Simply having GCC High, GCC, or Azure Government does not meet any compliance framework all by itself. This should go without saying, but NO platform comes out-of-the-box compliant. No matter which cloud you are in, you must build upon their foundational compliance to your own uses to assure you are meeting your compliance requirements. One of the strongest benefits of GCC, GCC High, and cloud computing in general is the shared responsibility model.
The Shared Responsibility Model for Compliance
As you move further away from on-premises infrastructure, the number of things you need to manage and maintain are greatly reduced. When you move from on-prem to Infrastructure as a Service (IaaS), you stop needing to manage your own virtualization, storage, or networking, As you move through Platform and Software as a Service (PaaS and SaaS), you gradually remove more and more of the infrastructure components you need to configure and maintain. With this comes cost savings, both in hardware and licensing costs, but also you are able to lean on the compliance efforts and certifications of your cloud provider.
One important thing to understand is flow-downs. In many cases, Microsoft meets or exceeds the compliance requirements of frameworks, such as DFARS, in all of their environments and have audit documentation to prove it. This is needed so that Microsoft can provide services to the government. However, in the environments without flow-downs they will not provide you with documentation that YOU meet those frameworks in that environment, meaning you cannot use the shared responsibility model in those clouds. This is important to understand when audit time comes, and you find out that Microsoft will not provide attestation that you are meeting your compliance requirements.
Using Microsoft Compliance Manager’s template for NIST 800-171 in a commercial environment, you get a clear view of the overall impact of this shared responsibility model. When you run this report, you will get a listing of total controls, and how many of those controls are managed by Microsoft and how many must be managed by your organization. Out of 396 controls, 208 are managed by Microsoft, and only 188 must be managed by the customer. All of the controls managed by Microsoft are already documented, with audit references easily accessible. The financial impact of reducing regulatory burden will vary depending on your own organizational readiness and resources, but almost always comes out as a net win for companies who move to an appropriately compliant cloud.
Microsoft Compliance across GCC, GCC High, DOD, and Commercial
|Customer Eligibility||Any||Federal, SLG, DIB||Federal, DIB||DOD ONLY|
|DC Locations||US and OCUNUS||CONUS Only||CONUS Only||CONUS Only|
|Accreditation||FedRAMP Moderate||FedRAMP Moderate||FedRAMP High||FedRAMP High|
|DFARS||NO||YES (no flow downs)||YES (flow downs)||YES|
|ITAR / EAR||NO||NO||YES||YES|
|CUI / CDI||NO||NO||YES||YES|
|DOD SRG Level||N/A||L2||L4||L5|
|NERC / FERC||YES||YES|
|CMMC||Levels 1 and 2||Levels 1 and 2||Levels 3-5||Levels 3-5|
|Customer Support||Worldwide / Commercial||Worldwide / Commercial||US Based / Restricted Personnel||US Based / Restricted Personnel|
|Directory Network||Azure Commercial||Azure Commercial||Azure Government||Azure Government|
GCC Compliance Frameworks
Understanding why specific cloud environments meet specific compliance frameworks takes a deeper understanding of what those compliance requirements are, and how the various environments are structured. While all of the Microsoft clouds meet FedRAMP moderate, and NIST 800-53, this is because there is a contractual requirement that GCC meets these frameworks, and since GCC is an segregated enclave of Commercial, those frameworks exist there as well. However, there is no contractual requirement in commercial regarding data residency, nor the limitation of screened US personnel to administer the solutions. For most frameworks, the most important consideration is where the infrastructure and directory network exist. Within Commercial and GCC, your Azure Active Directory resides in the commercial Azure environment which is a global infrastructure, and support is delivered by a global workforce.
The Defense Federal Acquisition Regulation Supplement (DFARS) is another interesting case. While Microsoft meets DFARS for GCC, they will not sign a contractual flow-down that lets customers meet DFARS in GCC, nor will they provide any form of demonstration for DFARS . It was not built for Microsoft to provide to government agencies, and thus they must meet it, but it was not built for Microsoft customers to deliver services to government agencies. If you wish to take advantage of the shared responsibility model to demonstrate DFARS compliance to your customers, you will need GCC High.
Compliance Frameworks Achievable in GCC
- FedRAMP Moderate
- NIST 800-52
- IRS 1075 – Federal Tax Information (FTI)
- CJIS (DOJ/FBI) Criminal Justice Information Services
- DOD SRG Level 2
- CMMC Levels 1-2
GCC High Compliance Frameworks
As we have explained, GCC High is, in essence, a copy of the DOD environment. As we explained in our overview of the services this is the level where you get ONLY US Based, screened personnel working in the data centers and your infrastructure and directory services ONLY exist in the continental United States facilities. This allows GCC High to meet the more stringent requirements of the Defense Industrial Base. At this level Microsoft WILL provide needed flow downs, and has both audit documentation and a contractual obligation to provide a compliant environment.
Compliance frameworks achievable in GCC High
- FedRAMP High
- ITAR International Traffic in Arms Regulation (GCC High)
- DFARS Defense Federal Acquisition Regulations Supplement (GCC High)
- DOE CFR Part 810 (GCC High)
- NIST 800-171
- DOD SRG Level 4
- CMMC Levels 3-5
What about CUI?
If you have contractual obligations to handle CUI, you hopefully have other requirements in your contract that will clarify this for you. There are over 20 different types of CUI, and each of them have their own requirements for safeguarding. Mention of CUI in a contract is enough to get Category 3 validation from Microsoft which will get you into GCC High and our official guidance is that you should err on the side of caution and use GCC High rather than GCC. If you believe that you can meet your contractual obligations without GCC High, we strongly suggest that you have this conversation with your contract liaison to clarify what requirements you must meet. With the upcoming addition of CMMC language in DOD contracts, we hope this will be further clarified.
Meeting Your DOD Compliance Requirements
Agile IT is at the top of only 8 AOS-G partners capable of licensing, implementing, migrating and managing GCC High for Microsoft Customers. With 14 years as a Microsoft Partner, Over 16 Gold competencies, and a team of former military, government, and state department employees and contractors, we understand the importance of meeting your contractual compliance obligations. To find out more about moving to GCC or GCC High contact us today. Additionally, if you need assistance reaching CMMC or NIST 800-171 compliance, AgileAdvisor provides cloud compliance services for Microsoft 365.