Government contractors and the federal customers they support are moving en masse to cloud solutions to address their growing security and compliance risks. By and large, these organizations are choosing one of the most secure and robust platforms available: Office 365 Government Community Cloud High (GCC High). Below are explanations of the platform, why contractors rely on it so heavily, its role in meeting security and compliance goals (NIST/DFARS/FAR/ITAR), and how to obtain licensing.
Office 365 GCC High is built on Microsoft Azure Government within 8 dedicated government data centers. Azure Government is currently certified to FedRAMP High, and the entire suite of GCC High services is undergoing audits to upgrade its certification to FedRAMP High. For many entities interested in GCC High, the foundation of Azure Government is especially helpful because each Microsoft employee working in those environments is a background-checked US citizen. This factor is particularly important for companies handling ITAR data.
O365 GCC High includes many of the same feature sets and products of the commercially available Office 365 (Office 365 Commercial): SharePoint Online, Teams, Exchange Online, OneDrive for Business, etc. However, full parity is not achieved. PowerApps and Flow, for example, are expected to be available in 2019. The following Licensing Guide gives a breakdown of security features and products available on the platform.
O365 GCC High can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. Additionally, Microsoft agrees to support all requirements for DFARS as part of this environment. This environment was previously available only through an enterprise agreement, requiring 500 or more licenses. Through a new program, however, it is now available to all organizations that are required to manage CUI/ITAR data or that have the DFARS 7012 clause in one of their contracts.
Microsoft has three other environments for Office 365. Here’s a quick explanation of each:
Office 365 Commercial
This environment is built to FedRAMP Moderate standards and can be configured to meet NIST 800-171. However, this offering will not currently meet paragraphs e) and f) of DFARS 7012. It leverages the Azure Commercial stack and is generally available through all licensing outlets from retail to Enterprise Agreement.
Office 365 GCC
This environment is largely equivalent to the Office 365 Commercial environment, except that its data is segregated from commercial organizations. It can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. It leverages the Azure Commercial stack and is available from Cloud Solution Providers and through an Enterprise Agreement.
Office 365 DoD
The DoD environment is built on Azure Government, within dedicated government data centers. The DoD environment is accessible for DoD organizations and cannot be purchased by private organizations.
Understandably, this decision can get confusing. There are many different options to choose from (see: Google G Suite), and it can be hard to narrow them down. The bottom line is that for government contractors of all sizes, it now makes sense to deploy into Office 365 GCC High. While the per-license pricing is slightly higher than Commercial, for most organizations the ability to become fully DFARS 7012 compliant outweighs the cost difference. Furthermore, DoD and others are initiating steps to begin auditing and rewarding businesses for DFARS compliance.
If you do work with the US Government, regardless of fund source or procurement process, you need GCC High. DFARS 7012, and more government regulations to come, have three basic requirements.
The first can be met with each option of Office 365, including GCC High. The second requires that you meet the first and third. The third requirement can ONLY be met with GCC High.
While some contractors are still delaying their migration to Office 365 GCC High, the decision should not be taken lightly: the government is getting more aggressive in how it evaluates the SSPs and POA&Ms of prospective contractors as part of the source selection board process. Read more about why deploying in Office 365 GCC High is the best option.
Microsoft also provides a helpful list of regulations and certifications it meets with Office 365 GCC High. It is also important to note that, for obvious reasons, these environments do not permit sharing with external users on Office 365 Commercial. That is, a user on an O365 GCC High tenant cannot share a document (likely containing sensitive data) with another individual who does not have a similarly secure environment.
Microsoft Office 365 GCC High isn't something you can simply buy from traditional sources. You have to go through the process of gaining eligibility and even then, there's some work involved. It is often a challenge to find the right site, the right form, and the right information to obtain O365 GCC High Licensing. Thankfully, here is a step-by-step video of the process to help guide you through it.
Once you receive notice of eligibility, you can do one of two things: work with a Microsoft Partner to obtain an enterprise agreement for 500 or more users, or work with one of the five vendors capable of selling GCC High licensing for fewer than 500 users. Summit 7 is one of them, and you can contact the team here. Once you have the licensing you need, begin by configuring your tenant properly and establishing security and governance features such as Azure Information Protection (AIP) before lobbing content in and turning on user access.
There is a litany of things to consider before migrating to GCC High. Read this for starters, and consult with others before diving in head-first.
Godspeed! Keep moving #cloudward.