Understanding FedRAMP in Microsoft

Published on May 13, 2019

Before 2011, government IT architecture was fractured across thousands of isolated systems. Compliance needs varied by department, each government entity handled its own unique IT ecosystem, and the physical equipment that handled the bulk of IT needs was chained to geographic areas.

Then, in 2011, the DOI released the Cloud First Policy, which was designed to help accelerate government cloud adoption by requiring agencies to move to the cloud in a timely and secure manner. To help with the latter (security), the Federal Risk and Authorization Management Program (FedRAMP) was established to ensure that cloud environments handling government data were secure enough to handle their needs. The DOD is currently drafting its new Cybersecurity Maturity Model Compliance framework (CMMC) in 2020.

Today, we’re going to look at what FedRAMP is, why it’s essential, and how government agencies and contractors can utilize Office 365 and Azure to operate within a FedRAMP environment.

What is FedRAMP?

In the past, federal agencies were left to determine which cloud providers to use based on guidelines provided in the Federal Information Security Management Act of 2002 (FISMA). While FISMA does a great job defining security standards, it doesn’t standardize security on both the cloud side and the agency side.

After the Cloud First Policy was rolled out, and the government got serious about rapidly adopting cloud infrastructure, FedRAMP was created to help streamline cloud adoption. Since security standards were now applied to BOTH cloud providers and agencies, government agencies and contractors could rapidly choose a secure cloud environment without all of the guesswork.

This was critical for agencies. Since the Cloud First Policy called for agencies to “default to cloud-based solutions whenever secure, reliable, cost-effective cloud options exist,” many agencies were under pressure to quickly assess providers and dump resources into their cloud environment. Indeed, FedRAMP removes stress from agencies and contractors, since they can be sure that the environment is secure enough to handle their government data.

All cloud services that meet FedRAMP qualifications must adhere to NIST 800-53 and obtain FedRAMP authorization (or FedRAMP ATO). While many cloud providers have rolled out their own unique government cloud solution, Microsoft stands out as one of the core services providing FedRAMP compliant environments.

Microsoft and FedRAMP

Currently, Microsoft has three solutions that are FedRAMP compliant.

  1. Azure Government
  2. Office 365 U.S. Government (including GCC High)
  3. Dynamics 365 Government

Let’s quickly go over each of these solutions.

Azure Government

“If I had to describe Azure Government in one sentence, I would say that it’s a sovereign cloud that’s dedicated to U.S. government workloads.” - Steve Michelotti, Principal Program Manager, Microsoft.

Microsoft’s Azure Government gives government agencies the tools and resources to migrate critical workflows to the cloud. Not only is Azure Government FedRAMP, NIST 800-171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS compliant, but its physical servers are located in the US and are extremely secured. In fact, Microsoft has pledged $1 billion on physical security alone.

To see just how secured these centers are, check out our blog on Microsoft Government Security.

We won’t go over all of the ways that Azure’s key combination of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) can benefit governments. Indeed, there’s simply too much to cover.

Additionally, to get a more detailed look, check out: What is Azure Government?

Office 365 U.S. Government

The core offerings of Office 365 come in government form. This provides government agencies with the convenient, easy-to-use apps that are included in Office 365, but with the security measures (like FedRAMP) that they need to operate.

It’s important to note that Office 365 Government may not be suitable for every government environment. In particular, DOD and DOD contractors have additional layers of security standards that they must adhere to, which are included in GCC High (we’ll cover this in a moment).

Office 365 U.S. Government offers all of these FedRAMP-compliant features.

  • Outlook
  • Online meetings (via Teams)
  • Skype connectivity
  • OneDrive
  • Company-wide intranet
  • Word
  • OneNote
  • PowerPoint
  • Excel
  • SharePoint
  • Apps for Office and SharePoint
  • Tons of support features
  • Active Directory
  • the list goes on

Basically, Office 365 U.S. Government is Office 365 that meets U.S. government compliance standards, like FedRAMP and the upcoming Cybersecurity Maturity Model Compliance framework (CMMC).

Office 365 GCC High

While Office 365 Government is great for smaller agencies, any agency that works directly with the DOD (in terms of data) requires additional security. This is covered with Office 365 GCC High. GCC High meets the following safety standards.

*DOD subscribers receive DOD SRG L5, and non-DOD subscribers (typically contractors) receive a DOD SRG L5 environment that is segmented in DOD SRG L4. Because of the nature of these standards, Office 365 GCC High does miss out on a few Microsoft apps. These are:

Otherwise, GCC High features all of the same applications, though there are some nuances in the way that they are set up.

It’s important to note that GCC High is only available to those with over 500 seats in Office 365 UNLESS you partner with one of the 6 Microsoft Partners worldwide that are currently permitted to sell Office 365 GCC High licensing to those with under 500 seats. Agile IT is one of these 6 providers. If you think you require GCC High, you should start your Microsoft Government Validation Now.

Dynamics 365 Government

Microsoft also has a government version of Dynamics that meets FedRAMP requirements. These come in both 365 Government and GCC High. 365 Government and GCC High both have the following Dynamics licenses:

  • ProDirect Support GCC or GCC High
  • Customer Engagement Plan GCC or GCC High
  • Case Management GCC or GCC High
  • Sales GCC or GCC High
  • Sales Professional GCC or GCC High
  • Team Member GCC or GCC High
  • Customer Service Professional GCC or GCC High
  • Enhanced Support GCC or GCC High
  • Field Service GCC or GCC High
  • Customer Service GCC or GCC High

Conclusion

The Cloud First Policy introduced additional security complexities into government ecosystems. To better clarify security conditions, FedRAMP was rolled out to give government agencies and contractors visibility into cloud architectures. As long as a cloud environment is FedRAMP-compliant, agencies know that they can utilize it for government assets (as far as compliance is concerned).

Microsoft Office 365 Government, Microsoft Office 365 GCC High, Microsoft Dynamics Government, Microsoft Dynamics GCC High, and Azure Government are all FedRAMP compliant.

Are you looking for a Microsoft solution for your DOD environment? Agile IT is one of only SIX Microsoft AOS-G partners worldwide. We’re endorsed by Microsoft to help DOD agencies and contractors migrate to GCC High as well as provide critical assistance via managed services for GCC High.

This means that we can provide GCC High licenses to those with under 500 seats. Overall, we have a long history with Microsoft, and we’re excited to streamline the cloud experience for DOD and DOD contractors.

If you are looking for a solid and secure partner to manage your government cloud, Request a quote:

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
