What are Microsoft’s Government Cloud Solutions?
Choosing the right government cloud solution is crucial when doing business with the government.
By Angie Hill
Compliance is expected of anyone doing business with the government. At Jadex Strategic Group (JADEX) we help the Defense Industrial Base (DIB) choose the right Microsoft cloud environment to meet the government's stringent compliance requirements. With the new Cybersecurity Maturity Model Certification (CMMC) framework and the National Institute of Standards and Technology (NIST) Special Publication 800-171 requirements in play, choosing the right Microsoft government cloud solution is crucial for keeping existing government business and winning new business.
Not sure which Microsoft 365 cloud environment fits your compliance needs? This article breaks down the options so you can meet your government compliance obligations and secure your data.
Microsoft Environments for Compliance
Microsoft offers three Microsoft 365 cloud environments to help organizations meet security and compliance requirements. (Microsoft 365 is delivered as Software as a Service, not Platform as a Service; the underlying hosting platform is Azure for Commercial and GCC, and Azure Government for GCC High.) Here is the high-level breakdown:
- Microsoft 365 Commercial – This environment is authorized at the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and can be configured to meet NIST 800-171, with the exception of the cyber incident reporting and forensic-support obligations in DFARS 252.204-7012 paragraphs (c) through (g). Microsoft 365 Commercial can be expected to meet CMMC Maturity Level (ML) 1 and 2 and to protect Federal Contract Information (FCI). It also ships assessment templates in its Security & Compliance Centers for managing HIPAA/HITECH, NIST 800-53, PCI DSS, GDPR, CCPA and other frameworks.
- Microsoft 365 Government Community Cloud (GCC) – This environment helps organizations, critical infrastructure operators, and the Defense Industrial Base (DIB) meet the requirements of United States (U.S.) Federal, State, Local, and Tribal governments. GCC can handle Controlled Unclassified Information (CUI) and, as of February 2021, supports the DFARS 252.204-7012 paragraph (c) through (g) requirements. GCC is used to meet federal, criminal justice, and federal tax information system requirements. It is not approved for export-controlled data (ITAR/EAR), nor can it enforce handling of data types restricted to U.S. persons only.
- Microsoft 365 GCC High – A sovereign environment or 'enclave' that is essentially a copy of the Department of Defense's (DoD) Microsoft 365 environment, hosted in Microsoft's Azure Government. It was built to the FedRAMP High baseline and is intended for CUI Specified data types and their dissemination controls.
“GCC and GCC High offer protection of CUI data types; however, GCC High provides U.S. data residency and support staff who are U.S. citizens with background checks. GCC does not.”
Is GCC or GCC High Required?
Technically, no. However, if you are working toward a long-term cloud compliance strategy that must protect sensitive data types and CUI, then GCC or GCC High is the best solution on the market.
The major differences between GCC and GCC High are the data types each is approved to handle and whether access is restricted to U.S. persons. GCC meets federal, criminal justice, and federal tax information system requirements, whereas GCC High meets DFARS, the DoD Cloud Computing Security Requirements Guide (SRG), and International Traffic in Arms Regulations (ITAR) requirements and is supported by U.S. persons only. Microsoft does not guarantee that only U.S. persons have visibility into data in GCC.
Compared with competitors such as AWS GovCloud and Google Workspace (which holds a JAB authorization), GCC and GCC High offer the largest number of FedRAMP-authorized services (hint: future articles will compare GCC High against these competitors).
GCC High is listed as FedRAMP "In Process" at the High baseline, one step short of full authorization (FedRAMP recognizes three stages of readiness: Ready, In Process, and Authorized), which puts it further along that path than the competing offerings.
Ultimately, it is important to note that the Commercial and GCC versions of the platform can be configured to meet NIST 800-171 and the vast majority of CMMC's requirements. Compliance is achieved by combining the platform's native security products and capabilities with a security team that configures and operates them.
GCC and GCC High Offer:
- U.S. data residency
- U.S. support personnel (GCC High only)
- FedRAMP status
- A Defense Information Systems Agency (DISA) Impact Level rating
- Forensic information to support cyber incident reporting (DFARS 252.204-7012)
Top Reasons to Choose GCC High
- U.S. data residency
- Supported by background-checked U.S. persons
- Closest to FedRAMP Authorized among competitors
- Handles data marked under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR)
- Meets the DFARS 252.204-7012 paragraph (c) through (g) flowdown requirements for protecting CUI and Controlled Technical Information (CTI)
- CUI data types:
  - Covered Defense Information (CDI)
  - EAR data and research
  - DoD Critical Infrastructure Information
  - Unclassified Controlled Nuclear Information (UCNI)
- Can protect CUI Specified carrying the dissemination control:
  - REL TO USA
- Suitable for workloads at DISA Impact Level (IL) 4 or higher (rated at DISA IL 5, the FedRAMP High equivalent)
Top Reasons to Choose GCC
- U.S. data residency
- Meets federal, criminal justice, and federal tax information system requirements, including FBI CJIS (Criminal Justice Information Services)
- DoD Cloud Computing SRG Impact Level 2
- CUI Basic (unspecified CUI without dissemination controls)
Are you a government contractor working in the DIB? Contact JADEX for help obtaining the right licensing and configuring your GCC environment for compliance. JADEX can answer your questions and pair your Microsoft solutions with our information security and compliance expertise.
“We transform how people work.”