GCC High Guide

Government Requirements & Microsoft 365 GCC High Solutions

The first step to meeting your Federal Government-related requirements is to know what you need and why.

Government Compliance

For organizations that work within the United States Defense Industrial Base, there is a wide array of compliance requirements depending on the given department, agency, and the type of data and communication you are working with.

This is general guidance and not an authoritative answer.
We always recommend the following:

  • Work with your program office.
  • Validate with an assessment/auditor.

Below, we provide a brief overview of key terms and their origins, which is crucial for understanding how they align with your requirements. If you know this already, you can navigate down to the Government Compliance Matrix to dive deeper into what you’re looking for.

Leveraging Microsoft 365 and Azure services to reduce the risk and overhead of meeting security and compliance requirements, along with the productivity and innovation gains, is a core motivator for many organizations.

Where does GCC come from?

The term Community Cloud originated from the National Institute of Standards and Technology (NIST) Special Publication 800-145, “The NIST Definition of Cloud Computing” (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf).

The following is a snippet from that publication:

Deployment Models

Private cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

What’s the difference between GCC Low, GCC Moderate, and GCC High?

The government’s attachment of the phrase “Community Cloud” and the distinction between Low, Moderate, and High also come from NIST and are leveraged by FedRAMP.

The following snippet is from FedRAMP: https://www.fedramp.gov/baselines/

Federal Information Processing Standard (FIPS) 199 provides the standards for the security categorization of federal information and information systems. FedRAMP authorizes Cloud Service Offerings (CSOs) at the Low (including Tailored LI-SaaS), Moderate, and High impact levels. FedRAMP Tailored was developed to support industry solutions that are low risk and low cost for agencies to deploy and use. Tailored policy and requirements provide a more efficient path for Low Impact-Software as a Service (LI-SaaS) providers. The LI-SaaS Baseline accounts for Low-Impact SaaS applications that do not store personal identifiable information (PII) beyond that generally required for login capability (i.e. username, password, and email address).

Now we can put all this together and we get:

  1. Government Community Cloud, Low Impact (GCC Low)
  2. Government Community Cloud, Moderate Impact (GCC Moderate)
  3. Government Community Cloud, High Impact (GCC High)

Buyer Beware

There are new offerings showing up on the Internet that say you don’t need GCC or GCC High and claim to meet government requirements.

We recommend the following:

  • Visit the FedRAMP Marketplace to see if they’re approved at the level you require.
  • Validate with an assessment/auditor.

What are Microsoft GCC and GCC High?

The term GCC by itself is commonly used to refer to GCC Moderate.

We’ll continue with that here.

Quick Answer

  1. GCC/GCC Moderate is on the commercial/global platform. Depending on your target compliance requirements and contract, this could meet your objective.
  2. GCC High is a sovereign cloud offering in which Microsoft ensures that its part of the shared responsibilities (data storage location, access, operations/support staff background checks, etc.) is met.

As defined by Microsoft: https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government#about-office-365-government-environments

GCC

The Office 365 GCC environment provides compliance with federal requirements for cloud services, including FedRAMP High, Defense Federal Acquisition Regulations Supplement (DFARS), and requirements for criminal justice and federal tax information systems (CJI and FTI data types).

GCC High

The Office 365 GCC High and DoD environments deliver compliance with Department of Defense Security Requirements Guidelines, Defense Federal Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR).

GCC High isn’t just a marketing name with small differences in licensing and deployment. It’s much more than that.

Cybersecurity Maturity Model Certification (CMMC)

For companies that do business with the DoD, it is even more crucial that sensitive data is kept out of the hands of bad actors. These companies include all suppliers and commercial item contractors, as well as subcontractors to larger companies that work within the Defense Industrial Base sector. To address this issue, the DoD launched the Cybersecurity Maturity Model Certification (CMMC) program. Currently in version 2.0, this iteration streamlines requirements into three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards. Prior to this certification requirement, companies were not subject to external audits to verify stringent data security measures. GCC High helps ensure you are on your path to compliance.

International Traffic in Arms Regulations (ITAR)

Navigating regulatory landscapes is a crucial aspect of digital transformation. With expertise in ITAR regulations, Agile IT ensures your Microsoft 365 GCC High tenant aligns with these stringent requirements. By leveraging the ITAR-compliant environment of Microsoft 365 GCC High, we enable your agency to handle defense-related articles and services with unwavering confidence in data security and regulatory compliance.

In a cloud setting, technical data related to defense articles and services is going to be the primary driver of compliance. Securing ITAR-controlled data is a crucial step towards avoiding ITAR fines. While the fines themselves can be harsh, violations can also result in the loss of contracts or relationships with federal entities, as well as civil or criminal actions. Civil fines can exceed $1 million per infraction.

“ITAR violations can have other consequences as well, including the denial/revocation of licenses and other export authorizations, compliance oversight, and the loss of business opportunities.” – Directorate of Defense Trade Controls (DDTC), U.S. Department of State

At this point, you’re probably just thinking about Microsoft 365. However, the majority of public-sector deployments also include Azure Government.

Still not sure what you need?

We always recommend working with an assessment/auditing organization. Agile IT is here to help!

Learn more about the Microsoft GCC and GCC High offerings to align to your requirements.

Comparison table: Microsoft 365 Enterprise vs. Microsoft 365 GCC vs. Microsoft 365 GCC High