereign Cloud to include PII protections.  PII protections now go all the way up to IL4 in GCC High.  This is significant.  If you know you will have PII on a contract and are going after new business, are you pursuing it with IL4, or just IL2?  This can be a competitive advantage if you can demonstrate IL4.  There is a good likelihood that your customer will be more IL4 oriented, or already consuming our IL4 and IL5 clouds.

NIST 800-171 and DFARS with Flow-Downs in GCC High

Microsoft will sign a contractual Flow-Down for DFARS in GCC High.  This translates to a contractual commitment whereby we demonstrate DFARS compliance in the US Sovereign Cloud.  This includes DFARS alignment with NIST 800-171 in a shared responsibility model with the Customer.  Given that Microsoft uniformly implements NIST 800-53 in all of our clouds, the SSP ODVs for FedRAMP High in GCC High are designed to demonstrate compliance with DFARS.

GCC High complies with DFARS clause 252.204-7012 sub-paragraphs (c)-(g), except as follows:

  • (c) Cyber incident reporting requirement. Microsoft will report security incidents to the Customer in accordance with Incident Response processes and definitions detailed in the DoD CC SRG accreditation requirements. The customer will be responsible for reporting the incident to DoD, if required.
  • (e) Media preservation and protection. Microsoft shall preserve and protect all relevant forensic data of known affected information systems in support of an incident. Any relevant monitoring/packet capture data must be gathered and retained by the Customer.
  • (f) Access to additional information or equipment necessary for forensic analysis.  Upon request by Customer, Microsoft will provide appropriate additional access to any relevant forensic information.


FedRAMP High in GCC High

At the time of this writing, GCC High has a FedRAMP Agency ATO at the Moderate Impact Level from the Department of Justice (DOJ) and has successfully completed two FedRAMP High Impact Level audits.  We have several Federal Agencies actively deployed in GCC High, demonstrating compliance with FedRAMP High.  The FedRAMP High ATO is pending finalization in the FedRAMP Marketplace.

Today, you can demonstrate compliance with FedRAMP High in GCC High and in Azure Government.  However, the High Impact Level is not a requirement for DFARS Compliance.  FedRAMP Moderate is specifically required for DFARS.  And for that, we do have an Agency ATO currently in place covering GCC High.

 

NERC and FERC in GCC High

Microsoft has engaged with multiple entities obligated to demonstrate compliance with the requirements of the North American Electric Reliability Corporation (NERC) and/or the Federal Energy Regulatory Commission (FERC).  They find M365 GCC High and Azure Government to be the closest match among Microsoft cloud service offerings to fulfill their requirements.  Due to the dynamic scope of applicability that an entity may define, we recommend you request explicit support from your Microsoft account team if you have compliance requirements in this area.

Microsoft 365 Government (DoD)

 

Compliance Chart - DoD.png

 

If you are not in the DoD, don't worry about it.  You're not getting into the service.  Only the DoD and those approved by them (such as service providers or entities authorized by the DoD) are allowed into the IL5 environment.

12 Comments
Regular Visitor

Thank you for these blog posts.  This is the most detailed explanation on the different tenants I have seen. 

 

FedRAMP Moderate Equivalency Question.

The chart and article state that Office 365 is FedRAMP Moderate "equivalency" in Microsoft 365 Commercial.  On the FedRAMP website for Office 365 Multi-Tenant and Supporting Services for Public Cloud it states that it is FedRAMP Authorized.  Why is Microsoft calling it equivalent and not authorized?  When a customer is looking for FedRAMP authorized services this is the source they would use.

 

https://marketplace.fedramp.gov/#/product/office-365-multi-tenant--supporting-servicesstatus=Complia...

Microsoft

Thanks @Terry Hebert !

Good question. The reason I have always pushed for us to use the term 'equivalency' is due to two reasons: First; that the Commercial service has differing values for a number of ODVs across the control scope and Second; that customers really need to understand how they might be treated differently as a tenant of the Commercial vs Government services i.e. if we declare an incident for the Commercial service all entities within would be treated to the Commercial (not Government) Incident Response practices and requirements. So I use equivalency (amongst other tactics) as an attempt to incent customers to look deeply at these differences before making such choices. As you and I have discussed over the years; I am fine if a customer makes a choice to accept a risk; as long as that was a well-informed decision and I've done my job contributing to the 'well informed' aspect of that decision ;)

Regular Visitor

GCC Data Enclave of Commercial Question

 

The Export Control requirements for ITAR and EAR are based on the data.  A foreign national is not allowed to access export controlled data and export controlled data can only reside CONUS.

 

The GCC article states:  "There is a contractual commitment to ensure data residency for the primary Office workloads administered by screened US Persons for access to customer data...to the covered workload." and  "shared services may have data processing Outside the Continental United States (OCONUS) and leverage a global follow-the-sun support model. Most notably, this includes a global network and a global directory."  

 

Is Microsoft suggesting a global directory as "data processing"?

 

I understand that Microsoft Support uses the commercial Azure AD for authentication and authorization for GCC but just because there is a shared authentication service does not mean a GCC customer is not compliant with Export Control.  It would not be uncommon for an on-premises AD account to include both US persons and unconfirmed US persons.  It is prudent for a company to appropriately authorize access to Export Controlled data to only US Persons but there is not a requirement for separate AD infrastructures.

Microsoft

@Terry Hebert 

 

Excellent points but this was not about directory (though some customers do have concerns there). Support remains an issue that deserves awareness to avoid spillage to processes outside the accreditation boundary. More important is that GCC takes dependency on Azure Commercial; where it has attained FedRAMP High which is excellent; but as discussed elsewhere FedRAMP <> US Person/Citizen. Due to the potential for the SaaS layer to take on a dependency at the PaaS / IaaS layer where compensating control may be discretionary instead of mandatory; this in turn results in a level of residual risk I do not support when it comes to contractual support for export data in GCC. GCCH on the other hand was designed for dependency on Azure Government which does provide for US Citizen/Persons. I have had customers make decisions that GCC provides sufficient protections to meet their export requirements; and I am fine with that as long as they and their counsel feel they have made a well informed decision. However as a service provider I would not provide contractual support for a class of data that the service was not explicitly designed to support. Hope that helps clarify further. 

Regular Visitor

NIST 800-171 (Maybe)?

 

The article states: "DFARS mandates the implementation of NIST 800-171 AND FedRAMP Moderate Impact Level for Commercial clouds."

 

The DFAR 252.204.7012 rule does not state NIST 800-171 AND FedRAMP Moderate impact. DFAR rule states "If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline"

https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

 

Most understand that there is a shared responsibility for security implementation of the DFARS 7012 rule.  The DoD customer has a responsibility to properly configure their tenant to meet "our" requirement for 800-171. Where is Microsoft obtaining information suggesting that both FedRAMP and 800-171 are required from cloud commercial service providers?

Microsoft

@Terry Hebert 

 

Generally I see two ways. First I have a hard requirement to demonstrate the equivalency clause in sub paragraph (D) that you mention. I am also required to meet 800-171 in the context that I must enable a tenant to do so. This occurs through the extension of my control implementation to the tenant as well as capabilities provided within the service. In another context if I work in the industry as contractor and not just service provider; I would also be required to comply. Really though as the preface makes clear 800-171 is a subset and simplification of 800-53 along the Confidentiality dimension. Now personally (and deserving of a whole other blog) I think it may have been just as effective to focus on a subset of 800-53 rather than write 800-171. Selfishly it would have made my role as service provider far easier requiring far less translation between -171 and -53! I think as we assess movement towards CMMC (yet another good topic to address) we will continue to assess the parallelisms between CSPs and tenants and the regulations each implements. Great questions and observations Terry - thank you.

Regular Visitor

Continued GCC Data Enclave (Export Control/US Persons)

 

OK, so there is a small risk that Foreign Nationals could access Export Controlled data.   "Certain government entities extend beyond the accreditation with regulations such as CJIS and IRS 1075 that require screened US Persons to support the service." This risk is acceptable for other organizations requiring US Persons (CJIS and IRS 1075) but the risk is too high for Export Control? 

 

If LockBox is enabled does that mitigate most of the risk for accidental access to data by Foreign Nationals?

Microsoft

Terry; yes. A small risk. Possible; yes, Probable; no. Good call on Lockbox as it is a great assurance feature/tool but I always try to be very transparent about it. It definitely helps a customer demonstrate control over access to their data. And, since our engineering staff almost never accesses customer data you may purchase this tool and never get a request from us! So while the risk is very small; and LockBox is a nice assurance complement; for me it boils down to two core things. 1) Being a service provider and needing to provide for a diverse range of potential solutions and risk appetites (while being clear on what is (and isn't) supported) and 2) Having discretionary vs mandatory control over dependencies. All that said, we know that risk is a very subjective discipline and many regulations purposefully leave room for flexible interpretation to achieve objectives different ways. In turn our services provide a myriad blend of features that help tenants add depth and breadth of data protections in addition to what the baseline service offers. You call out some great questions that can help customers explore the contrasts we are trying to highlight with this article so they might determine where their level of comfort is. Thank you. 

Occasional Visitor

@Shawn_Veney Good points as always!  I know you and I have talked about this previously but figured I would comment here.  One major challenge that I see is for global companies that have users in multiple countries who also have valid export licenses. It seems that this use-case keeps getting missed. It would be unrealistic to put all user accounts into GCC-High as you now risk bringing non-US controlled military data into the US (think Eurofighter for example).  The employee working on a Eurofighter program may also be working on F35 data in the UK under a valid license.  The company would potentially run afoul of foreign export regulations and risk "ITAR taint" by putting that data on US servers. 

 

It appears that customers are unable to set up a "split-tenant" with a subset of users in GCC-High and other users in GCC or Commercial.  At least with Commercial you can turn on multi-geo to keep the data resident to the appropriate country, then turn Lockbox on to remove the "potential access" risk.  Per DoS guidance a few years back, if you have actual access records, then potential access is no longer considered an export.  From everything I have seen, the recordkeeping in O365 would easily be able to meet that threshold.

 

Thoughts???

 

Microsoft

Great to hear from you Jonathan. Excellent point. Not the most common scenario but definitely a valid one and you are correct: Organizations with multi-geo footprints, valid export licenses and complex private/public sector business streams require some additional deliberation. There are a few key factors to consider here when I'm speaking with such customers. #1: If bifurcation between services appears viable, how might this impact (or complement) the organization's existing AD design, data classification, business group policies, etc. #2: Are operational costs clearly understood regarding complexity managing different services, collaboration between them and the policy/governance necessary to ensure avoidance of spillage between different services and #3: Given our compliance in other geographies how can we help the customer demonstrate assurances to regional regulations by sharing our compliance artifacts with the customer relevant to each region. So yes; definitely a good point. Such deployments are possible; they just deserve significant analysis and planning commensurate with their complexity.

Microsoft

Howdy @Jonathan_Priganc!  You hit on a topic that our team at Microsoft encounters frequently within the Defense Industrial Base.  Virtually every large DIB entity has missions OCONUS, and in service of other sovereign defense requirements outside the U.S.  It's a very nuanced set of topics.  There are data sovereignty requirements for export controls in the U.S. working with the U.S. DoD (e.g. ITAR & EAR) that may include export licenses for foreign user populations, such as foreign locations and/or subsidiaries.  At the same time, there may be data sovereignty requirements for export controls in other countries, such as those imposed by the U.K. MoD or AU DoD.  Oftentimes, the same person may have obligations to both sets of export controls at the same time.  They are in direct competition with one another.  It often translates to that person having access into multiple data enclaves in each sovereign location.  Then the question becomes, where do you locate the person's Mailbox, OneDrive for Business and Teams account?  Do they need multiple?  Do you need to isolate one from another?  And in all transparency, will a Geo of the Commercial Office 365 offering even fit the export control requirements for the foreign defense entity in question?  There is no definitive answer.  We've seen customers go in multiple directions.  I've come up with several reference architectures that we share to help address "Cross-Sovereign" deployments of Office 365.  We are happy to share with you.  At the end of the day, Microsoft will accommodate multiple solutions, to include a multi-cloud approach.  But it will be a decision your organization will wrestle with, especially as the compliance bar shifts.

Occasional Contributor

@RichardWakeman: Thanks for your reply to Jonathan. We, as a partner, are running into scenarios where our manufacturing customers (primarily HQ'd in Michigan) are primarily focused on supporting the automotive sector (and in some cases, the aerospace sector) and may only have 50% or less of their overall business, employees, and/or data being impacted, in some capacity, under ITAR as defense contractors. These aren't typically enterprise-size customers and typically fall into the SMC-C segment.

 

Due to the "limitations" on product availability and functionality within Office 365 GCC (including the lack of Office 365 GCC High in CSP today and added complexity of AOS-G (for less than 500 users) and EA (for more than 500 users)), we're continually running into the debate on what direction to advise them to go with: Office 365 GCC High, Office 365 GCC, Office 365 Commercial - and then, "all in" a specific tenant or the split-tenant model. As mentioned, the complexity comes in for the IT-led management and governance as well as the adoption and change management (including end-user awareness and training) headaches for 2 different tenant types with potential different configurations and product/service capabilities.

 

I'd be curious what your guidance is for these kinds of customers and what your reference architectures are (just for awareness if they don't all apply to my referenced scenario). Thanks!