Aug 24 2020 02:48 PM
Costs for GCC High O365 licenses are roughly double commercial. What is Microsoft doing to lower these costs? They are crippling small businesses that need to comply with CMMC & DFARS compliance requirements.
Aug 28 2020 04:14 PM - edited Aug 28 2020 06:17 PM
Solution
@M_Titcombe Howdy! Thank you for your interest in GCC High. GCC High was purpose built to meet the specific needs of customers who have strict requirements for US export control and desire a contractual commitment from their CSP for the same. Microsoft only offers a contractual commitment to ITAR in O365 GCC High & Azure Government. US Does your customer have such a requirement? If no, then they may be able to use GCC or perhaps even Commercial services (depending on requirements). If they do have an ITAR requirement but don't need a contractual commitment from their CSP, then there may be multiple ways to satisfy the requirement outside of GCC High. They may be able to use compensating controls and manage their risk. Here are a few examples of compensating controls:
- segregate the export controlled data and maintain it on-premises
- create a "data enclave" to house export control data in GCC High or Azure Government
- use client-side end-2-end encryption like AIP HYOK and/or S/MIME
This said, there may be significant cost (financial, utility or performance) to using compensating controls so please weigh them accordingly.
I hope this helps! Please feel free to reach out to me privately for any clarifications :)
Sep 02 2020 03:58 AM
@Paul Meacham - I would also add that pros and cons to compensating controls should be weighed in addition to cost.
With compensating controls, administration complexity and security practice complexity also increase. In addition to complexity in design and management, you may be losing cloud service capabilities.
Sep 02 2020 05:21 AM