Summit 7 Team Blogs

UPDATE: Where should I deploy for DFARS 7012 compliance? Office 365 Commercial or Office 365 GCC High?

Through my blog series on DFARS 7012 and NIST SP 800-171, we have established that DFARS compliance requires three primary components:

  1. Provide adequate security for a system holding CUI/CDI content by configuring it to NIST 800-171 and FedRAMP Moderate
  2. Provide incident reporting within 72 hours of a suspected incident
  3. Flow down all contract clauses to subcontractors

For a detailed review of the DFARS 7012 clause, see my blog post here: http://info.summit7systems.com/blog/how-does-dfars-impact-the-bottom-line-for-defense-contractors

However, the DFARS 7012 clause also includes some often overlooked requirements that significantly impact how an organization must plan for and execute its compliance strategy. These are labelled in the DFARS clause as paragraphs (e) and (f).

I have excerpted paragraphs (e) and (f) below, but you can find the entire DFARS 7012 clause here: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012 and, for a detailed review of the DFARS 7012 clause, see my aforementioned blog post.

    (e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

    (f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

Paragraphs (e) and (f) cause a significant issue for SaaS providers because those paragraphs largely ignore how SaaS providers manage their environments. While most providers store logs for 90 days, system images move around fluidly across hardware, and the SaaS provider may not be able to produce a "system image" of a server that reaches back 90 days. Thus, if the government requests this information as part of a forensic analysis as called out in paragraph (f), the contractor must in turn request it from their SaaS provider. If the SaaS provider cannot produce the system image for forensic analysis, then the contractor would be out of compliance with the DFARS clause. Not good.

This scenario is exactly the problem that contractors subject to the DFARS 7012 clause face when moving into Office 365 Commercial. Microsoft has developed an environment in which it can support the requirements of paragraphs (e) and (f), but it cannot support them in Office 365 Commercial.

Microsoft offers multiple SaaS environments to meet the needs of their customers across a wide range of security and compliance needs. We recently completed a webinar to break down the differences, but below are some of the high-level explanations.

The Microsoft Environments to Know

Office 365 Commercial

This environment is built to FedRAMP Moderate standards and can be configured to meet NIST 800-171. However, as previously mentioned, this offering will not currently meet paragraphs (e) and (f) of DFARS 7012. It leverages the Azure Commercial stack and is generally available through all licensing outlets, from retail to Enterprise Agreement.

Office 365 GCC

This environment is largely equivalent to the Office 365 Commercial environment, except that its data is segregated from commercial organizations. It can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. It leverages the Azure Commercial stack and is available from Cloud Solution Providers and through an Enterprise Agreement.

Office 365 GCC High

The GCC High environment is built on Azure Government, within dedicated government data centers. It is currently certified to FedRAMP Moderate, but is undergoing the audits to upgrade the certification to FedRAMP High. It can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. The technical support staff are all US Persons and undergo background checks beyond those required in Office 365 Commercial. Microsoft agrees to support all requirements for DFARS as part of this environment. Previously, this environment was only available to those needing 500 or more licenses, but through a new program it is now available to all DoD contractors with a requirement to manage CUI / ITAR data or who have the DFARS 7012 clause in one of their contracts.

Office 365 DoD

The DoD environment is built on Azure Government, within dedicated government data centers. The DoD environment is accessible to DoD organizations and cannot be purchased by DoD contractors. It is currently certified to FedRAMP Moderate, but is undergoing the audits to upgrade the certification to FedRAMP High. It can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. The technical support staff are all US Persons and undergo background checks beyond those required in Office 365 Commercial. Microsoft agrees to support all requirements for DFARS as part of this environment.

A review of the requirements and how each environment meets those requirements:

Requirement                  Office 365 Commercial   Office 365 GCC      Office 365 GCC High           Office 365 DoD
Customer Access              All                     Gov / Contractors   Gov / Contractors             DoD
NIST 800-171 Configurable    Yes                     Yes                 Yes                           Yes
FedRAMP                      Moderate                Moderate            Moderate (High In Progress)   Moderate (High In Progress)
DISA SRG                     Level 2                 Level 2             Level 4                       Level 5
7012 (e) and (f) Support     No                      No                  Yes                           Yes
Infrastructure               Azure Commercial        Azure Commercial    Azure Government              Azure Government
Min Purchase                 1                       1                   1                             500

So, thanks for all of the information, but where does that leave me?

Given Microsoft's official position on the lack of support for DFARS 7012 paragraphs (e) and (f) in Office 365 Commercial, we do not believe that you can be 100% DFARS compliant in that environment, despite the fact that you can meet all of the other requirements called out in the regulation. The environment is FedRAMP Moderate, it can be configured to NIST 800-171, you can properly submit incident reports, and you can flow down the clauses to your subcontractors. You cannot, however, support (e) and (f) anywhere but in Government Community Cloud High (GCC High). To start the eligibility process for GCC High, click here.

At this point, deploying a covered contractor information system on Office 365 Commercial becomes a risk management decision for each organization. You can fully secure and protect all CUI content as required by the regulation, but you may not be able to provide additional information on a security incident if the government requests it.

The bottom line is that for DoD contractor organizations of all sizes, it now makes sense to deploy into Office 365 GCC High. While the per-license pricing is more expensive than Commercial, for most organizations the ability to become fully DFARS 7012 compliant outweighs the cost difference. Some contractors are still delaying their migration to Office 365 GCC High, but that is not a decision to be taken lightly, as the government is getting more aggressive in how it evaluates the SSP and POA&Ms of prospective contractors as part of the source selection board process.

If you are interested in Office 365 GCC High licensing, contact us to get more information: http://info.summit7systems.com/office-365-gcc-high-licensing

If you are choosing to stay in Office 365 Commercial and you are interested in a NIST 800-171 Gap Analysis, please take a look at our Gap Analysis solution.

https://info.summit7systems.com/nist-o365-gap-analysis

About Scott Edwards

Scott Edwards is an accomplished computer engineer and organizational leader with experience in business, project management, systems engineering, training and security. Scott’s technical experience was honed at NASA as a Senior Computer Engineer and the Chief Engineer and Engineering Manager for the NASA Datacenter.

Scott received his Bachelor of Science from the United States Military Academy and his Master of Science in Computer Science with an emphasis in Information Assurance at James Madison University. Scott proudly served as an Officer in the US Army Signal Corps with both the 2-227th Aviation Battalion in Bosnia-Herzegovina and the 1-6 Air Defense Artillery Battalion in Fort Bliss, Texas.

Currently, Scott is the President and Managing Partner of Summit 7 Systems. Summit 7 Systems is a Service Disabled Veteran Owned Small Business (SDVOSB) and a Microsoft Gold Cloud Productivity Partner that specializes in Office 365 security solutions.