Support for DFARS in Microsoft 365 Government (GCC High)
Published Apr 11 2024 11:33 AM 1,775 Views
Microsoft

Microsoft is committed to U.S. Department of Defense (DoD) contractors and the Defense Industrial Base (DIB) by supporting the Defense Federal Acquisition Regulation Supplement (DFARS) requirements for the Microsoft 365 Government (GCC High) cloud service offering.

 

Microsoft 365 Government cloud offerings for GCC High meet the applicable requirements of the DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information). Specifically, the requirements within the Clause that are applicable to the Cloud Service Provider (CSP) and their commitment to fulfill these requirements.

 

The Third-Party Assessment Organization (3PAO), Kratos Defense & Security Solutions, conducted the annual assessment of the Office 365 GCC High system utilizing the FedRAMP High Baseline security controls. As part of the assessment, Kratos applied the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1 methodology to identify system risks based on likelihood, impact, and risk exposure. The results of the annual assessment were used to assess compliance of the Office 365 GCC High systems against the DFARS Clause 252.204-7012. This article identifies DFARS Clause 252.204-7012 requirements that align with the security controls tested by Kratos as part of the annual assessment, where applicable. Kratos has validated that Microsoft Office 365 GCC High satisfies the requirements as listed below:

 

  • Security requirements equivalent to the FedRAMP High baseline
    • Microsoft Office 365 GCC High achieved a FedRAMP Agency Authorization to Operate (ATO) at the High baseline in April 2020 and is maintained in its currency with annual assessments.  The Agency ATOs include but are not limited to the U.S. Department of Homeland Security (DHS), the U.S. Department of Justice (DoJ), the U.S. Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury.
    • For more information, please see 'Support for FedRAMP in Microsoft 365 Government (GCC High)'
  • Security requirements detailed in DFARS Clause 252.204-7012 for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment are met as follows:
    • The NIST SP 800-171, Revision 2 is the minimum-security standard for DFARS Clause 252.204-7012.
      • Federal Information Processing Standards (FIPS) Publication 199 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
      • FIPS Publication 200 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
      • NIST SP 800-53 Revision 4 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
      • NIST SP 800-60 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
      • NIST SP 800-61 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment.
    • DFARS Clause 252.204.7012 requires multifactor authentication (MFA) as the minimum-security standard- authentication. MFA has been validated as implemented and configured to comply with FIPS 140-2 requirements.

 

The requirements within the Clause that are applicable to the Office 365 GCC High system and the Cloud Service Provider’s commitment to fulfill these requirements are provided in the table below. The first column maps the DFARS Clause sub-headings, and the second column describes Microsoft and Office 365’s commitment to meeting that sub-heading.

 

DFARS Clause Requirements

Microsoft Commitment

(a) Definitions

*Section not applicable for attestation as its purpose is to provide definitions and context for the DFARS document.

(b) Requirements pertaining to provision of Adequate security

Microsoft maintains a FedRAMP High Agency ATO for the Office 365 GCC High SaaS and its services identified in the FedRAMP Marketplace and Microsoft’s Trust Center2. The latest annual assessment was completed between February and June 2022. The assessment ensured that the Office 365 GCC High system has implemented security requirements identified in the FedRAMP High Baseline and NIST SP 800-171, Revision 2, to provide adequate security.

(c) Cyber incident reporting requirement

Microsoft reports security incidents in accordance with the FedRAMP obligations and Microsoft’s contractual commitments.

 

  • Microsoft’s Product Terms (last updated in August 2022) includes the ‘Online Services Data Protection Addendum (DPA)’3 that contains Security Incident Notification covering breach of security and response measures that include notification of the impacted customer, investigation of the security incident, and providing the customer with detailed information about the incident. Additionally, these measures include taking reasonable steps to mitigate the effects and to minimize any damage resulting from the security incident.
  • The Office 365 Security Incident & Response (SIR) team provides centralized incident management and response for Office 365. Microsoft Office 365 GCC H’s System Security Plan (SSP) states that the notification timeline obligation starts when the official Security Incident declaration occurs. Office 365 SIR team reports incidents to designated authorities (including the United States Computer Emergency Readiness Team) consistently with NIST SP 800-61 Rev. 2 as documented in the Office 365 Security Incident Response Plan.
  • The Microsoft DPA indicates that whenever Microsoft becomes aware of a breach of security involving unauthorized loss, disclosure, or modification of customer data, Microsoft notifies affected customers within 72 hours4. The notification timeline commitment begins when the official security incident declaration occurs. Upon declaring a security incident, the notification process occurs as expeditiously as possible, without undue delay. Microsoft will provide an initial report to the customer for a declared Security Incident on the timelines provided in accordance with customer contractual commitments. Microsoft does not access Customer Data except to provide the service and does not examine Customer Data to determine if it is specifically regulated under Customer contracts with third parties. Microsoft will work with the Customer to identify any Customer Data involved in a Security Incident so that the Customer can determine if it meets the reporting obligations for “Cyber Incidents” under the DFARS.

(d) Malicious software

Microsoft works with Customers to submit malicious software found in Office 365 GCC High to the DoD Cyber Crime Center, when appropriate. Malicious software protection measures are in place for the Microsoft Office 365 GCC High system as follows –

 

  • Microsoft Office 365 GCC High assets are protected from malicious software using anti-malware software. Anti-malware software helps provide both preventive and detective control over malicious software. Anti-malware tools that detect files determined to be malicious sends alerts to the appropriate Microsoft personnel, triggering the incident response process.
  • Detection of malicious software may come from Vanquish, which conducts signature-based detection as well as smart alerts to provide alerts to Microsoft On-Call Engineers 24x7.Periodic anti-virus scans of the file system (at least weekly)
  • Real-time anti-virus scans of files as they are downloaded, opened, or executed.
  • Windows Defender host-based anti-malware agents that use signature and non-signature-based detection to detect malicious code.

 

From the 3PAO perspective, this relates directly to FedRAMP core control, SI-3, Malicious Code Protection. Kratos tested this control in the latest assessment completed in June 2022. The testing indicated that the control was fully implemented on the Office 365 GCC High system. Our results demonstrate that Microsoft utilizes several tools for malicious code protection as follows:

 

  • System Center Endpoint Protection (SCEP), Windows Defender, and Forefront Endpoint Protection (FEP) or Microsoft Endpoint Protection (MEP) are installed as part of the initial build on all O365 GCC High assets. These tools implement host based malicious code protection mechanisms to detect the presence and contain malicious code. In addition to signature-based detection mechanisms, these tools also utilize behavior monitoring, network inspection, and/or heuristics to detect malicious code that may be missed by signature-based methods. This control will be re-evaluated on an annual basis.

(e) Media preservation and protection

Microsoft preserves and protects Customer Data in accordance with the Product Terms. Except for free trials, Microsoft will retain Customer Data stored in the Online Service in a limited function account for 90 days after expiration, or termination of Customer’s subscription so that Customer may extract the data.

 

  • Any physical or virtual systems impacted by Security Incidents are treated in accordance with Microsoft’s incident response processes, which are assessed annually by the independent 3PAO.
  • The Office 365 Security Incident Response Plan addresses preservation of evidence during the triage events. The O365 SIR team is comprised of security investigators with industry leading subject matter expertise in evidence gathering and forensic investigation. The SIR team will drive the process of identifying, acquiring, and preserving the data. For all investigation matters involving legal chain of custody and evidentiary preservation in support of law enforcement engagement, the O365 SIR team consults with internal groups such as Corporate External Legal Affairs (CELA)and leverage their capabilities. Preservation of evidence occurs in a secure location as constrained by customer contracts and federal regulations.
  • Office 365 audit policy requires audit log retention for one year. Audit log data is retained in Microsoft’s Cosmos data repository which prevents modification of log data. Microsoft policy requires preservation and protection of all relevant forensic data of known affected information systems in support of an incident. Any relevant monitoring/packet capture data must be gathered and retained by the Customer.
  • Microsoft commitments regarding Security Incident notification would continue to support preservation and access to preserved forensics.

 

From the 3PAO perspective, this relates to various controls under Incident Response (IR) and Media Protection (MP), which are tested as part of annual assessments to validate the controls are implemented and provide the commensurate level of protections.

(f) Access to additional information or equipment necessary for forensic analysis

Microsoft makes commitment in the Product Terms to provide detailed information to customers, agencies, and DoD upon request.

 

  • Per the Product Terms for the ‘Online Services DPA’, “Security Incident Notification”, if Microsoft becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, Professional Services Data, or Personal Data while processed by Microsoft (each a “Security Incident”), Microsoft will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

(g) Cyber incident damage assessment activities

Microsoft supports its customers with the damage assessment activities to investigate the cyber incident. Audit and monitoring data are retained for at least 90 days to support investigation of security incidents.

(h) DoD safeguarding and use of contractor attributional/proprietary information

*Not applicable for the attestation, as the onus is on the DoD for this requirement.

(i) Use and release of contractor attributional/proprietary information not created by or for DoD

*Not applicable for the attestation, as the onus is on the DoD for this requirement.

(j) Use and release of contractor attributional/proprietary information created by or for DoD

*Not applicable for the attestation, as the onus is on the DoD for this requirement.

(k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.

Kratos has validated that all in-scope applicable laws and regulations covered by FedRAMP (and other) authorizations are being met as it pertains to the interception, monitoring, access, use, and disclosure of electronic communications and data. For details, as it pertains to customers, refer to the publicly available Microsoft Product Terms and service level agreements.

(l) Other safeguarding or reporting requirements

Microsoft requires all contractors and subcontractors to safeguard data and report cyber incidents as with prescribed methods and timelines defined by Microsoft policies and procedures, whether pertaining to its unclassified information systems (as required by other applicable clauses) or because of other applicable U.S. Government statutory or regulatory requirements.

(m) Subcontracts

While this portion is only applicable to Government contracts, Microsoft maintains commitment in meeting the requirement of inclusion of the required language regarding DFARS Clause 252.204-7012 in contracts and sub-contracts.

 

Microsoft 365 Government cloud offering for GCC High have been validated by independent, third-party attestation and provide our DIB and defense contractor customers services designed to meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to CSPs. Defense contractors required to include the DFARS clause 252.204-7012 in contracts can have confidence that Microsoft is able to accept the flow down terms applicable to cloud service providers (CSPs) covered by our FedRAMP authorizations. This is significant as the DoD and its mission partners continue to expand adoption of commercial cloud computing in support of contracts for programs and mission systems.

 

Appendix

 

Please follow me here and on LinkedIn. Here are my additional blog articles:

 

Blog Title

Aka Link

New! ND-ISAC MSCloud - Reference Identity Architectures for the US Defense Industrial Base

https://aka.ms/ND-ISAC/IdentityWP 

Microsoft CMMC Acceleration Update

https://aka.ms/CMMC/Acceleration

History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government

https://aka.ms/USSovereignCloud

Gold Standard! Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

https://aka.ms/MSGovCompliance

New! Support for FedRAMP in Microsoft 365 Government (GCC High)

https://aka.ms/FedRAMPGCCH 

Microsoft Expands Support for the DIB – Announcing Support for DFARS in Microsoft 365 Government (GCC)

https://aka.ms/DFARsGCC

The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In

https://aka.ms/AA6frar

Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants

https://aka.ms/AA6seih

Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants

https://aka.ms/AA6vf3n

Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring

https://aka.ms/AA6xn69

Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty

https://aka.ms/CUISovereignty

Microsoft expands qualification of contractors for government cloud offerings

https://aka.ms/GovCloudEligibility 

Co-Authors
Version history
Last update:
‎Apr 11 2024 11:02 AM
Updated by: