What is Microsoft 365 GCC?
"GCC" stands for Government Community Cloud. Microsoft 365 GCC is a Microsoft cloud service offering built on Azure Commercial infrastructure, but logically separated from commercial Office 365 so that it falls within Microsoft's government accreditation boundary. Microsoft 365 GCC is authorized at the FedRAMP High baseline and, as of February 2021, meets the flow-down requirements of DFARS 7012, which allows contractors that handle Controlled Unclassified Information (CUI) on behalf of the Department of Defense (DoD) to use the platform.
Microsoft 365 GCC was originally intended for public sector organizations such as state agencies and municipalities, but it also suits some federal agencies because it meets DoD Cloud Computing SRG Impact Level 2. Certain DoD contractors may now elect to use Microsoft 365 GCC, but they will need to weigh the business risk factors discussed in a later section below.
Microsoft 365 GCC Data Centers and Residency
All GCC tenants and their contents reside in Microsoft's US data centers within the following 10 regions: Central US, East US, East US 2, East US 3 (coming soon in Georgia), North Central US, South Central US, West Central US, West US, West US 2 and West US 3 (coming soon in Arizona). As indicated by the 'US' in each name, all of these data centers sit in the US regions of the Azure public cloud. Microsoft also conducts thorough background checks and investigations on all of its administrators, technicians and architects to ensure they are US citizens with seven years of US employment history and no recent criminal activity.
Can You Meet CMMC 2.0 in Microsoft 365 GCC?
Microsoft has for years recommended Microsoft 365 GCC High for DFARS 7012 compliance and continues to recommend it for companies looking to meet CMMC Levels 2-3. Nevertheless, a company should be able to meet the applicable CMMC 2.0 Level 2 requirements in Microsoft 365 GCC through proper configuration, provided it considers the following business risk factors.
- Does your company hold, or could it eventually possess, ITAR or NOFORN data? If so, Microsoft explicitly states that Microsoft 365 GCC does not support ITAR requirements and that ITAR does not fall within its accreditation boundary. As Microsoft's Richard Wakeman discusses in one of his recent blogs, GCC customer data resides in the US, but the environment is not fully sovereign: certain products and applications within the broader Microsoft 365 suite (current and future) are not guaranteed to be hosted on US infrastructure or serviced by US persons.
- A follow-on consideration is the doubled expense of migrating, configuring and implementing a compliant environment a second time if your company later has to switch to GCC High for ITAR or other reasons. Many businesses already find it difficult to budget for CMMC compliance, and repeating the same level of effort to bring another environment to the same maturity level is a real cost.
Be aware that portions of the GCC and Commercial infrastructure (preview and beta capabilities) are released at a much faster rate, which makes it difficult, and in some cases impossible, to turn those capabilities off. Likewise, the integration options available in GCC can easily put you in a non-compliant position unless you exercise stringent change control and monitoring over every integration with your environment.
Download the one-page Microsoft 365 GCC vs GCC High Reference Guide to discuss these reasons and more internally when deciding between the different 'versions' of the platform. NOTE: CMMC requirements are established in the DFARS 7021 clause.
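One concrete way to keep integrations under change control is to inventory the OAuth consent grants in the tenant on a schedule and diff them against a baseline. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the caller holds a directory reader role. The watch list of "sensitive" scopes is a hypothetical starting point you should replace with your own data-handling policy. GCC authenticates against the global Graph endpoints, so no `-Environment` switch is needed; a GCC High tenant would add `-Environment USGov` to `Connect-MgGraph`.

```powershell
# Added example (not from the original post): inventory delegated OAuth consent
# grants so third-party integrations surface in change control and monitoring.
# Assumes the Microsoft.Graph SDK is installed and the caller can read the directory.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

# GCC uses the global endpoints; GCC High would need -Environment USGov here.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome
$tenantId = (Get-MgContext).TenantId

# Hypothetical watch list of delegated permissions that expose content; adjust to policy.
$sensitiveScopes = @("Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                     "Sites.Read.All", "Sites.ReadWrite.All", "Directory.Read.All")

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    # The client is the service principal that received consent.
    $client = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
    [pscustomobject]@{
        App         = $client.DisplayName
        AppId       = $client.AppId
        # Apps registered by another organization are third-party integrations.
        ThirdParty  = $client.AppOwnerOrganizationId -ne $tenantId
        # AllPrincipals means an admin consented on behalf of every user.
        ConsentType = $grant.ConsentType
        Scopes      = ($scopes -join ',')
        Sensitive   = [bool]($scopes | Where-Object { $sensitiveScopes -contains $_ })
    }
}

# Surface tenant-wide grants to apps you do not own that can read or export content.
$report |
    Where-Object { $_.ThirdParty -and $_.ConsentType -eq 'AllPrincipals' -and $_.Sensitive } |
    Sort-Object App | Format-Table App, AppId, Scopes -AutoSize

# Keep the full inventory as a dated baseline so the next run can be diffed against it.
$report | Export-Csv -Path ".\oauth-grants-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run this from a workstation that is itself in scope for your CMMC boundary, and feed the flagged rows into the same change-control ticketing you use for configuration changes; application-only (app role) assignments are a separate object type and would need a second query over `Get-MgServicePrincipalAppRoleAssignment`.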
Can You Meet DFARS 7012 in Microsoft 365 GCC?
As mentioned above, Microsoft has advocated for GCC High as the cloud platform for DoD contractors and DFARS 7012 compliance. Although both GCC and GCC High have met FedRAMP requirements, and therefore paragraph (b) of DFARS 7012, paragraphs (c) through (g) previously eliminated GCC as a viable option for contractors.
The DoD explicitly requires access to source files, information systems and their associated architectures, log data and similar material for analysis in the event of a cyber incident. Because of the shared resource model of cloud services, Microsoft originally set out to meet these requirements in separate data centers and segregated architectures aligned to GCC High and Azure Government. Through newly established media protection and preservation processes at Azure Commercial data centers, these requirements can now be met in GCC as well. In fact, you can request an attestation of compliance with the applicable DFARS 7012 paragraphs (i.e. not for the NIST SP 800-171 requirements) by submitting a support ticket to Microsoft.
Lastly, Microsoft has a robust set of teams and procedures for incident management, communication and recovery, including the Microsoft Security Response Center (MSRC), the Microsoft Cyber Defense Operations Center (CDOC) and the Office 365 Security and Response (SIR) team.
Microsoft 365 GCC Service Descriptions and Parity
Microsoft 365 GCC has many of the same features and Office 365 applications as the commercial Microsoft 365 cloud, including SharePoint Online, Teams, Exchange Online and OneDrive for Business. Additionally, Microsoft Teams allows meetings and collaboration between users on GCC and commercial tenants, and Teams on GCC also supports Live Events. The following Licensing Guide gives a breakdown of some features and products available on the platform. We will update and expand this section over the coming weeks and months.
Teams in Microsoft 365 GCC
Teams for Office 365 GCC, hosted in Azure Commercial, became available in the summer of 2018 and has grown to close feature parity with the commercial Teams offering. The most noticeable remaining gap is the lack of B2B capabilities with GCC High and DoD tenants; B2B with those offerings is on the Microsoft roadmap but is not expected this year. Unlike the GCC High Teams service, audio conferencing and direct dialing are generally available without additional configuration or a SIP provider. Teams in GCC is included with the following licenses:
- Office 365 E1/G1 or E3/G3 or E5/G5
- Microsoft 365 F1 or F3
- Microsoft 365 E3/G3 or E5/G5
Some of the latest features released for Teams in GCC include Breakout Rooms, meeting recordings saved to OneDrive, and meeting reactions (e.g. the heart button).
Enterprise Mobility and Security in Microsoft 365 GCC
Summit 7 recently published a blog on the Microsoft Defender suite with a supporting video from Microsoft's Matt Soseman that highlights the various products, their features and how they meet CMMC 2.0 and DFARS requirements. Beyond that content, there are several data points you should be aware of. First, the Office 365 and Microsoft 365 E5/G5 licenses include Azure AD Premium P2 and Azure Information Protection, but not Microsoft Cloud App Security (MCAS) or Azure ATP (now known as Microsoft Defender for Identity); you must purchase those two separately as add-ons.
Microsoft Defender for Office 365
Recent releases that are out or in process for Microsoft Defender for Office 365 (MDO365) in GCC include customizable quarantine notifications and alerts, and the ability to customize automated investigations and suppress unnecessary alerts. One of the most anticipated MDO365 features for GCC is Safe Links in Microsoft Teams, which scans and protects users from malicious links shared in Teams; it is expected in early 2021.
Microsoft Defender for Identity
Currently, the only commercial Defender for Identity features not available in GCC and GCC High are two integrations: the integration with Microsoft Defender for Endpoint and the VPN integration, both of which are in the backlog awaiting development.
Microsoft Defender for Endpoint
At the outset, Defender for Endpoint in GCC has several integrations that are not yet generally available in GCC High, namely integration with Intune and with Microsoft Sentinel.
More information to come!
Coming Soon: Built-in sensitivity labeling for Office and Outlook
Microsoft 365 GCC High is built on Microsoft Azure Government within 8 dedicated government data centers across the United States. The entire suite of Microsoft 365 GCC High services holds a FedRAMP High authorization, meaning that every service in GCC High has implemented the security controls designated for cloud environments that handle the government's most sensitive unclassified data.
For organizations that handle export-controlled data such as International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, Azure Government cloud instances are especially beneficial because:
- All personnel employed at these locations must be United States citizens and must pass a background screening.
- All data is stored in data centers on U.S. soil.
Eligibility and Purchasing
How do you obtain licenses?
Microsoft 365 GCC licenses can be obtained through multiple channels. To begin, your organization will need to go through the eligibility validation process, similar to the steps required for GCC High licensing.
You are eligible to purchase GCC licensing if you are:
- A U.S. government entity in its governmental capacity
- A commercial private entity that handles any of the following data types, or that otherwise requires Azure Government: ITAR, CUI, DoD UCNI, DOE UCNI and CJI
Once the process is complete and you receive a notice from Microsoft confirming eligibility, you can contact a Microsoft Licensing Solution Provider (LSP) for an Enterprise Agreement covering 500 or more users, or work with one of the Microsoft AOS-G vendors that can sell GCC or GCC High licensing below 500 seats. Another avenue is the Microsoft Cloud Solution Provider (CSP) program. Billing is traditionally on a monthly term.
Summit 7 is a member of the AOS-G and CSP programs, and you can contact the team for guidance. Once you have the licensing you need, configure your tenant properly and establish security and governance features such as Azure Information Protection (AIP) before migrating content in and turning on user access.