Microsoft 365 GCC High Guide for DoD Contractors
In today’s rapidly evolving cyber threat landscape, organizations, particularly those within the public sector and defense industries, face unprecedented challenges in securing sensitive data and ensuring regulatory compliance. The need for a comprehensive, cloud-based productivity and collaboration suite that empowers teams and meets stringent security and compliance requirements has never been greater. Enter Microsoft 365 Government Community Cloud High (GCC High), a powerful solution built to address these specific needs.
Microsoft 365 GCC High represents a critical evolution in cloud computing, tailored to meet the unique demands of government agencies, contractors, and organizations working with controlled unclassified information (CUI). With its robust set of features and stringent security controls, Microsoft 365 GCC High delivers a secure, collaborative environment that enables public sector entities to harness the full potential of cloud technology without compromising on data protection or compliance.
Versions of Microsoft 365 for Government, Defense and DIB
There are four versions of the Microsoft 365 offering:
- Microsoft 365 Commercial
- Microsoft 365 Government Community Cloud (GCC)
- Microsoft 365 GCC High
- Microsoft 365 DoD
The most feature-rich option is the original Microsoft 365 package dubbed “Commercial”; it is what most enterprise customers use. The other options offer a smaller feature set to meet the stringent compliance and security requirements for government, defense and the defense industrial base (DIB).
Microsoft 365 Commercial
Microsoft 365 Commercial covers the overwhelming majority of M365 users. It is the most affordable offering out of the four with the most diverse feature set. It does not require any validation for the customer to be able to purchase it, and a variety of built-in and third-party commercial tools can solve its security concerns.
M365 Commercial is compliant with some regulatory frameworks, including GDPR, FCI and CMMC Level 1, NIST 800-53, PCI DSS, HIPAA, and CCPA, to name a few. However, this environment is not fit to work with defense or government organizations since its infrastructure and workforce are global (located in many different countries).
M365 Commercial has a FedRAMP Moderate ATO (Federal Risk and Authorization Management Program). However, it is important to note that M365 Commercial was not built for the regulations and standards that govern CUI.
Microsoft 365 GCC
Microsoft 365 GCC is a variation of the M365 Commercial package with a few differences tailored to working with government and defense. All the data in this package is always stored in the continental United States, referred to as ‘CONUS’ and is segregated from the data used by organizations with Microsoft 365 commercial tenants.
The purchase of Microsoft 365 GCC is restricted to:
- Commercial private entities with data subject to government regulations
- A federal agency of the U.S. Government, including a bureau, an office, an agency, a department, etc.
- Tribal entities recognized on a federal level
- Entities of a U.S. state or a U.S. local government
Microsoft 365 GCC meets compliance frameworks, including FBI CJIS (Criminal Justice Information Services), DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement), NIST-800-171, CUI (with caveats), CMMC L1 and L2-3, and DoD SRG Level IL2 PA (Security Requirement Guides). It supports accreditation for FedRAMP High.
The entire network/identity component of GCC is located in Azure Commercial with little to no export/import controls, so Microsoft does not recommend it for handling CDI (Controlled Defense Information), CUI (Controlled Unclassified Information), or EAR (Export Administration Regulations) and ITAR (International Traffic in Arms Regulations) compliance.
Microsoft 365 GCC High
Microsoft 365 GCC High is the middle ground between the less restrictive GCC solution and a rigorous and case-specific Microsoft 365 DoD solution. It is designed for DIBs that require a cloud service capable of being compliant with ITAR, EAR, and other frameworks that require all data to be located strictly within the borders of the U.S. and supported by background-checked U.S. persons.
Microsoft 365 GCC High is built on Azure Government and complies with FedRAMP High and NIST 800-171, CMMC L1-3, and CUI corporately and on behalf of the Government, DISA IL 5, among other frameworks. It loses some features available in GCC. For example, Cloud App Security and Microsoft Defender ATP are missing some features in GCC High, and Compliance Manager or Calling Plans are unavailable.
Reasons for the omission of some features and apps from Microsoft 365 GCC High include the following:
- Some applications in the package have a dedicated staff that passed a specific adjudication (Department of Defense IT-2) to support and develop the app in question
- Each application and feature has to be tested in both GCC High and DoD clouds to ensure both security and compliance
- A small range of applications would be unable to reach DoD’s requirements by the very nature of the app in question – and it happens to various security applications more often than with any other app group
Microsoft 365 DoD
The DoD version of M365 was exclusively created for the U.S. Department of Defense’s internal tasks and is built on Azure Government. It cannot be purchased by private companies. This version is the only one compliant with some of the most demanding frameworks, including DoD SRG Level 5-6.
Compliance Standards Supported by Microsoft 365 Commercial & Government Versions
There are many different compliance frameworks and standards that DoD contractors must meet, and compliance varies across the M365 Commercial, Government and DoD offerings.
Do I need GCC High for CMMC 2.0 certification?
CMMC 1 and FCI compliance can be met with all four versions of Microsoft 365. However, Microsoft recommends using GCC High for customers needing to be CMMC 2.0 compliant or handling CUI for better overall security and compliance.
Do I need GCC High for DFARS 7012?
DFARS 7012, on the other hand, can only be met with the GCC version or higher – although there was a time when DFARS 7012 was only achievable by using GCC High. As ITAR compliance is stringent regarding data and service location, M365 GCC High is the minimum platform Microsoft recommended for compliance.
Compliance Matrix for the M365 Government Cloud Versions
The easiest way to understand the differences between Microsoft 365 versions is via the table below, which lists their capabilities and supported compliance frameworks.
Source: Microsoft Public Sector Blog
Microsoft 365 GCC High’s Collaboration Capabilities
While M365 GCC High includes the Government versions of SharePoint Online, Teams, Exchange Online, OneDrive for Business, etc., the most significant difference is that Teams telephony, available in the Commercial offer, is missing. There are collaboration limitations as well, as users can only share data and documents with other GCC High and DoD tenants.
Here is a look at what is included in GCC High:
- Microsoft Purview Information Protection (MPIP) – MPIP can discover, classify, protect, and govern sensitive information. Sensitivity labels apply classification, and some DLP capabilities, to documents and emails. However, there are limitations on the number of labels that can be used.
- Microsoft SharePoint – Content management platform to manage content, knowledge, and applications, and share with other users.
- Microsoft OneDrive – Online storage space that enables users to share files, collaborate on documents, and sync files to their computer.
- Microsoft Defender – A cloud-based email filtering service that helps protect against unknown viruses and malware.
- Microsoft Teams – A workspace for collaboration that provides instant messaging, audio/ video calling, online meetings, and extensive web conferencing capabilities. It also provides file and data collaboration and acts as a front end for accessing SharePoint and OneDrive content.
- Microsoft Planner – Visual task management application to manage complex Project Management workloads.
- Microsoft Forms – Create, co-author and share forms within your organization (no external collaboration).
Managing CUI in GCC and GCC High
Regardless of the Microsoft cloud you ultimately implement, archTIS can help you dynamically enforce data-centric controls to comply with CUI visual marking requirements and apply fine-grained access and unique protection capabilities that are not available using built-in M365 tools.
archTIS has developed a unique solution for solving Defense requirements for safely handling and applying visual markings for sensitive, controlled unclassified information (CUI), federal contract information (FCI) and classified data. Our NC Protect solution enables Microsoft customers to accomplish this using attribute-based access control (ABAC) and data protection policies that ingest Microsoft Entra ID (formerly Azure AD) attributes, Microsoft Purview Information Protection (MPIP) sensitivity labels, other classification labels and user and file attributes (location, device, time of day, etc.). These dynamic contextual policies control access and apply file-level protection in real time, adjusting automatically as the attributes are compared against the policies.
NC Protect’s ABAC-enabled policies can use attributes such as a user’s country, nationality, and security clearance to control what documents they can access and hide unauthorized files from the user in the Microsoft application UI to meet geolocation restrictions for regulations such as the International Traffic in Arms Regulations (ITAR).
It can also dynamically apply the required CUI Designation Indicator labels and other visual markings (e.g., headers and footers). CMMC 2.0, FAR 52.204-21 (for FCI) and DFARS 252.204-7012 (for CUI) require these markings and apply to all Defense contractors that handle CUI.
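To make the ABAC model described above concrete, here is an added example (not NC Protect or Microsoft code) of a small policy evaluator. It combines user attributes of the kind the page mentions (country, nationality, clearance, device posture) with file attributes (an MPIP-style sensitivity label, a CUI category, an ITAR flag and a nation-trigraph releasability list), denies with an explicit reason list, filters a document list down to what a user should see, and renders a CUI Designation Indicator block. All attribute names, label names, users and documents are constructed for illustration; the marking format is a simplified stand-in, not the authoritative CUI marking syntax.

```python
"""Illustrative ABAC evaluator for CUI/ITAR documents (added example, not product code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    upn: str
    country: str            # current location, ISO 3166-1 alpha-2 (assumed attribute)
    nationality: str        # citizenship, ISO 3166-1 alpha-2 (assumed Entra ID attribute)
    clearance: str          # "none", "secret" or "top_secret" (constructed scale)
    device_compliant: bool  # managed-device posture (assumed attribute)


@dataclass(frozen=True)
class Document:
    name: str
    sensitivity_label: str          # sensitivity label name (constructed)
    cui_category: Optional[str]     # e.g. "CTI" (controlled technical information); None if not CUI
    itar: bool                      # ITAR-controlled technical data
    releasable_to: FrozenSet[str]   # nation trigraphs; empty set means no nation restriction


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple  # denial reasons; empty when access is allowed


CLEARANCE_RANK = {"none": 0, "secret": 1, "top_secret": 2}
# Minimum clearance a label demands; an unknown label fails closed to top_secret.
LABEL_MIN_CLEARANCE = {"Public": "none", "CUI": "none", "SECRET": "secret", "TOP SECRET": "top_secret"}
ALPHA2_TO_TRIGRAPH = {"US": "USA", "GB": "GBR", "CA": "CAN", "AU": "AUS"}


def evaluate(user: User, doc: Document) -> Decision:
    """Evaluate every rule and collect all denial reasons (useful for audit logging)."""
    reasons: List[str] = []
    # Rule 1: ITAR technical data requires a U.S. person who is physically in the U.S.
    if doc.itar and not (user.nationality == "US" and user.country == "US"):
        reasons.append("ITAR: requires a U.S. person physically located in the U.S.")
    # Rule 2: nation-based releasability expressed as trigraphs.
    trigraph = ALPHA2_TO_TRIGRAPH.get(user.nationality, user.nationality)
    if doc.releasable_to and trigraph not in doc.releasable_to:
        reasons.append(f"REL TO: not releasable to {trigraph}")
    # Rule 3: clearance must meet the label's minimum.
    needed = LABEL_MIN_CLEARANCE.get(doc.sensitivity_label, "top_secret")
    if CLEARANCE_RANK[user.clearance] < CLEARANCE_RANK[needed]:
        reasons.append(f"clearance: label {doc.sensitivity_label!r} requires {needed}")
    # Rule 4: CUI may only be opened from a compliant managed device.
    if doc.cui_category and not user.device_compliant:
        reasons.append("CUI: compliant managed device required")
    return Decision(allow=not reasons, reasons=tuple(reasons))


def visible_documents(user: User, docs: Iterable[Document]) -> List[str]:
    """Names of documents the user may access; everything else is hidden from the listing."""
    return [d.name for d in docs if evaluate(user, d).allow]


def designation_indicator(doc: Document, owner: str, controlled_by: str, ldc: str, poc: str) -> str:
    """Render a simplified CUI Designation Indicator block for a header/footer."""
    if not doc.cui_category:
        raise ValueError(f"{doc.name} is not marked as CUI")
    banner = f"CUI//{doc.cui_category}" + (f"//{ldc}" if ldc else "")
    return "\n".join([
        banner,
        f"Owner Name: {owner}",
        f"Controlled by: {controlled_by}",
        f"Category: {doc.cui_category}",
        f"Limited Dissemination Control: {ldc or 'none'}",
        f"POC: {poc}",
    ])


# Constructed sample identities and documents.
SAMPLE_USERS = {
    "us_engineer": User("alice@example.com", "US", "US", "secret", True),
    "uk_partner": User("bob@partner.example", "GB", "GB", "secret", True),
    "us_byod": User("carol@example.com", "US", "US", "none", False),
}
SAMPLE_DOCS = [
    Document("missile_fin_drawing.dwg", "CUI", "CTI", True, frozenset({"USA"})),
    Document("joint_exercise_plan.docx", "CUI", "CTI", False, frozenset({"USA", "GBR"})),
    Document("press_release.docx", "Public", None, False, frozenset()),
]

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(name, "sees:", visible_documents(user, SAMPLE_DOCS))
        for doc in SAMPLE_DOCS:
            d = evaluate(user, doc)
            if not d.allow:
                print("  deny", doc.name, "->", "; ".join(d.reasons))
    print(designation_indicator(SAMPLE_DOCS[0], "Example Defense Co.", "Engineering", "NOFORN", "cui-poc@example.com"))
```

Collecting every failing rule rather than stopping at the first one is a deliberate choice: the denial reasons are what an analyst wants in the access log when investigating why a partner could not open a file, and the same evaluation drives both the hide-from-listing behaviour and the open-time check so the two cannot drift apart.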
NC Protect Capabilities for Government, Defense and DIB
Here’s a brief overview of the unique capabilities NC Protect provides for government and defense that earned archTIS a 2023 Microsoft Security Privacy and Compliance Trailblazer Finalist Award:
- Automatically classify, restrict access to and control distribution of CUI and FCI based on the presence of sensitive data, MPIP labels, or other third-party classifications (Janusseal, Titus, etc.).
- Add multi-label and unlimited additional security labels to augment MPIP sensitivity label limitations.
- Evaluate multiple data and user attributes to determine appropriate access, usage and sharing rights (e.g. combining classification and caveats around special programs, nation-based releasability (including trigraphs), MPIP label, IP ownership, etc.).
- Dynamic attributes – include information based on user location, app or browser to control access.
- Redact sensitive/classified information, including keywords or phrases in Word, Excel, PowerPoint and PDF files, or when the file is viewed using the built-in Secure Reader.
- Add visual markings, including headers/footers, CUI Designation Indicator label, including Owner Name, Controlled By, Category, Distribution/Limited Dissemination Control and POC, automatically into documents as a secure watermark.
- Dynamically encrypt files and SharePoint lists if sensitive information is present.
- Supports common file types, including Office documents, PDF, CAD files, OCR, images, text files and more.
NC Protect provides unique and valuable security capabilities made possible by the product’s tight integration with Microsoft Purview Information Protection, Microsoft Entra ID and Microsoft Sentinel to enhance data protection and labeling capabilities. It offers M365 Commercial, GCC, GCC High and Microsoft DOD customers a robust, dynamic solution for tackling sensitive data handling requirements to meet government, defense and enterprise needs.
Contact us to discuss our military-grade information protection solutions tailored for Defence contractors today.