Edge sync FedRAMP compliance for a GCC tenant

%3CLINGO-SUB%20id%3D%22lingo-sub-3023564%22%20slang%3D%22en-US%22%3EEdge%20sync%20FedRAMP%20compliance%20for%20a%20GCC%20tenant%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3023564%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20looking%20for%20a%20definitive%20statement%20on%20whether%20the%20Microsoft%20Edge%20sync%20data%2C%20for%20a%20GCC%20tenant%2C%20is%20stored%20in%20a%20FedRAMP%20compliant%20site%2C%20for%20the%20purposes%20of%20NIST%20800-171%20compliance.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20pages%20in%20the%20Edge%20Deployment%20documentation%20state%20that%20GCC%20%3CEM%3EHigh%3C%2FEM%3E%20is%20not%20supported%2C%20and%20I%20have%20seen%20references%20that%20the%20data%20is%20stored%20in%20the%20same%20country%20as%20the%20tenant%2C%20but%20no%20specifics%20beyond%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOr%2C%20since%20the%20data%20is%20encrypted%20with%20AIP%20managed%20keys%20prior%20to%20leaving%20the%20user's%20machine%2C%20am%20I%20barking%20up%20the%20wrong%20tree%3F%20If%20data%20is%20properly%20encrypted%20I%20may%20not%20really%20need%20to%20be%20concerned%20at%20all%20about%20where%20it%20is%20properly%20stored.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEdit%3A%26nbsp%3B%3CBR%20%2F%3EOn%20the%20page%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-enterprise-sync-faq%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Edge%20enterprise%20sync%20FAQ%20%7C%20Microsoft%20Docs%3C%2FA%3E%26nbsp%3Bit%20mentions%20that%20open%20tab%20and%20history%20data%20are%20generated%20server%20side.%20Where%20is%20this%20data%20stored%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20see%20the%20language%20%22...%3CSPAN%3Edata%20for%20a%20tenant%20that%20is%20registered%20in%20the%20United%20States%20is%20stored%20in%20servers%20geo-located%20for%20that%20region%20and%20uses%20the%20same%20storage%20solution%20as%20Office%20applications.%22%2C%20but%20%22same%20storage%20solution%22%20is%20quite%20vague.%20It's%20could%20mean%20anything%20from%20%22it's%20saved%20in%20our%20GCC%20tenant's%20One%20Drive%20storage%20space%22%20to%20%22it's%20stored%20on%20the%20same%20brand%20SSD's%20that%20office%20applications%20use%22.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJames%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I am looking for a definitive statement on whether the Microsoft Edge sync data, for a GCC tenant, is stored in a FedRAMP compliant site, for the purposes of NIST 800-171 compliance. 

 

The pages in the Edge Deployment documentation state that GCC High is not supported, and I have seen references that the data is stored in the same country as the tenant, but no specifics beyond that.

 

Or, since the data is encrypted with AIP managed keys prior to leaving the user's machine, am I barking up the wrong tree? If data is properly encrypted I may not really need to be concerned at all about where it is properly stored.

 

Edit: 
On the page Microsoft Edge enterprise sync FAQ | Microsoft Docs it mentions that open tab and history data are generated server side. Where is this data stored?

 

I see the language "...data for a tenant that is registered in the United States is stored in servers geo-located for that region and uses the same storage solution as Office applications.", but "same storage solution" is quite vague. It's could mean anything from "it's saved in our GCC tenant's One Drive storage space" to "it's stored on the same brand SSD's that office applications use".

 

Thank you!

 

James

2 Replies

@James_Hoiby Hi!  I just spoke to the Sync Team and Microsoft Edge Sync service is not FedRAMP compliant.  Currently it is not in our short term roadmap.

 

I do not have information about your second question about where the data is stored but if I get additional insights from the team I'll follow up here.  Thanks! 

 

-Kelly