One of the most common questions we receive is “Which cloud is right for us?”. The differences between the Commercial, GCC and GCC High Microsoft 365 environments align almost directly with your compliance needs, so it is important to understand them before making the decision. Check out our video focused on Compliance in GCC High.
What is Microsoft 365 Commercial?
Commercial Microsoft 365 is the standard Microsoft 365 cloud. It is where Enterprise, Business Essentials, Academic and even home Office 365 tenants reside. It has the most features and tools, nearly global availability, and the lowest prices. Everyone qualifies and no validation is needed. In many cases, security and compliance needs can be met in Commercial through tools like Enterprise Mobility and Security, Intune, Compliance Center, Cloud App Security, Azure Information Protection and the various Advanced Threat Protection (ATP) tools.
Compliance frameworks that can reside in Commercial include HIPAA/HITECH, NIST 800-53, PCI-DSS, GDPR, CCPA, etc. It is not meant for government or defense compliance and should not be used for it, since it shares a global infrastructure and workforce. An organization could possibly meet FedRAMP Moderate impact in Microsoft 365 Commercial, but the environment would need to be heavily augmented with additional tools. The expense, complexity, and risk involved make this an undesirable state: any change Microsoft makes to the environment could affect your posture, while you remain on the hook to patch any gaps. Although it is not officially asserted yet, Microsoft 365 Commercial is expected to meet CMMC Level 1 and 2 requirements.
What is Microsoft GCC?
GCC, Government Community Cloud, can essentially be thought of as a government-focused copy of the Commercial environment. It has many of the same features, but its data centers are located ONLY in the continental United States (CONUS), as mandated by FedRAMP Moderate. Compliance frameworks that can be met in GCC include:
- DFARS 252.204-7012 (As of February 2021 Microsoft will now attest to compliance)
- DoD SRG Level 2 (with no provisional authority)
- FBI CJIS (Criminal Justice Information Services)
- FedRAMP High
It is important to note that GCC is 100% insufficient for ITAR, EAR and most Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI) handling. The reason is that the identity component and network that GCC resides on is Azure Commercial, which does not meet import/export controls because it is global and access is not limited to U.S. citizens.
GCC Employee Background Checks
With GCC we begin to see additional employee background checks to meet various federal, state, and local government requirements.
| Check | Description |
| --- | --- |
| U.S. Citizenship | Verification of U.S. citizenship |
| Employment History Check | Verification of seven (7) year employment history |
| Education Verification | Verification of highest degree attained |
| Social Security Number (SSN) Search | Verification that the provided SSN is valid |
| Criminal History Check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level |
| Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions |
| Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities |
| Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry |
| Fingerprinting Check | Fingerprint background check against FBI databases |
| CJIS Background Screening | State-adjudicated review of federal and state criminal history by a state CSA-appointed authority within each state that has signed up for the Microsoft CJIS IA program |
What is Microsoft 365 DOD? (Department of Defense Only)
We are only mentioning the DoD enclave here for completeness’ sake. You don’t qualify… unless you are DoD. The DoD cloud was purpose-built for the Department of Defense and the DoD only. No contractors, no outside personnel, no exceptions. One thing to mention is that the DoD enclave is the ONLY one of the four clouds to meet DoD SRG Levels 5 and 6.
What is GCC High? (A Copy of DOD)
GCC High was created to meet the needs of DoD and Federal contractors that must meet the stringent cybersecurity and compliance requirements of NIST 800-171, FedRAMP High, and ITAR, or that need to manage CUI/CDI. GCC High is technically a copy of the DoD cloud, but it exists in its own sovereign environment.
With GCC High, you begin to see a noticeable loss of feature parity with the Commercial environment. Things like Calling Plans and Compliance Manager aren’t available, and several tools like Microsoft Defender ATP, Cloud App Security and Intune are missing a few functions. The reasons for this are threefold. [Update: Agile IT is now able to enable calling and audio conferencing in GCC High]
- First is the federal approval process. Each feature must be rigorously tested in the DoD and GCC High clouds to assure compliance and security.
- Secondly, for many of the applications, development and support require a dedicated staff that has passed Department of Defense IT-2 adjudication based on an Office of Personnel Management investigation.
- Finally, some Microsoft 365 applications fail to meet compliance requirements by their very nature. Ironically, this happens most frequently with security and governance tools, since they require standing access to data in order to be effective. In some cases, when the tools are critical, such as Azure Sentinel, Cloud App Security and Microsoft Defender, the tools are almost completely rebuilt to meet these criteria. Other tools, like Yammer, are simply left behind with no intent to bring them onto the roadmap.
Feature parity changes constantly. There are two places where customers can keep up with what is available. The first is the Microsoft Service Description page for each product. The second is the Office 365 development roadmap, which you can filter for GCC High under the “Cloud Instance” filter.
GCC High Eligibility
GCC High is reserved for the Defense Industrial Base (DIB), DoD contractors, and Federal Agencies. Every customer hoping to move to GCC High must first receive validation from Microsoft, which we cover in our blog, Getting GCC High Validation from Microsoft.
GCC High and DoD Background Checks
Microsoft GCC High and DoD feature the most stringent background checks for employees working in their data centers. The checks are largely the same as those for GCC, with the addition of the DoD IT-2 adjudication. This adjudication is part of an Office of Personnel Management (OPM) level 3 background check.
| Check | Description |
| --- | --- |
| U.S. Citizenship | Verification of U.S. citizenship |
| Employment History Check | Verification of seven (7) year employment history |
| Education Verification | Verification of highest degree attained |
| Social Security Number (SSN) Search | Verification that the provided SSN is valid |
| Criminal History Check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level |
| Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions |
| Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities |
| Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry |
| Fingerprinting Check | Fingerprint background check against FBI databases |
| Department of Defense IT-2 | Staff requesting elevated permissions to customer data or privileged administrative access to Dept of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation |
How to Buy GCC High or GCC?
Agile IT is one of the only AOS-G partners authorized to license GCC High for a company of any size (including under 500 seats). We hold over 15 Microsoft Gold Competencies, are a FastTrack Ready Partner, and were also one of the first Microsoft Partners selected to license and manage Azure Government. If you need GCC High for your organization, or need help finding out which cloud is right for you, contact us today.