Government contractors and the federal customers they support are moving en masse to cloud solutions to address their growing security and compliance obligations. By and large, these organizations are choosing one of the most secure and robust platforms available: Office 365 Government Community Cloud High (GCC High). Below is an explanation of the platform, why contractors rely on it so heavily, its role in meeting security and compliance goals (CMMC/NIST/DFARS/FAR/ITAR), and how to obtain licensing.
Office 365 GCC High is built on Microsoft Azure Government within eight dedicated US-sovereign data centers. Azure Government is currently certified at FedRAMP High, and the full suite of GCC High services is undergoing the audits needed to raise its own certification to FedRAMP High. For many entities interested in GCC High, the Azure Government foundation is especially helpful because every Microsoft employee operating those environments is a US citizen who has passed a background check. This matters most for companies handling ITAR data, since ITAR restricts access to export-controlled technical data by foreign persons, and that restriction extends to the administrators of the systems that store it.
O365 GCC High includes many of the same products and feature sets as the commercially available Office 365 (Office 365 Commercial): SharePoint Online, Teams, Exchange Online, OneDrive for Business, etc. However, feature parity is not complete; some features arrive in GCC High later than in Commercial, and some are not offered at all.
The following Licensing Guide gives a breakdown of security features and products available on the platform.
O365 GCC High can be configured, with appropriate licensing, to support every NIST SP 800-171 control that falls within the service boundary. Note that the platform alone does not make an organization compliant: controls that live on the customer side (policies, training, endpoint hardening, the System Security Plan itself) remain the contractor's responsibility. Additionally, Microsoft contractually commits to support the DFARS 252.204-7012 requirements as part of this environment. This environment was previously available only through an Enterprise Agreement, which requires 500 or more licenses. It is now available to any organization that has a requirement to manage CUI/ITAR data or has the CMMC clause in one of its contracts.
Microsoft has three other environments for Office 365. Here’s a quick explanation of each:
Office 365 Commercial
This environment is built to FedRAMP Moderate standards and can be configured to meet CMMC and NIST 800-171. However, this offering will not currently meet paragraphs (e) and (f) of DFARS 7012, which require preserving and protecting images of affected systems and relevant monitoring data for at least 90 days after a cyber incident report and giving DoD access to that information and equipment for forensic analysis. It leverages the Azure Commercial stack and is generally available through all licensing outlets, from retail to Enterprise Agreement.
Office 365 GCC
This environment is largely equivalent to the Office 365 Commercial environment, except that its data is segregated from commercial organizations. It can be configured, with appropriate licensing, to support CMMC and NIST 800-171 in full. However, like Commercial, it will not currently meet paragraphs (e) and (f) of DFARS 7012 (media preservation and DoD forensic access after an incident). It leverages the Azure Commercial stack and is available from Cloud Solution Providers and through an Enterprise Agreement.
Office 365 DoD
The DoD environment is built on Azure Government, within dedicated government data centers. It is available only to DoD organizations and cannot be purchased by private companies.
Understandably, this decision can get confusing. There are many options to choose from (see: Google G Suite), and it can be hard to narrow them down. The bottom line is that for government contractors of all sizes, it now makes sense to deploy into Office 365 GCC High. While the per-license price is somewhat higher than Commercial, for most organizations the ability to become fully CMMC compliant outweighs the cost difference. DCMA is currently conducting DFARS audits on contractors within the Defense Industrial Base (DIB), and the DoD is taking steps to reward businesses for their compliance programs. Furthermore, at the CMMC 1.0 press release, Ellen Lord (Under Secretary of Defense for Acquisition & Sustainment) stated: "One of my biggest concerns is implementing CMMC for small and medium businesses, because that's where a large part of innovation comes from. We need small and medium businesses in our defense industrial base, and we need to retain them... So right now, there are a number of primes who have come up with some ideas about how to more cost-effectively accredit small and medium businesses."
If you do work with the US Government, regardless of funding source or procurement process, you need GCC High. DFARS 7012 and CMMC have three basic requirements:
The first can be met with any Office 365 option, including GCC High. The second requires that you meet the first and the third. The third can ONLY be met with GCC High.
Some contractors are still delaying their migration to Office 365 GCC High. That delay should not be taken lightly: the government is becoming more aggressive in evaluating the System Security Plans (SSPs) and Plans of Action & Milestones (POA&Ms) of prospective contractors during the source selection board process. Read more about why deploying in Office 365 GCC High is the best option to meet CMMC.
Also, Microsoft provides a helpful list of the regulations and certifications it meets with Office 365 GCC High. It is also important to note that this version of the platform does not currently support sharing with external users whose tenants are in Office 365 Commercial: a user in an O365 GCC High tenant cannot share a document (which likely contains sensitive data) with someone who does not have a similarly secured environment. Plan your collaboration with primes, subcontractors and customers around this limitation. This capability is currently on the Microsoft roadmap for Microsoft 365 GCC High.
Microsoft Office 365 GCC High isn't something you can simply buy from traditional sources. You first have to go through the process of establishing eligibility, and even then there is work involved. It is often a challenge to find the right site, the right form, and the right information to obtain O365 GCC High licensing. Thankfully, here is a step-by-step video of the process to guide you through it.
Once you receive notice of eligibility, you can do one of two things: work with a Microsoft Partner to obtain an Enterprise Agreement for 500 or more users, OR work with one of the vendors authorized to sell GCC High licensing below 500 seats. Summit 7 is one of them, and you can contact the team here.
Once you have the licensing you need, configure your tenant properly and establish security and governance features such as Azure Information Protection (AIP), sensitivity labels and data loss prevention (DLP) policies before loading content and turning on user access. Getting the labels and policies in place first means that CUI/ITAR data is classified and protected from the moment it lands in the tenant rather than retrofitted later.
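The following PowerShell is an added example, not code from the original post, Summit 7 or Microsoft. It shows the pre-migration check a practitioner would run once the licensing is in hand: connect to the GCC High endpoints (the default cmdlet parameters point at the commercial .com endpoints, which will not accept a GCC High account), confirm the tenant really is a GCC High tenant, and verify that sensitivity labels, a published label policy and a DLP policy exist and that SharePoint external sharing is still off before any content is loaded. It assumes the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules are installed, that the tenant prefix is the placeholder `contoso`, and that a GCC High tenant's initial domain ends in `.onmicrosoft.us` (an assumption used for the tenant check).

```powershell
# Added example; not from the original post. Assumes the ExchangeOnlineManagement,
# Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules are installed.
$TenantName = 'contoso'   # placeholder; replace with your own GCC High tenant prefix

# 1. Connect to the GCC High endpoints explicitly. Without these parameters the
#    cmdlets target the commercial (.com) cloud and sign-in fails for GCC High accounts.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
Connect-IPPSSession -ConnectionUri 'https://ps.compliance.protection.office365.us/powershell-liveid/' `
                    -AzureADAuthorizationEndpointUri 'https://login.microsoftonline.us/common'
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.us" -Region ITAR
Connect-MgGraph -Environment USGov -Scopes 'Organization.Read.All'

# 2. Confirm this is a GCC High tenant. Assumption: GCC High initial domains are
#    *.onmicrosoft.us, whereas Commercial and GCC tenants use *.onmicrosoft.com.
$initialDomain = (Get-MgOrganization).VerifiedDomains |
    Where-Object { $_.IsInitial } | Select-Object -ExpandProperty Name
if ($initialDomain -notlike '*.onmicrosoft.us') {
    throw "Connected tenant '$initialDomain' does not look like a GCC High tenant; stop here."
}

# 3. Governance prerequisites: labels defined, at least one label policy published
#    (users only see labels that a policy publishes), and at least one DLP policy enabled.
$labels        = Get-Label
$labelPolicies = Get-LabelPolicy          | Where-Object { $_.Enabled }
$dlpPolicies   = Get-DlpCompliancePolicy  | Where-Object { $_.Enabled }

$findings = @()
if (-not $labels)        { $findings += 'No sensitivity labels are defined' }
if (-not $labelPolicies) { $findings += 'No enabled sensitivity label policy (labels are not published to users)' }
if (-not $dlpPolicies)   { $findings += 'No enabled DLP policy' }

# 4. External sharing should stay disabled until the controls above exist. The post
#    notes that sharing to Commercial tenants is not supported from GCC High anyway.
$sharing = (Get-SPOTenant).SharingCapability
if ($sharing -ne 'Disabled') {
    $findings += "SharePoint external sharing is '$sharing'; expected 'Disabled' before migration"
}

# 5. Report. Migrate content only when the list is empty.
if ($findings.Count -gt 0) {
    Write-Warning 'Tenant is NOT ready for content migration:'
    $findings | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Host "Tenant $initialDomain passes the pre-migration governance checks."
}
```

Run this from an account holding the Exchange, Compliance and SharePoint administrator roles. The point of step 2 is to catch the common mistake of building out labels and policies in a Commercial trial tenant and then discovering that none of it carries over to the GCC High tenant that will actually hold the CUI.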
There are many things to consider before migrating to GCC High, one of them being the obvious: how much does this cost? We've broken down why GCC High is considered "more expensive" in this blog to help you #StayInformed.
Here is a video of Richard Wakeman, from Microsoft's Aerospace and Defense team, giving an overview of Microsoft Office 365 GCC High at the Cloud Security and Compliance Series.