
What Contractors Need to Know About Microsoft Cloud Compliance (Commercial vs. GCC vs. GCC High)

Eric Bragger
March 26, 2021

Microsoft has recently made significant improvements to the Government and Department of Defense (DoD) compliance of its cloud offerings for Microsoft 365 (M365), Microsoft Office 365 (O365), and Microsoft Azure.

However, these changes have also resulted in significant misinformation and confusion in the marketplace. This article will explain the very important compliance details that are often omitted when discussing which cloud offerings are right for your current and future business needs.

Choosing the proper cloud offering is a critical, strategic business decision for contractors.

The cloud offering:

  • Provides the foundation for cybersecurity and compliance.
  • Directly impacts whether your business qualifies to work on future contracts, including contract modifications and extensions.
  • Directly impacts whether Prime contractors, partners, and customers are willing to work with your business today and in the future.
  • Directly impacts how your cybersecurity and compliance is evaluated when awarding contracts and choosing members of teaming agreements.

Deciding which cloud offering is right for migration of your services and data is a significant commitment of time, effort, and expense. Choosing the wrong cloud offering may result in non-compliance, disqualifying you from future contracts and partnerships. Making the right decision the first time is critical to keeping business flowing and avoiding the delays and costs of another cloud migration.

The cloud and compliance experts at Peerless are available to help you make the best decision possible for your current and future business needs, whether it is your first move to the cloud or you are considering a more compliant cloud offering.

Microsoft recommends three cloud offerings for Government contractors and DoD / Defense Industrial Base (DIB) contractors:

  • Commercial
    • Available to any businesses or individuals.
    • Datacenter locations are global.
    • Microsoft personnel supporting Commercial are global.

  • Government Community Cloud (GCC)
    • Available only to Government / DoD contractors.
    • Contrary to its name, GCC operates as part of the Commercial Cloud.
    • Datacenter locations are a combination of U.S. and Global.
    • Microsoft personnel supporting GCC are global.

  • Government Community Cloud High (GCC High)
    • Available only to Government / DoD contractors.
    • GCC High operates as part of a separate U.S. Government cloud.
    • Datacenter locations are in the Continental U.S. (CONUS).
    • Microsoft personnel supporting GCC High are screened U.S. citizens.

NOTE: Microsoft “DoD” and other Government cloud offerings are only available to Government agencies, not directly to contractors.

Bringing clarity to the many different compliance requirements and considerations.

Compliance requirements (as specified by contracts, laws, regulations, and industry) are complex, interconnected, and ever-changing.

In the following summary table, we demystify the most significant caveats and details associated with common Government and DoD contractor compliance requirements.

[Table: Peerless Summary of Microsoft Cloud Compliance (image not reproduced here)]


What type of contractor you are may significantly affect the offering you choose.

Commercial Off the Shelf (COTS) suppliers:

  • Provide the Government / DoD with goods and services commercially available to the public.
  • Cloud offerings:
    • GCC High – Compliant
    • GCC – Maybe compliant
      • Depends on contract requirements (current and future).
      • Depends on specific DoD Agency requirements.
      • Not compliant for U.S. Sovereignty requirements.
      • Not compliant for Export Control requirements (e.g., ITAR, EAR, NOFORN, FOCI).
      • Depends on what categories – if any – of Controlled Unclassified Information (CUI) are being created on behalf of and/or received from the Government.
    • Commercial – Maybe compliant
      • Depends on contract requirements (current and future).
      • Depends on specific Government Agency requirements.
      • Not compliant for Export Control requirements (e.g., ITAR, EAR, NOFORN, FOCI).
      • Not compliant for U.S. Sovereignty requirements.
      • Compliant for Federal Contract Information (FCI) created on behalf of and/or received from the Government. For example, Government-specific specifications for goods and services, as opposed to the publicly available versions of those goods and services.
      • Not compliant for Controlled Unclassified Information (CUI) created on behalf of and/or received from the Government. For example, Government specifications or collaborative information for goods and services used in a sensitive Government program, as opposed to the publicly available versions of those goods and services.
  • Compliance regulations currently applicable include:
    • FAR 52.204-21, if receiving FCI.
    • DFARS 252.204-7012, if receiving CUI.
    • Other requirements indicated in contracts.
      • Exceptions to some requirements are permitted for COTS suppliers in DFARS 252.204-7012 and other regulations; however, these exceptions may need to be requested and approved.

DoD Contractors (Non-COTS):

  • Cloud offerings:
    • GCC High – Compliant
    • GCC – Maybe compliant
      • Depends on contract requirements (current and future).
      • Depends on specific Government Agency requirements.
      • Not compliant for Export Control requirements (e.g., ITAR, EAR, NOFORN, FOCI).
      • Not compliant for U.S. Sovereignty requirements.
      • Depends on what categories – if any – of Controlled Unclassified Information (CUI) are being created on behalf of and/or received from the Government.
    • Commercial – Not compliant
      • Because of the requirements in DFARS 252.204-7012.
  • Compliance regulations currently applicable include:
    • FAR 52.204-21.
    • DFARS 252.204-7012.
    • Other requirements indicated in contracts.

Government Contractors (Non-COTS, Non-DoD):

  • Cloud offerings:
    • GCC High – Compliant
    • GCC – Maybe compliant
      • Depends on contract requirements (current and future).
      • Depends on specific Government Agency requirements.
      • Not compliant for Export Control requirements (e.g., ITAR, EAR, NOFORN, FOCI).
      • Not compliant for U.S. Sovereignty requirements.
      • Depends on what categories – if any – of Controlled Unclassified Information (CUI) are being created on behalf of and/or received from the Government.
    • Commercial – Maybe compliant
      • Depends on contract requirements (current and future).
      • Depends on specific Government Agency requirements.
      • Not compliant for Export Control requirements (e.g., ITAR, EAR, NOFORN, FOCI).
      • Not compliant for U.S. Sovereignty requirements.
      • Not compliant for Controlled Unclassified Information (CUI) created on behalf of and/or received from the Government.
  • Compliance regulations currently applicable include:
    • FAR 52.204-21.
    • Other requirements indicated in contracts.

Multiple cloud offerings (e.g., separate cloud enclaves) can be used as a mitigation to meet specific requirements. For example, the Commercial cloud can be used for general employees while the GCC High cloud is used for employees who handle sensitive information. This increases operational complexity and the risk of sensitive data spillage (i.e., cross-contamination) into a non-compliant environment, but may reduce costs. Other mitigations that may satisfy compliance in a lesser cloud environment include Virtual Desktop Infrastructure (VDI) / Remote Access technologies and third-party compliant encryption.

There is only one choice if you want to ensure your data is protected from foreign nationals, and/or has the highest available levels of cybersecurity and compliance, and/or is best prepared for future contractual requirements.

GCC High is the most secure and compliant offering currently available anywhere for Government and DoD contractors.

  • GCC High datacenters are U.S. Only, in the Continental United States (CONUS).

    • GCC datacenters are a combination of U.S. and global, outside the Continental United States (OCONUS).
      • Active Directory (AD) is hosted globally, potentially allowing foreign nationals access to confidential employee information, user authentication, and technical security settings.
      • Some services can be configured to only store data in U.S. datacenters.
      • Only the data of certain “covered services” is stored in the U.S. These include the core Office Online and Office Mobile services, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.
    • Commercial datacenters are global, outside the Continental United States (OCONUS).

  • GCC High personnel are screened U.S. Citizens with background checks.

    • GCC personnel are global and include foreign nationals.
      • The “Customer Lockbox” feature is available for certain support licenses to require your authorization before customer support can access your data.
    • Commercial personnel are global and include foreign nationals.
      • The “Customer Lockbox” feature is available for certain support licenses to require your authorization before customer support can access your data.

  • GCC High supports all major Government and DoD compliance requirements, including:

    • FAR 52.204-21 (Federal Acquisition Regulation 52.204-21)
    • DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement 252.204-7012, “DFARS 7012”) paragraphs C thru G and K thru M
    • DFARS 252.204-7012 Interim Rule of 9/29/2020 (effective 11/30/2020)
    • NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171)
    • CMMC L1 thru L2 (Cybersecurity Maturity Model Certification Maturity Levels 1 thru 2)
      • L1+ required for FCI (Federal Contract Information)
    • CMMC L3 thru L5 (Cybersecurity Maturity Model Certification Maturity Levels 3 thru 5)
      • L3+ required for CUI (Controlled Unclassified Information)
    • NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53)
    • RMF (Risk Management Framework) for Government and DoD
    • DoD Cloud IL4 (DoD Cloud Security Requirements Guide: Impact Level 4)
    • FedRAMP High (Federal Risk and Authorization Management Program: High)
      • All Microsoft services and features are compliant.
      • Services and features are evaluated for compliance in advance of being made available.

  • GCC High supports the requirements for all types of unclassified, sensitive information:

    • FCI (Federal Contract Information)
    • CUI Basic (Controlled Unclassified Information Basic)
      • Non-specified CUI Categories
      • Legacy markings, such as: FOUO (For Official Use Only), Sensitive But Unclassified (SBU), and Sensitive Information
    • CUI Specified (Controlled Unclassified Information Specified)
      • Specified CUI Categories
    • CDI (Covered Defense Information)
      • Equivalent to CUI per DFARS 252.204-7012
    • CTI (Controlled Technical Information)
      • CUI Specified Category under the Defense group, marked as “SP-CTI”
    • Export Control
      • EAR (Export Administration Regulations)
      • ITAR (International Traffic in Arms Regulations)
      • No Foreign Nationals (NOFORN)
      • Foreign Ownership, Control, or Influence (FOCI)

  • GCC High supports U.S. Sovereignty requirements:

    • U.S. Persons
    • U.S. Citizens
    • No Foreign Nationals (NOFORN)
    • No Foreign Governments
    • No Foreign Organizations
    • Foreign Ownership, Control, or Influence (FOCI)

Microsoft added to the confusion with the release of its own compliance summary table.

The following table released by Microsoft combines different compliance requirements that should be distinct and does not indicate certain caveats that are very significant to determining compliance. We have seen industry marketing based on this table that communicates incorrect or incomplete information about compliance. This could lead Government and DoD contractors to choose the wrong cloud environment for their needs.

[Table: Microsoft's Table of Cloud Compliance (as of 3/2/2021) (image not reproduced here)]

We have clarified Microsoft’s table by providing our opinion of compliance, after consulting with the authors of the Microsoft table and evaluating the important caveats that were not represented. We recommend using the much more detailed Peerless Summary of Microsoft Cloud Compliance above for the most thorough and complete representation of this information.

[Table: Peerless Clarification to Microsoft’s Table of Cloud Compliance (as of 3/2/2021) (image not reproduced here)]


We are here to understand your needs and help your business make the right decisions for IT and compliance

Peerless Tech Solutions has cloud and compliance experts ready to help your business choose the right cloud offering, migrate to your new cloud, and achieve / maintain compliance with current and future requirements.

Contact us to get started.
