Microsoft is committed to U.S. Department of Defense (DoD) contractors and the Defense Industrial Base (DIB) by supporting the Defense Federal Acquisition Regulation Supplement (DFARS) requirements for the Microsoft 365 Government (GCC High) cloud service offering.
Microsoft 365 Government cloud offerings for GCC High meet the applicable requirements of DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information), specifically the requirements within the Clause that apply to the Cloud Service Provider (CSP), together with Microsoft's commitment to fulfill them.
The Third-Party Assessment Organization (3PAO), Kratos Defense & Security Solutions, conducted the annual assessment of the Office 365 GCC High system utilizing the FedRAMP High Baseline security controls. As part of the assessment, Kratos applied the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1 methodology to identify system risks based on likelihood, impact, and risk exposure. The results of the annual assessment were used to assess compliance of the Office 365 GCC High systems against the DFARS Clause 252.204-7012. This article identifies DFARS Clause 252.204-7012 requirements that align with the security controls tested by Kratos as part of the annual assessment, where applicable. Kratos has validated that Microsoft Office 365 GCC High satisfies the requirements as listed below:
The requirements within the Clause that are applicable to the Office 365 GCC High system and the Cloud Service Provider’s commitment to fulfill these requirements are provided in the table below. The first column maps the DFARS Clause sub-headings, and the second column describes Microsoft and Office 365’s commitment to meeting that sub-heading.
| DFARS Clause Requirements | Microsoft Commitment |
| --- | --- |
| (a) Definitions | Section not applicable for attestation, as its purpose is to provide definitions and context for the DFARS document. |
| (b) Requirements pertaining to provision of adequate security | Microsoft maintains a FedRAMP High Agency ATO for the Office 365 GCC High SaaS and its services identified in the FedRAMP Marketplace and Microsoft's Trust Center. The latest annual assessment was completed between February and June 2022. The assessment ensured that the Office 365 GCC High system has implemented the security requirements identified in the FedRAMP High Baseline and NIST SP 800-171, Revision 2, to provide adequate security. |
| (c) Cyber incident reporting requirement | Microsoft reports security incidents in accordance with its FedRAMP obligations and Microsoft's contractual commitments. |
| (d) Malicious software | Microsoft works with customers to submit malicious software found in Office 365 GCC High to the DoD Cyber Crime Center, when appropriate. Malicious software protection measures are in place for the Microsoft Office 365 GCC High system as follows – From the 3PAO perspective, this relates directly to the FedRAMP core control SI-3, Malicious Code Protection. Kratos tested this control in the latest assessment, completed in June 2022. The testing indicated that the control was fully implemented on the Office 365 GCC High system. Our results demonstrate that Microsoft utilizes several tools for malicious code protection as follows: |
| (e) Media preservation and protection | Microsoft preserves and protects Customer Data in accordance with the Product Terms. Except for free trials, Microsoft will retain Customer Data stored in the Online Service in a limited-function account for 90 days after expiration or termination of the Customer's subscription so that the Customer may extract the data. From the 3PAO perspective, this relates to various controls under Incident Response (IR) and Media Protection (MP), which are tested as part of annual assessments to validate that the controls are implemented and provide the commensurate level of protection. |
| (f) Access to additional information or equipment necessary for forensic analysis | Microsoft commits in the Product Terms to provide detailed information to customers, agencies, and the DoD upon request. |
| (g) Cyber incident damage assessment activities | Microsoft supports its customers with damage assessment activities to investigate a cyber incident. Audit and monitoring data are retained for at least 90 days to support the investigation of security incidents. |
| (h) DoD safeguarding and use of contractor attributional/proprietary information | Not applicable for the attestation, as the onus is on the DoD for this requirement. |
| (i) Use and release of contractor attributional/proprietary information not created by or for DoD | Not applicable for the attestation, as the onus is on the DoD for this requirement. |
| (j) Use and release of contractor attributional/proprietary information created by or for DoD | Not applicable for the attestation, as the onus is on the DoD for this requirement. |
| (k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data. | Kratos has validated that all in-scope applicable laws and regulations covered by FedRAMP (and other) authorizations are being met as they pertain to the interception, monitoring, access, use, and disclosure of electronic communications and data. For details as they pertain to customers, refer to the publicly available Microsoft Product Terms and service level agreements. |
| (l) Other safeguarding or reporting requirements | Microsoft requires all contractors and subcontractors to safeguard data and report cyber incidents in accordance with the prescribed methods and timelines defined by Microsoft policies and procedures, whether pertaining to its unclassified information systems (as required by other applicable clauses) or because of other applicable U.S. Government statutory or regulatory requirements. |
| (m) Subcontracts | While this portion is only applicable to Government contracts, Microsoft maintains its commitment to include the required language regarding DFARS Clause 252.204-7012 in contracts and subcontracts. |
The Microsoft 365 Government cloud offering for GCC High has been validated by independent, third-party attestation and provides our DIB and defense contractor customers with services designed to meet the DFARS requirements enumerated in DFARS Clause 252.204-7012 that apply to CSPs. Defense contractors required to include DFARS Clause 252.204-7012 in their contracts can have confidence that Microsoft is able to accept the flow-down terms applicable to cloud service providers (CSPs) covered by our FedRAMP authorizations. This is significant as the DoD and its mission partners continue to expand adoption of commercial cloud computing in support of contracts for programs and mission systems.