Introduction to GCC High, GCC, and Azure Government Cloud
Microsoft has made it easy to reach complex government-mandated compliance requirements, however, understanding which cloud, which environment, what type of licensing and how to approach migration to Microsoft’s Government cloud is almost as complicated. In this blog, we are going to attempt to simplify the hundreds of questions we have received as both Azure Government Cloud, GCC, and GCC High consultants and licensors. We are going to cover what the environments are, what their unique security and compliance features are, what environment is needed for specific compliance frameworks, how to license, and even how to make the case to internal stakeholders to explain the added costs. Any questions, please leave a comment. We’re here to help.
Microsoft 365 Environments: Commercial, GCC, GCC High, DOD
There are four Microsoft environments to understand in order to make sure you chose the right cloud for your organization (Not including Microsoft Cloud in Germany and 21ViaNet in China). These are Commercial, GCC, GCC High and DOD. Each has it’s own unique compliance abilities, features, pricing and licensing, and migration path.
Microsoft 365 - Commercial Environment
This is the good old Office 365 you are familiar with. Anyone can get an account here, for any number of users, and the full range of features are available. It is globally available and is where home, enterprise, commercial, non-profit, and academic tenants all reside.
Microsoft GCC Environment (Government Cloud Computing)
GCC is an isolated instance of Office 365 Commercial created specifically for government. GCC features additional compliance controls around its data centers. GCC is available for local, state, federal and tribal governments, and their approved contractors. GCC has near feature parity with the commercial environment.
Microsoft DOD Environment
On the opposite end of the security and compliance spectrum from commercial environments is Microsoft DOD. Microsoft 365 DOD is a completely isolated environment for use ONLY by the U.S Department of Defense. The DOD cloud is built for strict compliance controls, such as zero standing access to data, and all Microsoft employees operating in the environment must complete DOD IT-2 adjudication and a Tier 3 OPM investigation. Each service in this environment is vetted and approved by the DOD, which leads to a difference in features and release dates. As a rule of thumb, new products and features get introduced to DOD about 12-14 months after reaching commercial general availability.
Microsoft GCC High
Just as GCC is an isolated copy of Microsoft commercial environments, GCC High is a copy of the DOD environment. GCC High is intended for DOD contractors who work with controlled unclassified information (CUI) or who are subject to International Traffic in Arms Regulations (ITAR). As it is a copy of the DOD environment, it also lacks feature parity with the commercial environments, with some services, such as Yammer and Compliance Center expected to never be included due to compliance architecture conflicts. (Yes, there is some irony that Compliance Center is not DOD compliant, which we explain below.)
Compliance in GCC, GCC High, and Commercial Environments
The various government clouds are built to meet specific compliance frameworks within a shared responsibility model. Shared responsibility means that Microsoft manages some controls, while the customer manages others. In the case of FedRAMP moderate, for example, there are 1022 individual actions that are mapped to specific controls. Under shared responsibility, Microsoft manages 807 of those controls and provides full documentation behind them, while the customer manages a much more reasonable 215. However, it is still important to understand what cloud to choose based on your own compliance requirements. Below is a breakdown of the four clouds
|Accreditation||FedRAMP Moderate||FedRAMP Moderate||FedRAMP High|
|CUI / CDI||No||Only Unspecified||Yes|
|Customer Eligibility||Any||Federal / SLG / Tribal / DIB||Federal / DIB|
|Customer Support||Worldwide / Commercial Personnel||Worldwide / Commercial Personnel||US Based / Restricted Personnel|
|DFARS 252.204-7012||No||Yes (As of Feb 2021)||Yes|
|DOD SRG Level||N/A||Level 2||Level 4|
|Datacenter Locations||US & OCONUS||CONUS Only||CONUS Only|
|Directory / Network||Azure Commercial||Azure Commercial||Azure Government|
|HIPAA / HITECH||Yes||Yes||Yes|
|ITAR / EAR||No||No||Yes|
|NERC / FERC||No||No||Yes|
Feature Parity between Commercial and GCC High
Due to the additional requirements in GCC High, there is not feature parity between it and the commercial clouds. The following are services not yet in GCC High:
- PowerBI Pro
- Office 365 ProPlus
- Project Online
- Cloud App Security
- Calling Plans for MS Teams
- Microsoft App Store
Even when a product is available in GCC High, all of its features may not be. The Microsoft Office 365 US Government platform service description has further details on this: An excellent example is Microsoft Defender ATP in GCC High, which, while available, lacks the following features:
- Live Response
- Threat protection reporting
- Machine Health and compliance report
- 3rd party integrations
- Microsoft integrations with
- Azure Security Center
- Azure ATP
- Office 365 ATP
- Microsoft Intune
Note, this list is not exhaustive, and new features are released frequently. The canonical source for feature updates in GCC High is Microsoft’s service description.