Protecting sensitive information such as Federal Contract Information (FCI), NOFORN, and Controlled Unclassified Information (CUI) has become a priority for the DoD and its partners and contractors, and Microsoft Office 365 GCC High ensures that.
With constant technological change, the security measures for sensitive data must also change constantly to keep pace. With new cloud-based solutions, contractors and agencies should consider the risk of sensitive data ending up with the wrong entity or person. This includes inadvertent exposure of that information to members of the public as well as sophisticated cyberattacks by foreign adversaries.
CMMC compliance is a big-time buzzword in the DoD contracting sector. So, what cloud environment should you operate in if you need to be CMMC certified? This is a question that organizations need to consider seriously because a wrong decision could have serious ramifications. To protect the confidentiality of the sensitive information held by the DoD and its contractors, Microsoft responded with highly compliant cloud solutions such as Microsoft Office 365 GCC and Microsoft Office 365 GCC High.
Microsoft GCC cloud tenants operate in the Azure Commercial Cloud and have global commercial personnel and directory services. On the other hand, Microsoft GCC High tenants operate in a physically separated Azure Government cloud environment that operates only within the continental United States (CONUS) and is staffed by thoroughly screened U.S. personnel.
Most government contractors already have integrated Microsoft cloud solutions into their operations. However, Microsoft GCC High is a must for future and current DoD contracts subject to data sovereignty, CONUS, REL TO USA, Export Control (EAR/ITAR) or No Foreign Nationals (NOFORN) requirements. It is also a requirement for Federal contracts having certain Controlled Unclassified Information categories like CUI Specified.
What Is Microsoft GCC High?
Microsoft GCC High is a version of Microsoft Office 365 designed to support the compliance requirements of the United States Defense Industrial Base (DIB). Although Microsoft Office 365 GCC High has the same productivity services as the commercial Office 365 suite, such as Teams collaboration and file and email sharing, it is located within the U.S. and, as mentioned above, access is restricted to thoroughly screened Microsoft staff who are U.S. citizens as defined in 15 CFR § 772.1 and 22 CFR § 120.15.
Microsoft GCC High is also physically and logically separated from the commercial versions. It satisfies the DFARS security requirements for Cloud Service Providers (CSPs) to meet the FedRAMP Moderate baseline and to remain compliant with the media protection and preservation, incident reporting, and damage assessment requirements for CUI processing, storage, and transmission in the cloud.
What Should You Consider When It Comes to Microsoft Office 365 GCC?
In the past, the qualification process for Microsoft GCC High was lengthy and required burdensome documentation. Only U.S. Government (Category 1) entities and contractors handling and processing certain data types (Category 3) could buy GCC High. All other contractors and solution providers (Category 2) were excluded. Contractors had to jump through various hoops, navigate a highly confusing process, and face extended delays to get qualified by Microsoft for Microsoft Office 365 GCC High.
Besides having to prove they held a contract specifying the controlled data types that Microsoft accepted and finding a sponsor organization, contractors also had to provide a signed DD Form 254 or a signed contract. The difficult, long process left many contractors anticipating CUI requirements in their upcoming contracts with no way of qualifying for Microsoft GCC High in time.
Today, Microsoft has relaxed the Microsoft Office 365 GCC High restrictions in response to the DFARS Interim Rule, CMMC 2.0, and NIST SP 800-171 requirements. As of January 2021, any of the three categories can purchase Microsoft Office 365 GCC High through a streamlined new qualification process that does not require validation of sponsorships or contracts. An eligible Microsoft Office 365 GCC High customer falls into one of the following categories:
|Persons or Entities Eligible for Microsoft Office 365 GCC High|
|Category 1: "A U.S. Government" Entity||This includes any:|
|Category 2: "A Solution Provider"||Any non-Government provider engaged in business with any valid entity of the U.S. Government.|
|Category 3||Any non-Government entity or organization holding:|
Hence, the platform is now open to more DoD contractors, and qualification is greatly sped up.
Any Department of Defense contractor with a CAGE Code or a DUNS Number registered through the GSA SAM (System for Award Management) can migrate to Microsoft GCC High and take advantage of its compliance measures related to ITAR, NIST SP 800-171, and FedRAMP High, among others, and its enhanced cybersecurity posture. DoD and Federal contractors today can skip the tedious, long qualification process and use an online, automated service. Below are the steps toward migration:
- ❖ Determining the Eligibility Status: A contractor needs to verify their CAGE Code or DUNS Number on the DLA search page.
- ❖ Filling In an Online Validation Form from Microsoft: The company should carefully fill in the Microsoft online form, specifying under “My organization is” the option “customers handling government-controlled data.” Otherwise, the general form link can also be used. A trial subscription may also be available.
- ❖ Providing the Necessary Documentation: Microsoft U.S. Government Cloud Eligibility Team will send a documentation request to the contractor. The contractor will provide either of the following:
- ➢ Valid CAGE Codes or a Full SAM Registration (including DUNS Number): The SAM registration should be for “All Awards.” Microsoft will deny the request if the SAM registration is for “Federal Assistance Awards” only.
- ➢ Evidence of a GSA Schedule Government contract (direct or indirect): This can be provided as a contract number or as documentation.
- ➢ Signed Purchase Order, Contract, or Invoice (certified electronic or ink): This should be from a valid U.S. government agency or entity. The data owner’s entity name must be visible. The document must indicate the regulated data as a direct or indirect contract delivery.
- ➢ A sponsorship letter: It should be provided by a valid U.S. Government agency or entity, another government contractor previously approved by the government, or a solution provider working directly with a valid U.S. Government agency or entity. It must be on letterhead, carry an ink or certified electronic signature, and specify the controlled information involved (CUI, CJIS, ITAR, and UCNI).
- ❖ Get Approval from Microsoft: After a contractor sends all the requested documentation to the Microsoft U.S. Government Cloud Eligibility Team, Microsoft will take about 3-7 days to approve. The contractor should watch their email closely so that any problems arising from the submission can be addressed promptly.
- ❖ Start the Migration: Upon approval by the Eligibility Team, the contractor can start mapping out their migration to the Microsoft GCC High platform. You can seek the assistance or guidance of a Managed Security Service Provider (MSSP) like Cleared Systems to help with migration. The company should have expertise in DoD contractor compliance, cybersecurity, and Microsoft GCC High cloud migration. The MSSP will get the operations securely and smoothly running with minimal downtime and maximum flexibility.
As mentioned above, the Azure Government servers that Microsoft GCC High uses are virtually and physically isolated for sole use by Federal contractors and agencies. Unlike other commercial cloud solutions, Azure Government uses US-only sovereign directory services, a more secure set-up than servers with global access. Data processing and transmission occur only within the continental United States (CONUS), which adds a further layer of protection.
Background Checks Requirements
Average Office 365 users do not automatically have standing access to Microsoft GCC High. Although the background checks for granting access are similar to those used for Microsoft Office 365 GCC, there are additional steps, especially under DoD IT-2 regulations and the Office of Defense Trade Controls (DDTC) Debarred Persons List. Below is a list of the background checks performed by various agencies:
|Background Checks Requirements|
|Criminal history check||A seven-year record check for any misdemeanor or felony offenses at the local, county, state, and federal levels.|
|Employment history check||Verification of employment history for the last 7 years.|
|Office of Foreign Assets Control List (OFAC)||A validation against the Department of the Treasury list of groups with which United States citizens cannot engage in financial and trade transactions.|
|Office of Defense Trade Controls Debarred Persons List (DDTC)||A validation against the State Department list of entities and persons barred from defense-industry-related export activities.|
|Department of Defense IT-2||Any staff requesting elevated access or permissions to customer data, or privileged Admin access to DoD SRG L5 service capabilities, must pass DoD IT-2 adjudication based on an OPM Tier 3 investigation.|
|Fingerprint Check||A background check of fingerprints against the Federal Bureau of Investigation's databases.|
|Education verification||Verification of the highest attained degree.|
|Bureau of Industry and Security List (BIS)||A validation against the Department of Commerce list of entities or persons barred from engaging in any export-related activities.|
|Social Security Number Search||Verification of the validity of the provided Social Security Number (SSN).|
Barriers to Entry and Cost
Microsoft Office 365 GCC High is geared towards a narrower user base than Microsoft Office 365 GCC, and organizations are required to complete a Microsoft verification process. The contractor should present a signed contract that proves their eligibility and a GCC High sponsorship letter from the government agency or entity they will be working with.
Microsoft GCC High is not as feature-rich, which is among its downsides. That is because various Microsoft 365 tools, such as Yammer, do not meet the security standards needed to operate within the requirements of Microsoft GCC High. Further, other features such as Microsoft Defender have to be completely rebuilt and restructured for use in Microsoft GCC High. Therefore, Microsoft GCC High is somewhat more expensive to implement and operate than Microsoft GCC.
A Description of Microsoft GCC High Services
Security and Enterprise Mobility for the U.S. Government
Built on the Azure Government cloud, the EMS (Enterprise Mobility + Security) offerings for Microsoft Office 365 GCC High are designed to interoperate with the Microsoft GCC High and DoD environments. EMS E5 is available to both DoD and GCC High customers. However, Microsoft Defender for Identity and Microsoft Defender for Cloud Apps are only available to Microsoft 365 GCC High clients.
Azure Information Protection P1/P2, Azure AD P1/P2, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, and Microsoft Intune are all FedRAMP High certified. Contractors using the EMS for U.S. Government offering in Microsoft GCC High and DoD benefit from the features below:
- ❖ Compliance with the accreditations and certifications required for United States public sector organizations, including the Department of Defense Security Requirements Guide, ITAR, and DFARS 7012.
- ❖ The contractor’s customer content is logically and physically segregated from Microsoft’s commercial services customer content.
- ❖ Access to a company’s customer content is strictly restricted to the screened Microsoft personnel.
- ❖ A contractor’s customer content is always stored within the continental United States.
Microsoft Defender for Microsoft Office 365
This is a cloud-based email filtering service that helps protect a company against malware and unknown viruses by providing substantive zero-day protection. It also includes real-time features to protect an organization from harmful links. Such capabilities are essential to meeting the NIST 800-171 3.14 security controls for system and information integrity. However, a company cannot achieve compliance just by turning Defender for Office 365 on.
Defender for Office 365 has powerful URL tracking and reporting capabilities. These reports can cover the actions of particular system users and uniquely trace them so that individuals can be held accountable for their acts of omission or commission, in line with NIST 800-171 section 3.3.2. This gives Admins clarity and insight into the attacks their organizations may be facing. Defender for Office 365 also covers most Exchange architectures, whether on-premises, hybrid, or Exchange Online, if properly configured.
SharePoint For United States Government
Organizations can manage and share content, applications, and knowledge to empower teamwork, find information quickly, and collaborate seamlessly using SharePoint in Microsoft Office 365. Below are some of the differences in IT admin features between government cloud and commercial customers:
- ❖ Multi-geo isn’t available for all Microsoft GCC customers.
- ❖ Hybrid SharePoint Server isn’t available for Microsoft GCC High clients.
- ❖ The SharePoint Migration Manager and Migration Tool require a change in configurations.
- ❖ Microsoft GCC High clients cannot change their site addresses.
- ❖ Microsoft GCC High doesn’t support Mover.io.
AIP Premium Government
AIP (Azure Information Protection) is a cloud-based solution that helps contracting companies classify and protect their emails and documents using labels. Admins define the conditions and rules under which labels are applied automatically; labels can also be applied manually by users, or in a hybrid approach where users are given recommendations.
Contractors can use AIP labels to classify their emails and documents. Once labelled, the classification remains identifiable regardless of whom the data is shared with or where it is stored. Labels may include visual markings such as a header, footer, or watermark. Metadata is added to emails and files in clear text.
This ensures that other services, such as DLP (Data Loss Prevention) solutions, can easily identify the classification and take the necessary action. There are known feature gaps between AIP Premium and the Microsoft GCC High and DoD environments that a company should review. Classification and labelling using AIP can help an organization meet Section 3.13 of NIST SP 800-171 and CMMC Access Control practices (CMMC AC.2.1.6).
Microsoft Forms for United States Government
Microsoft Forms doesn’t allow external sharing in the Microsoft GCC High environment. An organization’s employees can only:
- ❖ Access Form results
- ❖ Fill out a form and submit the responses.
- ❖ Collaborate in a form or co-author a form
- ❖ Share or duplicate a template of a form.
More limitations imposed on Microsoft Forms in Microsoft GCC High are listed here.
Microsoft Teams for United States Government
Microsoft Teams facilitates teamwork within Microsoft Office 365. The service enables video and audio calling, instant messaging, web conferencing, and mobile experiences. Further, Teams provides data and file extensibility and collaboration features.
Microsoft GCC High for Cybersecurity Maturity Model Certification (CMMC)
As mentioned above, CMMC compliance is critical in securing Controlled Unclassified Information (CUI) and using Microsoft GCC is a critical part of that.
What Is CMMC?
CMMC refers to a U.S. DoD program that applies to Defense Industrial Base contractors. It is a unifying standard and certification model ensuring that all DoD partners, subcontractors, and contractors protect sensitive information in accordance with the applicable laws, government policies, and regulations. The current version is CMMC 2.0, released by OUSD A&S in November 2021. It is designed to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with the Department of Defense. It builds on and replaces NIST 800-171 and is closely related to various DFARS clauses.
CMMC 2.0 will be steadily phased into DoD contract bidding. Other United States Federal agencies on the GSA schedule will likely adopt CMMC 2.0 too. It is anticipated that over 300,000 contractors will have to maintain some level of CMMC certification. The main goals of the Cybersecurity Maturity Model Certification include:
- ❖ Maintaining public trust via high ethical and professional standards.
- ❖ Ensuring accountability and minimizing barriers to compliance with Department of Defense requirements.
- ❖ Safeguarding sensitive information such as CUI and ITAR data while protecting the warfighter.
- ❖ Contributing towards a collaborative cybersecurity and cyber resilience culture.
- ❖ Dynamically enhancing DIB cybersecurity to address constantly evolving threats.
Journey to Achieving CMMC Compliance
Becoming CMMC compliant is a journey, and selecting the right cloud infrastructure is an essential step. By using the Microsoft cloud, whether GCC or GCC High, organizations can inherit the controls that Microsoft has put in place to ensure compliance. This saves an organization a considerable volume of work compared with achieving CMMC compliance on its own while owning its data centers. Are you a DIB contractor that has to be CMMC compliant? You should begin thinking about CMMC 2.0 now. With over 300,000 DIB contractors required to move to CMMC 2.0 soon, large audit backlogs are likely to accompany this large undertaking.
CMMC 2.0 Model
There are three levels of Cybersecurity Maturity Model Certification.
Level 1 (Foundational)
There are 17 practices in CMMC 2.0 Level 1. Companies certified at CMMC 2.0 Level 1 must complete an annual self-assessment.
Level 2 (Advanced)
Any Federal contractor creating or receiving Controlled Unclassified Information (CUI) must be Level 2 certified. This level is based on the NIST SP 800-171 security practices. Companies certified at CMMC 2.0 Level 2 must have a triennial (every three years) assessment by a CMMC Third Party Assessment Organization (C3PAO). Remember, any organization creating, receiving, disseminating, or storing CUI such as ITAR data should implement a Microsoft GCC High cloud infrastructure.
Level 3 (Expert)
CMMC 2.0 Level 3 has 110+ practices based on NIST SP 800-172. As at Level 2, triennial assessments are required at this level, but they are government-led. It is estimated that no more than 200 DIB contractors in the U.S. will require Level 3 certification. Additionally, this level will likely require provisions beyond Microsoft Office 365 GCC High.
Since CMMC 2.0 Level 2 requires the most planning and decision making, let us consider it in relation to Microsoft Office 365 GCC and GCC High.
Microsoft Office 365 GCC High and GCC for CMMC 2.0 Level 2 Compliance
Is your company subject to the dictates of DFARS 7012? Then you have no choice but to operate in a Microsoft GCC High or GCC cloud environment. In fact, Microsoft GCC High, GCC, and DoD are the only cloud environments where Microsoft contractually agrees to meet its clients’ needs in relation to DFARS 7012, a core requirement of CMMC 2.0 Level 2. If you have any operational requirements under the International Traffic in Arms Regulations (ITAR), No Foreign Nationals (NOFORN), or the Export Administration Regulations (EAR), you will need to migrate to Microsoft GCC High.
Organizations might think that moving to Microsoft GCC now and to Microsoft GCC High later is easier. However, this will result in disruptions to day-to-day operations. Cloud migrations like those offered by Cleared Systems require significant work and some downtime. Unfortunately, Microsoft does not have a simple way of moving into Microsoft Office 365 GCC High or GCC from a commercial cloud. The organization has to conduct a complete migration project whether it moves from a commercial cloud platform to GCC or from GCC to Microsoft Office 365 GCC High. Such projects are best handled by experienced professionals.
Is Microsoft Office 365 GCC High CMMC 2.0 Compliant Out-Of-The-Box?
Simply put, no. Microsoft Office 365 GCC High is best thought of as a broad set of services which, with proper deployment, can give a DIB contractor robust support for compliance requirements such as CMMC 2.0, DFARS 7012, and export control requirements such as ITAR. It is a platform that organizations can build on to support various use cases, but it is not a compliant system boundary in itself. Contractors have to configure the features and services described above to meet the specific controls, practices, and requirements. It is recommended that companies use Azure Blueprints as their starting point for implementing a secure baseline configuration.
Migration and Configuration Services
Cleared Systems specializes in helping federal prime contractors and subcontractors adopt Microsoft GCC High for CMMC 2.0 audit readiness and DFARS 7012 compliance. Though many companies offer Microsoft Office 365 GCC High migration and deployment services, Cleared Systems has over 25 years of experience helping defense contractors. We have robust documentation, vetted configuration baselines, and compliance and managed security services. At Cleared Systems, we can help plan and orchestrate an organization’s move to Microsoft GCC High as part of a holistic compliance strategy. We offer the following services:
- Pre-migration system design and consulting
- Migration and implementation services
- Managed Security Services
- Configuration baselines
- Program management
- Compliance Advisory
Are you planning for a migration to Microsoft GCC High or GCC to meet various compliance requirements? Contact us at Cleared Systems for a seamless migration and compliance consulting.