How to Get Validation for Microsoft Government Cloud Solutions

For public sector entities seeking to utilize Microsoft's cloud services tailored for government use, such as Microsoft 365 Government Community Cloud (GCC) or Microsoft 365 Government Community Cloud High (GCC High), undergoing a validation procedure with Microsoft is imperative.

This validation process ensures that your organization aligns with the requisite compliance standards necessary for the utilization of these specialized cloud services.

This guide will walk you through the steps to obtain approval from Microsoft, granting you access to their government-centric cloud offerings.

Eligibility Criteria for Microsoft Government Cloud (GCC or GCC High)

To ensure the security and compliance of Microsoft Government Cloud (GCC or GCC High), there are specific criteria that customers must meet.

These criteria help to ensure that only eligible organizations can access and utilize the government-specific cloud services provided by Microsoft:

1. Government-Controlled Data: Customers must be organizations that handle government-controlled data. This includes US federal, state, local, or tribal government entities.
2. US Government Entity: Customers can be approved if they are a US government entity in its governmental capacity. This includes federal agencies, state/local entities, tribal entities, and regional or interstate government entities (excluding international entities).
3. Federally Funded Research and Development Center (FERDC): Customers that are FERDCs are also eligible for Microsoft Government Cloud (GCC or GCC High).
4. Commercial Private Entity: Commercial private entities can be approved if they have data subject to government regulations. Accepted government data types include International Traffic in Arms (ITAR), Controlled Unclassified Information (CUI), Department of Defense (DoD) Unclassified Controlled Nuclear Information (UCNI), Department of Energy (DoE) UCNI, Criminal Justice Information (CJI), Department of Defense Impact Level Data, and other types of data that require Azure Government.

By meeting these criteria, partners and customers can gain access to the secure and compliant Microsoft Government Cloud (GCC or GCC High) services. These services are specifically designed to meet the unique needs and regulatory requirements of government entities and organizations handling government-controlled data.

Step 1: Understand the Criteria

Prior to embarking on the validation journey, it is crucial to gain a comprehensive understanding of the criteria governing the usage of Microsoft's government cloud services. These criteria are established to safeguard the security and compliance of sensitive government data.

Familiarize yourself with the specific regulatory standards and requirements applicable to your organization, such as:

• Criminal Justice Information (CJI)
• Controlled Unclassified Information (CUI)
• Defense Federal Acquisition Regulation Supplement (DFARS)
• International Traffic in Arms Regulations (ITAR)
• and others

Step 2: Opt for the Validation Classification

Microsoft provides diverse validation categories based on the nature of the organization and the level of involvement with government data.

Select the category that aligns most closely with your organization:

• S. Federal, State, Local, or Tribal government entity: Opt for this category if you are a government entity seeking validation for Microsoft 365 GCC Moderate.
• Solution provider serving U.S. federal, state, local, or tribal government entities: Choose this category if you are a Microsoft partner aiming to qualify for programs mandating government validation.
• Customers managing government-controlled data: This category is designed for organizations handling government-controlled data and necessitating Microsoft 365 GCC High.

Step 3: Supply Organizational and Contact Details

During this step, furnish your organization's information and contact particulars. Ensure the accuracy and currency of the provided information to facilitate a streamlined validation process by Microsoft.

Step 4: Supplementary Information

For GCC

For those selecting the "U.S. Federal, State, Local, or Tribal government entity" category, confirm your company's registration with any government programs. Furnish the required information based on your registration status and any relevant programs your organization is associated with.

For GCC High

If your organization deals with government-controlled data and falls under the corresponding category, confirm your company's registration with specific government programs. Additionally, specify whether your organization holds data subject to government regulation. Provide precise details regarding your registration status and the types of data your organization manages.

Step 5: Small Business Association Registration

If your organization is registered with the Small Business Association (SBA), indicate the pertinent registration type. The SBA offers various programs to aid small businesses in securing federal contracts, such as 8(a) Business, HubZone, Women-Owned Small Business (WOSB), Service-Disabled Veteran-Owned Small Business (SDVOSB), and more. Specify the appropriate registration type based on your eligibility.

Step 6: Submit the Eligibility Intake Form

Upon completing all requisite information, submit the eligibility intake form to Microsoft. This form will undergo review by Microsoft's validation team, who will evaluate your organization's compliance and eligibility for utilizing their government cloud services.

Step 7: Documentation and Approval

After filling out the application for validation by Microsoft for Government Cloud solutions, there are a few important steps to take to ensure a smooth process.

Depending on your eligibility, Microsoft may request specific documentation to verify your status. It is important to gather the necessary documents to expedite the validation process. Here are the four options for documentation:

1. Option 1: If you have a valid CAGE Code or full SAM Registration, provide this information to determine your eligibility to do business with the U.S. Government. You can obtain a CAGE Code or register with SAM (System for Award Management) at sam.gov.
2. Option 2: If you have a contract that includes ITAR (International Traffic in Arms Regulations), Export Controlled, CUI (Controlled Unclassified Information), or DFARS 7012 requirements, submit a copy of the contract as documentation.
3. Option 3: If you have a sponsorship letter signed by a government official, attach this letter to your application. Microsoft has provided an example sponsorship letter for your reference.
4. Option 4: If you have any other documentation that proves your status as a Category 1 U.S. entity, provide this documentation to support your eligibility.

After submitting your application and required documentation, Microsoft will review your information. Please note that Microsoft often experiences delays, so it may take 1-3 weeks to receive a Category 1-3 eligibility approval notice.

We recommend starting the process as soon as possible to allow for sufficient processing time.

Once you receive the approval notice, it is valid for a period of 3 years. During this time, you will be eligible to access and utilize Microsoft Government Cloud solutions.

Let us help with your validation process

By following these steps and providing precise information, you are well on your way to obtaining approval from Microsoft for their government cloud solutions. Once validated, you can confidently utilize Microsoft 365 GCC or GCC High in adherence to your organization's specific requirements.

For further insights into government cloud validation and assistance in navigating the process successfully, contact us today.