Summit 7 Team Blogs

Office 365 DFARS Frequently Asked Questions (and Answers) - Part 6 (Christmas Edition)

There are a lot of questions surrounding the upcoming DFARS requirements for DoD Contractors. What does it mean for your business? What happens if you're not compliant in time? To help guide you through the process, here are some questions and answers that you may need to know.  



29. What regulation mandates NIST 800-171 outside the DFARS 252.204-7012?

Currently, the only document that specifies NIST SP 800-171 is DFARS 252.204-7012.  NIST 800-171 is titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.  It is a special publication created as a subset of NIST SP 800-53 to apply specifically to nonfederal information systems.  NIST SP 800-53 is the standard for securing federal information systems.  Looking toward the future, it is expected that the FAR update - underway as GSA Case 2017-016 - will extend NIST 800-171 as the standard for protecting CUI across all of the federal government.



30. So all fed contractors using commercial Office 365 need to move to GCC? Same with Azure public as Office 365?

Office 365 Commercial meets many of the requirements set forth in the DFARS 7012 clause. It is FedRAMP Moderate, and it can be secured to the NIST 800-171 standard with the appropriate licensing, configuration and policies to back it up. However, there are specific subparagraphs within DFARS 7012 relating to incident management that Microsoft will not provide support for within Office 365 Commercial.



31. Could the contract itself be considered CUI?

Yes, Contract information can be considered CUI.  This falls under the “Procurement and Acquisition” category of CUI.  The description for that category is “Material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to, cost or pricing data, contract information, indirect costs and direct labor rates.”  You will need to determine if any of the information provided to you as part of your contract includes content covered by 48 CFR 3.104-4 or 48 CFR 52.215-1(e).  Some contracts will have this type of content, but many others may not.



32. Is there a recommended minimum license to support NIST 800-171?

Yes, we do have a recommended minimum. Please see our DoD Licensing Guide.





33. How long does it take to convert to GCC from commercial Office 365 / Azure?

This is completely dependent on the size and complexity of your existing environments within Office 365 and Azure Commercial.  It could be as short as a couple of weeks (after tenant availability) or as long as 12+ months.  To get access to GCC High, it is currently taking about 6 weeks from contract signature with Microsoft to tenant availability.


34. Is there a different timeline for ITAR compliance and can you use the SSP/POAM approach for small clients?

ITAR content is also CUI content, so the compliance timeline is the same.  All DoD contractors with the DFARS 7012 clause must have an SSP / POA&M regardless of size.

Note: This FAQ is part of a series. Check out the previous FAQs here: FAQ #1, FAQ #2, FAQ #3, FAQ #4, and FAQ #5.

Be sure to subscribe and get notified when there's a new post, or check back soon for the next post in the series!



About Scott Edwards

Scott Edwards is an accomplished computer engineer and organizational leader with experience in business, project management, systems engineering, training and security. Scott’s technical experience was honed at NASA as a Senior Computer Engineer and the Chief Engineer and Engineering Manager for the NASA Datacenter.

Scott received his Bachelor of Science from the United States Military Academy and his Master of Science in Computer Science with an emphasis in Information Assurance at James Madison University. Scott proudly served as an Officer in the US Army Signal Corps with both the 2-227th Aviation Battalion in Bosnia-Herzegovina and the 1-6 Air Defense Artillery Battalion in Fort Bliss, Texas.

Currently, Scott is the President and Managing Partner of Summit 7 Systems. Summit 7 Systems is a Service-Disabled Veteran-Owned Small Business (SDVOSB) and a Microsoft Gold Cloud Productivity Partner that specializes in Office 365 security solutions.