Government contractors and the federal customers they support are moving in mass to cloud solutions for meeting their growing security and compliance risks. By and large, these organizations are choosing one of the most secure and robust platforms available - Office 365 Government Community Cloud High (GCC High). Below are various explanations about the platform, why it is heavily relied upon by contractors, its role in meeting security and compliance goals(CMMC/NIST/DFARS/FAR/ITAR), and how to obtain licensing.
Topics Covered
Where is GCC High Located? The Foundation
What is Available in GCC High? Product and Feature Parity
Are There Other 'Versions' of Office 365?
Why Should You Choose O365 GCC High? Pros and Cons
Do You Need GCC High For CMMC?
How Do You Obtain Licenses? Eligibility and Purchasing
The Foundation
Office 365 GCC High is built on Microsoft Azure Government within 8 dedicated US-sovereign data centers. Azure Government is currently certified to FedRAMP High, and the entire suite of GCC High services is undergoing audits to upgrade its certification to FedRAMP High. For many entities interested in GCC High, the foundation of Azure Government is especially helpful because each Microsoft employee working those environments is a US Citizen and background checked. This factor is particularly important for companies handling ITAR data.
Product and Feature Parity
O365 GCC High includes many of the same feature sets and products of the commercially available Office 365 (Office 365 Commercial): SharePoint Online, Teams, Exchange Online, OneDrive for Business, Power Apps, etc. However, full parity is not achieved.
The following Licensing Guide gives a breakdown of security features and products available on the platform.
O365 GCC High can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. Additionally, Microsoft agrees to support all requirements for DFARS as part of this environment. This environment was previously available only through an enterprise agreement, requiring 500 or more licenses. However, it is now available to all organizations with a requirement to manage CUI/ITAR data or have the CMMC clause in one of their contracts.
Other 'Versions' of Office 365
Microsoft has three other environments for Office 365. Here’s a quick explanation of each:
Office 365 Commercial
This environment is built to FedRAMP Moderate standards and can be configured to meet CMMC and NIST 800-171. However, this offering will not currently meet paragraphs e) and f) of DFARS 7012. It leverages the Azure Commercial stack and is generally available through all licensing outlets from retail to Enterprise Agreement.
Office 365 GCC
This environment is largely equivalent to the Office 365 Commercial environment, except that its data is segregated from commercial organizations. It can be configured, with appropriate licensing, to be 100% CMMC and NIST 800-171 compliant. It leverages the Azure Commercial stack and is available from Cloud Solution Providers and through an Enterprise Agreement.
Office 365 DoD
The DoD environment is built on Azure Government, within dedicated government data centers. The DoD environment is accessible for DoD organizations and cannot be purchased by private organizations.
Why Should You Choose O365 GCC High?
Government Contractors of all sizes are deploying to Office 365 GCC High for compliance reasons and peace of mind. While per license pricing is more than Commercistep-by-step video of the processal, for most organizations, the ability to become fully DFARS and ITAR compliant outweighs the cost difference. DCMA is currently conducting DFARS audits on contractors within the Defense Industrial Base (DIB), and the DoD is taking steps to reward businesses for their compliance efforts. The DFARS Interim Rule, published on September 30, 2020 provides documentation stating that CMMC will be a requirement in contracts.
At the CMMC 1.0 Press Conference, Ellen Lord (Under Secretary of Defense for Acquisition & Sustainment) stated "One of my biggest concerns is implementing CMMC for small and medium businesses, because that's where a large part innovation comes from. We need small and medium businesses in our defense industrial base, and we need to retain them... " Small and medium businesses can alleviate many of their existing costs associated with on premises servers, systems, maintenance and upkeep by moving to cloud platforms and infrastructure. However, not all cloud options are equal.
If you do work with the US Government, regardless of fund source or procurement process, you need GCC High. DFARS 7012 and CMMC have three basic requirements:
- Adequate Security: Basically NIST 800-171's 110 distinct security controls plus several additional practices introduced by CMMC
- Contractual Flowdown: If the prime contractor has to meet these security requirements, so do their subcontractors or vendors
- Event Reporting: If you have an incident, or you were to be compromised in any way, you need to let the government know and they will need access to the cloud environment beyond the scope of your specific tenant
The first can be met with each option of Office 365, including GCC High. The second requirement requires you meet the first and third. The third requirement can ONLY be met with GCC High.
While there are still some contractors delaying their migration to Office 365 GCC High, it is not a decision that should be taken lightly as the government is getting more aggressive in how they are evaluating the SSPs and POA&Ms of prospective contractors as part of the source selection board process. You can also read about where to deploy for DFARS 7012 here or by clicking the image below.
Also, Microsoft provides a helpful list of regulations and certifications they meet with Office 365 GCC High. It is also important to note that this version of the platform does not currently support sharing to external users using Office 365 Commercial. i.e. a user on an O365 GCC High Tenant cannot share a document (likely containing sensitive data) with another individual that does not have a similar secure environment. This capability is currently on the Microsoft roadmap for Microsoft365 GCC High.
Do You Need GCC High For CMMC?
It is becoming a more prevalent question as DFARS 7012 has taken a backseat to CMMC in the public discourse. GCC High is not required to meet CMMC at any Level. However, GCC High is the only version of the Office 365 or Microsoft 365 platform that meets the reporting requirements of DFARS 7012 found in paragraphs C-G as explained in the sections above. Technically, the Commercial and GCC versions of the platform can be configured to meet NIST 800-171, and the vast majority of CMMC's requirements with native security products/capabilities. CMMC Level 3, for example, can be met in Commercial and GCC per the standards written to date. Read more about GCC High for CMMC in this blog or by clicking the image below.
How to Obtain Licenses
Microsoft Office 365 GCC High isn't something you can simply buy from traditional sources. You have to go through the process of gaining eligibility and even then, there's some work involved. It is often a challenge to find the right site, the right form, and the right information to obtain O365 GCC High Licensing.
Once you receive notice of eligibility, you can do two things: work with a Microsoft Partner to obtain an enterprise agreement for 500 or more users OR work with one of the vendors capable of selling GCC High licensing under 500. Summit 7 is one of them, and you can contact the team here.
Once you have the licensing you need, begin configuring your tenant properly and establishing certain security/governance features like Azure Information Protection (AIP) before lobbing content in and turning on user access.
There are a litany of things to consider before migrating to GCC High, one of those being the obvious: How much does this cost?
We've broken down why the cost of GCC High is considered "more expensive" in this blog to help you #StayInformed.
