Summit 7 Team Blogs

Office 365 DFARS Frequently Asked Questions (and Answers) - Part 5

There are a lot of questions surrounding the upcoming DFARS requirements for DoD Contractors. What does it mean for your business? What happens if you're not compliant in time? To help guide you through the process, here are some questions and answers that you may need to know.  

24. How does Office 365 secure personally identifiable information (PII)?

Microsoft Data Loss Prevention allows an organization to continually monitor for PII and many other types of compliance data across Exchange Online, OneDrive for Business and SharePoint Online.




25. Does O365 provide documentation and material in case of an incident?

Office 365 can provide audit and activity reports that are crucial to properly documenting and responding to an incident.



26. If O365 requires licenses for every user, what is the best way to work with subcontractors when having to share documents and access information? Do we provide them licenses or do they use their own?

Office 365 lets external users access information within the customer's environment when they are invited by a licensed user and the organization's security configuration allows it. Depending on the specific needs and requirements, this may be enough to meet the external sharing needs of your user base.


27. Does O365 provide any remediation strategies for after an incident occurs?

Microsoft does not dictate specific procedural controls for an organization when responding to an incident.  These vary by organization and may or may not include technical controls from within Office 365. 

28. Can Microsoft employees access our tenant data? What controls are in place to keep our data private?

Microsoft is not able to access your data without your consent. Please see the Microsoft Privacy Policy for detailed information. If you provide consent during a support request, a Microsoft support technician can gain access to your tenant for that specific incident, and the access is bounded by a specific time requirement.

If you would like to further limit this access, Microsoft highly recommends enabling your Customer Lockbox. Once enabled, Microsoft can only access the content that you allow access to through the Customer Lockbox.

Note: This FAQ is part of a series. Check out the previous FAQs here: FAQ #1, FAQ #2, FAQ #3, and FAQ #4.

Be sure to subscribe and get notified when there's a new post, or check back soon for the next post in the series!



About Scott Edwards

Scott Edwards is an accomplished computer engineer and organizational leader with experience in business, project management, systems engineering, training and security. Scott’s technical experience was honed at NASA as a Senior Computer Engineer and the Chief Engineer and Engineering Manager for the NASA Datacenter.

Scott received his Bachelor of Science from the United States Military Academy and his Master of Science in Computer Science with an emphasis in Information Assurance at James Madison University. Scott proudly served as an Officer in the US Army Signal Corps with both the 2-227th Aviation Battalion in Bosnia-Herzegovina and the 1-6 Air Defense Artillery Battalion in Fort Bliss, Texas.

Currently, Scott is the President and Managing Partner of Summit 7 Systems. Summit 7 Systems is a Service-Disabled Veteran-Owned Small Business (SDVOSB) and a Microsoft Gold Cloud Productivity Partner that specializes in Office 365 security solutions.