Government contractors and the federal customers they support are moving in mass to cloud solutions for meeting their growing security and compliance risks. By and large, these organizations are choosing one of the most secure and robust platforms available - Microsoft 365 Government Community Cloud High (GCC High). Below are various explanations about the platform, why it is heavily relied upon by contractors, its role in meeting security and compliance goals (CMMC/NIST/DFARS/FAR/ITAR), and how to obtain licensing.
Microsoft 365 GCC High is built on Microsoft Azure Government within 8 dedicated government data centers. Azure Government is currently certified to FedRAMP High, and the entire suite of GCC High services is undergoing audits to upgrade its certification to FedRAMP High. For many entities interested in GCC High, the foundation of Azure Government is especially helpful because each Microsoft employee working those environments is a US Citizen and background checked. This factor is particularly important for companies handling ITAR data.
M365 GCC High includes many of the same feature sets and products of the commercially available Microsoft 365 (Microsoft 365 Commercial): SharePoint Online, Teams, Exchange Online, OneDrive for Business, etc. However, full parity is not achieved. One notable example is found within Microsoft Teams for O365 GCC High. Unlike the Commercial offering of Microsoft 365, Audio Conferencing for Teams US Government does not include dial-in phone numbers and the underlying configuration in Azure Government to enable the capability. A solution is required for direct inward dial through Direct Routing to allow users to create meetings with Teams Dial-in conference numbers.
The following Licensing Guide gives a breakdown of security features and products available on the platform.
M365 GCC High can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. Additionally, Microsoft agrees to support all requirements for DFARS as part of this environment. This environment was previously available only through an enterprise agreement, requiring 500 or more licenses. Through a new program, however, it is now available to all organizations with a requirement to manage CUI/ITAR data or have the DFARS 7012 clause in one of their contracts.
Microsoft has three other environments for Microsoft 365. Here’s a quick explanation of each:
Microsoft 365 Commercial
This environment is built to FedRAMP Moderate standards and can be configured to meet NIST 800-171. However, this offering will not currently meet paragraphs e) and f) of DFARS 7012. It leverages the Azure Commercial stack and is generally available through all licensing outlets from retail to Enterprise Agreement.
Microsoft 365 GCC
This environment is largely equivalent to the Microsoft 365 Commercial environment, except that its data is segregated from commercial organizations. It can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. It leverages the Azure Commercial stack and is available from Cloud Solution Providers and through an Enterprise Agreement.
This guide to GCC vs GCC High was created to help make business risk decisions regarding the two platforms
Microsoft 365 DoD
The DoD environment is built on Azure Government, within dedicated government data centers. The DoD environment is accessible for DoD organizations and cannot be purchased by private organizations.
Microsoft's Enterprise Mobility + Security, or EMS, offerings for US GCC High and DOD customers are built on the Microsoft Azure Government cloud and are designed to inter-operate with the Microsoft 365 GCC High and DOD environments. The EMS E5 suite is available for both GCC High and DoD customers, however Microsoft Cloud App Security and Azure Advanced Threat Protection are available only to GCC High customers. Azure Active Directory P1/P2, Microsoft Intune, Azure Information Protection P1/P2, Microsoft Cloud App Security, and Microsoft Defender for Identity are certified FedRAMP-High. (The security product previously known as Azure Advanced Threat Protection is now known as Microsoft Defender for Identity. Read more about the name change here.)
Organizations that use EMS for US Government GCC High and DOD offerings benefit from the following features:
Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.
You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable regardless of where the data is stored or with whom it’s shared. The labels can include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as data loss prevention solutions, can identify the classification and take appropriate action. There are known gaps between AIP Premium commercial and GCC High/DoD that can be found here.
Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your company against unknown viruses and malware by providing substantial zero-day protection and includes features to protect your company from harmful links in real time. These capabilities are critical to meeting the NIST 800-171 control family 3.14 System and Information Integrity. Although, it is important to understand Defender for Office 365 cannot simply meet compliance requirements by 'turning it on'.
The Defender for Office 365 license has powerful reporting and URL trace capabilities that give administrators insight and clarity into the kind of attacks happening in your organization. The reporting capabilities, moreover, can cover the "actions of individual system users [to] be uniquely traced to those users so they can be held accountable for their actions" (NIST 800-171). Defender for Office 365 covers most Exchange architectures – rather on premises, Exchange Online, or Hybrid if configured properly.
SharePoint in Microsoft 365 helps organizations share and manage content, knowledge, and applications to empower teamwork, quickly find information, seamlessly collaborate across the organization. Here are the differences between the IT admin features for commercial customers and those for government cloud customers.
OneDrive is online storage space in the cloud that's provided for individual licensed users in an organization. Use it to help protect work files and access them across multiple devices. OneDrive lets you share files and collaborate on documents, and sync files to your computer.
For more on OneDrive in GCC High, you can read the Microsoft article here.
Microsoft Teams is the hub for teamwork in Microsoft 365. The Teams service enables instant messaging, audio and video calling, rich online meetings, mobile experiences, and extensive web conferencing capabilities. In addition, Teams provides file and data collaboration and extensibility features, and integrates with Microsoft 365 and other Microsoft and partner apps. You can find more about Teams in GCC High in this blog.
Microsoft Planner comes with some versions of Microsoft 365 US Government. Find out what features are included in the government plans, and which aren't available in this blog.
Microsoft Forms does not allow external sharing in GCC High and DoD environments. People only within your organization may do the following:
Understandably, this decision can get confusing. There are so many different options to choose from (see: Google G Suite) and sometimes it can get hard to narrow it down. The bottom line is that for Government Contractors of all sizes, it makes sense to deploy into Microsoft 365 GCC High. While the per license pricing is slightly more than Commercial, for most organizations, the ability to become fully DFARS compliant outweighs the cost difference. DCMA is currently conducting DFARS audits on contractors within the Defense Industrial Base (DIB), and the DoD is taking steps reward businesses for their compliance programs. Furthermore, at the CMMC 1.0 Press Release, Ellen Lord (Under Secretary of Defense for Acquisition & Sustainment) stated "One of my biggest concerns is implementing CMMC for small and medium businesses, because that's where a large part innovation comes from. We need small and medium businesses in our defense industrial base, and we need to retain them... So right now, there are a number of primes who have come up with some ideas about how to more cost-effectively accredit small and medium businesses."
If you do work with the US Government, regardless of fund source or procurement process, you probably need GCC High. A few reasons are teased out below:
Adequate Security: Basically NIST 800-171's 110 distinct security controls plus several additional practices introduced by CMMC
Contractual Flowdown: Most of the major/large prime contractors are moving, or have moved to GCC High because of the ability to collaborate and communicate with subs that are also on GCC High. GCC High is also the only version of the platform that has B2B capabilities with DoD.
ITAR or NOFORN Data: Companies cannot handle or store ITAR data on Commercial or GCC because the data may be accessed by non-US persons as a part of Microsoft's administrative activities and can create an unlawful and unintended export.
The first can be met with each option of Microsoft 365, including GCC High. The third data point can ONLY be met with GCC High.
It is also important to note that currently external sharing and Teams messaging capabilities between Microsoft 365 Commercial and Microsoft 365 GCC High tenants/users are not possible. However, users can join Teams meetings in either situation without issue. These limitations are mostly due to purposeful separations in design, architecture, and data centers between the commercial version of the platform and the US-sovereign version.
The short answer – no. The long answer – it’s possible you will need to move from GCC to GCC High for your organization’s long-term compliance strategy.
For contractors who are seeking a cloud-based solution to store or process ITAR data, Microsoft 365 GCC is not an option. As it currently stands, GCC follows the Azure commercial “follow-the-sun” support model, meaning the access of sensitive data by non-US born citizens may occur as result of Microsoft’s administrative duties. This could create an unintended, yet unlawful export resulting in major fines, and / or the loss of contracts.
Technically, the Commercial and GCC versions of the platform can be configured to meet NIST 800-171, and the vast majority of CMMC's requirements with native security products/capabilities. CMMC Level 3, for example, can be met in Commercial and GCC per the standards written to date.
Note: There are portions of the GCC / Commercial infrastructure (Preview/Beta capabilities) that do NOT meet DFARS standards making it difficult, and in some cases, impossible to turn those capabilities off. In other instances, the integration options available in GCC can easily put you in a non-compliant position unless you exercise very stringent change control and monitoring of all integrations with your environment.
Microsoft 365 GCC High isn't something you can simply buy from traditional sources. You have to go through the process of gaining eligibility and even then, there's some work involved. It is often a challenge to find the right site, the right form, and the right information to obtain M365 GCC High Licensing. Thankfully, here is a step-by-step video of the process to help guide you through it.
Once you receive notice of eligibility, you can do two things: work with a Microsoft Partner to obtain an enterprise agreement for 500 or more users OR work with one of the Microsoft AOS-G vendors capable of selling GCC High licensing under 500. Summit 7 is one of them, and you can contact the team here. Once you have the licensing you need, begin configuring your tenant properly and establishing certain security/governance features like Azure Information Protection (AIP) before lobbing content in and turning on user access.
There are a litany of things to consider before migrating to GCC High, one of those being the obvious: How much does this cost?
We've broken down why the cost of GCC High is considered "more expensive" in this blog to help you #StayInformed.
If you still have questions about GCC High, or anything around understanding the platform, feel free to submit any additional questions by filling out this form. Subscribe to our blog or follow us on LinkedIn to receive updates regarding all things security and compliance.
Feel free to check out this video of Richard Wakeman, from Microsoft's Aerospace and Defense team, giving an overview of Microsoft 365 GCC High at the Cloud Security and Compliance Series.