Government Requirements & Microsoft 365 GCC High Solutions

The first step to meeting your Public Sector requirements is knowing what you need and why.


For organizations working with the United States Government Public Sector, there is a wide array of compliance requirements depending on the department or agency, the type of data and communication you are working with, and the type of work required.

On this page, we provide a quick primer on specific terms and where they come from. This is important for understanding how they will later map to your requirements. If you already know this, you can navigate down to the Government Compliance Matrix to dive straight into what you are looking for.

Leveraging Microsoft 365 and Azure services to reduce the risk and overhead of achieving these security and compliance requirements, along with the productivity and innovation gains, is a core motivator for many organizations.



Where does GCC come from?

The term Community Cloud originated from the National Institute of Standards and Technology (NIST) Special Publication 800-145, “The NIST Definition of Cloud Computing” (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf).

The following is a snippet from that publication:

Deployment Models:

  • Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
  • Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
  • Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
  • Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

What’s the difference between GCC Low, GCC Moderate, and GCC High?

The "Government" attached to the phrase "Government Community Cloud" and the distinction between Low, Moderate, and High also come from NIST and are leveraged by FedRAMP.

The following snippet is from FedRAMP: https://www.fedramp.gov/baselines/

Federal Information Processing Standard (FIPS) 199 provides the standards for the security categorization of federal information and information systems. FedRAMP authorizes Cloud Service Offerings (CSOs) at the Low (including Tailored LI-SaaS), Moderate, and High impact levels. FedRAMP Tailored was developed to support industry solutions that are low risk and low cost for agencies to deploy and use. Tailored policy and requirements provide a more efficient path for Low Impact-Software as a Service (LI-SaaS) providers. The LI-SaaS Baseline accounts for Low-Impact SaaS applications that do not store personally identifiable information (PII) beyond that which is generally required for login capability (i.e., username, password, and email address).

Now we can put all this together and we get:

Buyer Beware

New offerings are showing up on the Internet claiming that you do not need GCC or GCC High and that they meet government requirements. We recommend the following:

  • Visit the FedRAMP Marketplace to see whether the offering is authorized at the impact level you require.
  • Validate the claim with an assessment/auditing organization.

What is Microsoft GCC and GCC High?

The term GCC by itself is commonly used to mean GCC Moderate. We follow that convention here.

Quick Answers

  1. GCC (GCC Moderate) runs on the commercial/global platform. Depending on your target compliance requirements and contract, this may meet your objective.
  2. GCC High is a sovereign cloud offering in which Microsoft ensures that its part of the shared responsibilities (data storage location, access, operations/support staff background checks, etc.) is met.

As defined by Microsoft: https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government#about-office-365-government-environments

GCC

The Office 365 GCC environment provides compliance with federal requirements for cloud services, including FedRAMP High, Defense Federal Acquisition Regulations Supplement (DFARS), and requirements for criminal justice and federal tax information systems (CJI and FTI data types).

GCC High

The Office 365 GCC High and DoD environments deliver compliance with Department of Defense Security Requirements Guidelines, Defense Federal Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR).

GCC High is not just a marketing name with small differences in licensing and deployment. It is much more than that.

At this point, you are probably thinking only about Microsoft 365. The majority of public sector deployments include Azure Government as well.


Government Compliance Matrix

Use the following to help decide which Microsoft environment best meets your compliance requirements.

Feature comparison

| Feature | Basic | Standard | Premium |
|---|---|---|---|
| Microsoft Datacenter US & Global | Yes | Yes | No |
| Microsoft Datacenter US Only | No | No | Yes |
| Microsoft Support Worldwide | Yes | No | No |
| Microsoft Support U.S. Based | Yes | Yes | Yes |
| Microsoft Support US Based & Restricted | No | Yes | Yes |
| Criminal Justice Information Services (CJIS) - State | No | Yes | Yes |
| Criminal Justice Information Services (CJIS) - Federal | No | No | Yes |
| Controlled Unclassified Information (CUI) | No | Yes | Yes |
| Cybersecurity Maturity Model Certification (CMMC) Level 1 | Yes | Yes | Yes |
| Cybersecurity Maturity Model Certification (CMMC) Level 2 | No | Yes | Yes |
| Cybersecurity Maturity Model Certification (CMMC) Level 3 | No | No | Yes |
| Export Administration Regulations (EAR) | No | No | Yes |
| DFARS 252.204-7012 | No | Yes | Yes |
| Federal Contract Information (FCI) | Yes | Yes | Yes |
| FedRAMP High | No | No | Yes |
| FedRAMP Moderate | Yes | Yes | Yes |
| FedRAMP Low | Yes | Yes | Yes |
| FedRAMP LI-SaaS | Yes | Yes | Yes |
| Federal Energy Regulatory Commission (FERC) | Yes | Yes | Yes |
| International Traffic in Arms Regulations (ITAR) | Yes | Yes | Yes |
| North American Electric Reliability Corporation (NERC) | No | Yes | Yes |
| NIST 800-53 | Yes | Yes | Yes |
| NIST 800-171 | Yes | Yes | Yes |

Cybersecurity Maturity Model Certification (CMMC)

For companies that do business with the DoD, it is even more crucial that sensitive data is kept out of the hands of cybercriminals. To address this, the DoD launched the Cybersecurity Maturity Model Certification (CMMC) program to ensure that the companies it does business with are thoroughly protected against malicious cyber activity. These businesses include all suppliers and commercial item contractors, as well as subcontractors to larger companies. Prior to this certification requirement, companies were not subject to external audits verifying that stringent data security measures were in place.


CMMC 2.0

With CMMC 2.0, the DoD intends to once again allow contracts to be awarded with a Plan of Action and Milestones (POA&M) in place to complete the CMMC requirements. A number of controls will be mandatory for award, with the remaining controls to be addressed on a clearly identified timeline.


Understanding CMMC 2.0 Level 1

CMMC 2.0 Level 1 will include the 17 controls of CMMC 1.0 Level 1, a limited subset of NIST 800-171 intended for basic cyber hygiene. It will apply to organizations handling ONLY Federal Contract Information (FCI). The department sees this foundational level as an opportunity to engage contractors in developing and strengthening their cybersecurity posture. CMMC 2.0 Level 1 will be achievable with a self-assessment.

Understanding CMMC 2.0 Level 2

CMMC 2.0 Level 2 includes the 110 controls of NIST 800-171. Level 2 will be split based on the criticality of the information held by the organization. Organizations deemed to hold CUI identified as Critical National Security Information will require a third-party assessment every three years. For select organizations, an annual self-assessment against these controls will be sufficient.

Understanding CMMC 2.0 Level 3

CMMC 2.0 Level 3 is still under development, but the official website lists 110+ practices based on NIST 800-172, which we discussed in our blog and video here. The most important thing to know is that Level 3 assessments will be conducted by the government, not by C3PAOs.

What CMMC 2.0 Level will my company require?

For organizations handling FCI, this is greatly simplified to Level 1, removing the old transitional level that might previously have been required for FCI. For organizations handling CUI, the required CMMC level for contractors and subcontractors will be specified in Requests for Information and Solicitations. No CMMC requirements will be added to contracts until the formal rule-making process is complete.

Still not sure what you need?

We always recommend working with an assessment/auditing organization. Whether or not you have one, we can provide some guidance.


International Traffic in Arms Regulations (ITAR)

Navigating regulatory landscapes is a crucial aspect of digital transformation. With expertise in ITAR regulations, Agile IT ensures your Microsoft 365 GCC High tenant aligns with these stringent requirements.

Required

ITAR requires Microsoft 365 GCC High and Azure Government

By leveraging the ITAR-compliant environment of Microsoft 365 GCC High, we enable your agency to handle defense-related articles and services with unwavering confidence in data security and regulatory compliance.

To determine which types of data, goods, and services are affected by ITAR, we need to look at the regulation itself (22 CFR Parts 120-130), which states that the following are covered under its scope:

  • Military items. Military items or defense articles (these are typically classified by USML categories)
  • Military Goods. Both military goods and technology that are designed to kill or defend against death
  • Space. Most space tech
  • Technical data. Technical data related to defense articles and services

In a cloud setting, the fourth item on that list is the primary driver of compliance. Securing ITAR-controlled data is a crucial step towards avoiding ITAR fines. While the fines themselves can be harsh (see below), violations can also result in the loss of contracts or relationships with federal entities, as well as civil or criminal actions.

Civil fines can exceed $1 million per infraction. We can see a few examples of this in action.

“ITAR violations can have other consequences as well, including the denial/revocation of licenses and other export authorizations, compliance oversight, and the loss of business opportunities.”

- Directorate of Defense Trade Controls (DDTC), U.S. Department of State