Support for FedRAMP in Microsoft 365 Government (GCC High)

Executive Summary

The U.S. Department of Defense (DoD) Federal Acquisition Regulation supplement (DFARs) 252.204-7012 requires Cloud Service Providers (CSP) to meet a baseline for compliance. CSPs must support DFARs 7012 flow down contract clauses to safeguard Controlled Unclassified Information (CUI) against unauthorized disclosure. CSPs must also provide cloud solutions that are Federal Risk and Authorization Management Program (FedRAMP) Moderate (or High) authorized or cloud solutions that can demonstrate FedRAMP Moderate ‘Equivalency’.

Microsoft 365 Government (GCC High) has completed multiple FedRAMP High impact level audits, meets security and compliance requirements outlined by the U.S. Federal Government and DoD, and is actively servicing Agency ATOs (e.g. DHS, DoJ, FBI, etc.)  Microsoft's GCC High accreditation package has been successfully assessed by Kratos Defense & Security Solutions, a FedRAMP authorized Third-Party Assessment Organization (3PAO), and industry leader. Additionally, Microsoft is engaged with the FedRAMP Program Management Office (PMO) to address any outstanding administrative concerns that the government or customers may have.

To demonstrate our commitment, we currently support Flow-Downs for DFARs 7012 in GCC High and in Azure Government.  This translates to helping customers demonstrate DFARs 7012 compliance in the U.S. Sovereign Cloud.  This includes DFARs 7012 alignment with the U.S. National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171 in a shared responsibility model with the Customer. The remainder of this article discusses the FedRAMP Status of Office 365 GCC High and Azure Government.

For more information beyond FedRAMP, view my other blog article:  https://aka.ms/MSGovCompliance

Office 365 and Azure – Two Parts of the FedRAMP Solution

Cloud services bundled together in Microsoft 365 Government (GCC High) are split into two separate sets of authorizations, Office 365 and Azure.

The Office 365 productivity services include:

All other services fall under Azure including (but not limited to) :

FedRAMP for Azure

The U.S. government established FedRAMP to reduce redundant work by government agencies, to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA), and to accelerate Federal agencies’ adoption of secure cloud solutions.

You can demonstrate compliance with the FedRAMP High Impact Level in both Azure Commercial and Azure Government.  Azure Commercial and Azure Government each have a Provisional Authorization to Operate (P-ATO) from the FedRAMP Program Management Office (PMO) and the Joint Authorization Board (JAB retired 2024). The PMO is the primary governance and decision-making body for FedRAMP. Representatives from the Department of Defense, the Department of Homeland Security, and the General Services Administration serve on the PMO board. The PMO grants a P-ATO to Cloud Service Providers (CSP) that have demonstrated FedRAMP compliance and chose not to pursue an Agency ATO.

You can find a full list of Azure services that meet the requirements of FedRAMP High in the Azure compliance scope documentation.

There are over 140 Azure services covered by the FedRAMP High P-ATO in Azure Government.  You may even observe that Dynamics 365 Government (GCC High) falls under the scope of the Azure Government P-ATO in the FedRAMP Marketplace where the P-ATO in the is recognized as ‘Authorized’ by the FedRAMP PMO.

For more information, please reference:

• Microsoft FedRAMP Documentation (https://aka.ms/fedramp)
• FedRAMP Package F1603087869:  Azure Commercial Cloud | FedRAMP Marketplace
• FedRAMP Package F1209051525:  Azure Government (includes Dynamics 365) | FedRAMP Marketplace

FedRAMP Moderate for Office 365

The FedRAMP Marketplace for ‘Microsoft - Office 365 Multi-Tenant & Supporting Services’ lists our package for Office 365 GCC (not GCC High) with Agency ATOs from over 30 different Federal Government Agencies for the FedRAMP Moderate Impact Level.  In brief, this means the FedRAMP PMO has completed its review of one or more Agency ATOs. It also indicates the FedRAMP PMO is satisfied that Microsoft meets the FedRAMP requirements and had earned a listing on the Marketplace as ‘Authorized’. With the Agency ATOs in place, the FedRAMP PMO will not complete a P-ATO for Office 365 as that would be redundant to Agencies’ work.

FedRAMP ‘Equivalency’ in Office 365

You can demonstrate compliance with the FedRAMP High Impact Level in Office 365 GCC High.  In fact, you can demonstrate FedRAMP High compliance in all Microsoft cloud offerings (in scope of this article).  At the time of this writing, we successfully completed multiple FedRAMP High Impact Level audits, including Security Assessment Reports (SAR).  This is sufficient for purposes of us advertising FedRAMP High ‘Equivalency’, as it completes Microsoft's scope of responsibility towards FedRAMP authorization for a Federal Agency ATO. The FedRAMP PMO now has the task to review the Agencies ATOs and Microsoft’s submitted Body of Evidence (BOE).

We advertise that we have FedRAMP High ‘equivalency’ in Office 365.  Microsoft validates the controls for Office  365 into FedRAMP holistically because we operate all instances of Office 365 employing a consistent control framework and uniform implementations of controls based on NIST SP 800-53, Revision 5 - a requirement of FedRAMP.

We have several Federal Agencies actively deployed in GCC High, demonstrating compliance with FedRAMP High.  The Agency ATOs include but are not limited to the U.S. Department of Homeland Security (DHS), the U.S. Department of Justice (DoJ), the U.S. Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury.

For more information, please reference:

• Microsoft FedRAMP Documentation (https://aka.ms/fedramp)
• FedRAMP Package MSO365MT:  Office 365 Multi-Tenant & Supporting Services | FedRAMP Marketplace
• FedRAMP Package FR1824057433:  Microsoft Office 365 GCC High | FedRAMP Marketplace

3PAO Assessment

The Third-Party Assessment Organization (3PAO), Kratos Defense & Security Solutions, conducted the annual assessment of the Office 365 GCC High system utilizing the FedRAMP High Baseline security controls. As part of the assessment, Kratos applied the NIST SP 800-30, Revision 1 methodology to identify system risks based on likelihood, impact, and risk exposure.  

Microsoft Office 365 GCC High achieved a FedRAMP Agency ATO at the High baseline and is maintained in its currency with annual assessments.  The security requirements for FedRAMP High are met as follows:

• NIST SP 800-53 Revision 4 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
• Federal Information Processing Standards (FIPS) Publication 199 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
• FIPS Publication 200 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
• NIST SP 800-60 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
• NIST SP 800-61 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment

The result of the 3PAO assessment includes a Security Assessment Report (SAR), a Security Assessment Plan (SAP) and letters of attestation found in the Body of Evidence.

Body of Evidence

The Body of Evidence (BoE) is defined as the supporting documentation for a cloud service provider to demonstrate compliance with the FedRAMP security control baseline through an assessment conducted by a FedRAMP-recognized 3PAO.

For more information on the specific requirements for a BoE, please review the U.S. Department of Defense memorandum for ‘FedRAMP Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings’.  Office 365 GCC High and Azure Government’s BoE’s include the following in alignment with the memo:

• SSP: The System Security Plan provides an overview of the security requirements for the Cloud Services and describes the controls in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed or stored by the system.
• CIS & CRM: The Control Implementation Summary report includes control implementation responsibility and implementation status of the FedRAMP security controls.  Also included in the CIS is an Excel spreadsheet for the Customer Responsibility Matrix.  The CRM identifies what controls are inherited from the cloud service provider, versus those controls that are the responsibility of the customer (tenant owner).  Most importantly, the CRM identified the controls that are shared responsibility of both the CSP and the customer.
• SAR: The Security Assessment Report is generated by the 3PAO during the annual assessment.
• SAP: The Security Assessment Plan (SAP) lists the scope and security controls selected for annual assessment by the 3PAO.
• Penetration Testing Report: Cloud penetration testing report produced by Azure FedRAMP High and DoD SRG compliance program.
• DFARs Compliance Attestation Letter:  Attestation of Compliance with Defense Federal Acquisition Regulation Supplement (DFARs) clause 252.204-7012.
• CMMC Compliance Attestation Letter:  Attestation of Compliance with Cybersecurity Maturity Model Certification (CMMC) Requirements.

The BoE is considered highly sensitive and confidential information.  Historically, many CSPs have not been willing to share their BoE with customers.  However, Microsoft is transparent and will allow for customers to access the BoE under a Non-Disclosure Agreement (NDA). 

To request the BoE, you must be a customer and make an E-mail request to:

• Office 365 GCC High: O365FedRAMP@microsoft.com
• Azure Government: AzFedDoc@microsoft.com

Note: If you have your Microsoft NDA handy and can provide the document ID, it can save time during the request.

DoD Memo for FedRAMP Moderate ‘Equivalency’

The DoD memorandum for ‘FedRAMP Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings’ establishes the definition of ‘Equivalency’.  Please note the second paragraph of the memo:

This memorandum does not apply to Cloud Service Offerings (CSOs) that are FedRAMP Moderate Authorized under the existing FedRAMP process.

With this established, any cloud service that falls under the Azure Government P-ATO is fully covered and advertised in the FedRAMP Marketplace as ‘Authorized’. 

For the Office 365 GCC High cloud services, we can demonstrate compliance with FedRAMP Moderate ‘Equivalency’ with our BoE in the manner the memo describes.  Fundamentally, the memo requires a CSP to do all the activities leading to a FedRAMP Agency ATO or P-ATO, minus the FedRAMP PMO’s review. Microsoft has done the FedRAMP Agency ATO process numerous times and is in the process of finishing the PMO’s review. Microsoft’s BOE will suffice to meet any FedRAMP Moderate equivalency review by assessors and members of the Defense Industrial Base.

DFARs 7012 and NIST SP 800-171 in GCC High and Azure Government

Microsoft supports Flow-Downs for DFARs 7012 in GCC High and in Azure Government.  This translates to a commitment where we demonstrate DFARs 7012 compliance in the U.S. Sovereign Cloud.  This includes DFARs 7012 alignment with NIST SP 800-171 in a shared responsibility model with the Customer.

For more information, please see my other blog ‘Support for DFARs in Microsoft 365 Government (GCC High)’.

Microsoft Federal Successfully Completed a Voluntary CMMC Assessment

Microsoft is demonstrating its continued commitment to the U.S. DoD and DIB with our successful completion of a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Joint Surveillance Voluntary Assessment Program (JSVAP). Microsoft operates its U.S. Federal business out of the Microsoft 365 Government (GCC High) and Azure Government U.S. Sovereign cloud. We leverage the same security and monitoring suite available to all our customers in this environment. DIBCAC and Redspin, a Certified 3rd Party Assessment Organization (C3PAO), completed their assessments and awarded Microsoft with a perfect 110-point score. This DIBCAC High certificate will be converted into a Cybersecurity Maturity Model Certification (CMMC) Level 2 accreditation as federal rulemaking allows.

For more information, please see the blog ‘Microsoft Federal Successfully Completes Voluntary CMMC Assessment’

Also note that many of the C3PAOs passed their own DIBCAC High assessments leveraging Microsoft’s U.S. Sovereign cloud with Microsoft 365 Government (GCC High) and Azure Government.

Appendix

Please follow me here and on LinkedIn. Here are my additional blog articles: