Microsoft provides numerous options for its public cloud offerings. Microsoft 365 Commercial, also known as MS 365 Commercial or Commercial Microsoft 365, is the “standard” cloud. The Commercial cloud version offers the most features and tools, global availability, and requires no validations to use it.
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized way for federal agencies to assess the security controls implemented by cloud service providers (CSPs). It also helps them to decide whether a particular cloud service offering (CSO) is secure enough to handle sensitive government data.
MS 365 Commercial is not meant for government or defense compliance: it shares a global infrastructure and workforce, so it cannot meet the security requirements of these users.
Moreover, it can only meet the FedRAMP “Moderate Impact” level. This FedRAMP level is appropriate for CSOs where the loss of data confidentiality, integrity, or availability would seriously harm the agency’s operations, assets, or individuals.
For federal agencies looking for a cloud that meets FedRAMP High standard, Microsoft offers another version called Microsoft 365 GCC High. Let’s explore Microsoft 365 GCC High and see how it meets the requirements of FedRAMP High.
Microsoft 365 GCC and Microsoft 365 GCC High
U.S. federal, state, and local government agencies hold controlled unclassified information (CUI), criminal justice information, and export-controlled data. For these users, Microsoft 365 Commercial is not sufficient. They need a cloud with more robust capabilities that also meets stringent and necessary security controls. Here’s where Microsoft 365 Government Community Cloud (GCC) comes in.
MS 365 GCC is a government-focused version of Microsoft 365 Commercial with many of the same features. GCC also includes additional features to meet the unique and evolving needs of the U.S. public sector, as well as its enhanced security and compliance requirements.
One difference between MS 365 GCC and MS 365 Commercial is that the former’s data centers are all in the continental United States (CONUS), as mandated by the requirements of the FedRAMP Moderate level.
In addition, MS 365 GCC supports all of these compliance frameworks and standards:
- FBI CJIS (Criminal Justice Information Services)
- IRS 1075
- Defense Federal Acquisition Regulations Supplement (DFARS)
- DISA Level 2 Security Requirements Guidelines
- DoD SRG Level 2 (with no provisional authority)
Microsoft 365 GCC includes Microsoft Office 365 GCC, which also complies with federal requirements for CSOs, including FedRAMP High and DFARS, and requirements for criminal justice and federal tax information systems (CJI and FTI data types).
What Is Microsoft 365 GCC High?
MS 365 GCC High is a “copy” of the Microsoft 365 DoD cloud that was purpose-built for the U.S. Department of Defense (DoD). Microsoft created the copy for the agencies and federal contractors that need to meet the stringent cybersecurity and compliance requirements of the FedRAMP High Impact level.
Microsoft 365 GCC is insufficient to handle controlled unclassified information (CUI) or controlled defense information (CDI) because it resides on the Azure Commercial network. Also, its access is not limited to U.S. citizens, which creates security risks for government data and information systems.
MS 365 GCC High is suitable for government users who need to handle and manage CUI or CDI. This cloud exists in its own sovereign environment and is logically separated from MS 365 Commercial.
Unlike Microsoft 365 GCC, the infrastructure of Microsoft 365 GCC High is located entirely in the United States and can only be accessed or operated by U.S. persons. Moreover, Microsoft screens all these personnel via thorough background checks.
MS 365 GCC High is only available for use by federal agencies, the Defense Industrial Base (DIB), and DoD contractors. Any entity that wants to move to GCC High must first receive validation from Microsoft to confirm its eligibility. No such validations are required for using Microsoft 365 Commercial.
What Is FedRAMP?
FedRAMP is a U.S. government-wide program that allows federal agencies to standardize the application of the Federal Information Security Management Act (FISMA) to cloud computing services. Its primary goal is to assure that government data remains secure in the cloud environment.
FISMA defines information security standards for federal agencies and government information systems. The law does not, however, standardize security requirements on both the agency’s side and the CSPs’ side; FedRAMP does.
FedRAMP provides a widely accepted security assessment framework (SAF) to help agencies streamline how they perform the security assessments, authorizations, and monitoring of CSOs. That’s why agencies need the standards and guidelines defined in FedRAMP.
CSPs that want to provide cloud services to government agencies also need FedRAMP to streamline the authorization process across multiple agencies. CSPs must achieve FedRAMP certification to provide their CSOs to agencies.
In short, FedRAMP acts as a seal of approval for CSPs. When the CSP achieves FedRAMP compliance, government agencies know the provider’s offerings meet a basic set of cybersecurity standards and can then bring that CSP into the agency’s IT systems more efficiently.
What Is FedRAMP High?
All CSOs that serve U.S. federal agencies are categorized into one of three impact levels, Low, Moderate, or High, according to the potential impact of a data breach. These impact levels are based on Federal Information Processing Standard 199 (FIPS 199) from the National Institute of Standards and Technology (NIST).
CSOs must have security controls that achieve three security objectives:
- Confidentiality. Safeguards are in place to protect personal privacy and proprietary information.
- Integrity. Safeguards exist to prevent the modification or destruction of data.
- Availability. Authorized users get timely and reliable access to information.
As the name suggests, FedRAMP High refers to the highest security baseline level in FedRAMP. It accounts for the government’s most sensitive unclassified data in cloud environments, including data whose compromise could endanger life or cause financial ruin.
Until 2016, government agencies could only contract with CSPs for work at the Low and Moderate Impact levels. The introduction of the FedRAMP High level now allows agencies to use CSPs for high-risk systems and data.
Such High Impact data is usually in law enforcement, emergency services, financial, and health systems, which is why FedRAMP High covers the needs of many federal departments and agencies, including the Department of Defense (DoD).
High Impact data may be in any government system where the loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on agency operations, assets, or individuals.
FedRAMP High is based on 421 controls across multiple areas, including access control, incident response, configuration management, risk assessment, and contingency planning. In contrast, FedRAMP Moderate has 326 controls, and FedRAMP Low has only 125 controls.
The FedRAMP High baseline has a higher number of controls and requires extensive security protocols and authentication procedures because it is critical for federal agencies that need to migrate more High Impact level data to the cloud. These controls assure that CSPs provide the security protections necessary to handle High Impact, sensitive, unclassified data.
Does Microsoft 365 GCC High Meet FedRAMP High Requirements?
Microsoft 365 GCC High is best for FedRAMP High Impact data. It supports all the compliance and security requirements supported by Microsoft 365 Commercial. In addition, it also supports NIST 800-171, EAR, and ITAR.
Some other compliance requirements supported by MS 365 GCC High include:
- DFARS 252.204-7012 with flow-down requirements
- CMMC, the Cybersecurity Maturity Model Certification
- DoD Impact Level 4 and Impact Level 5 capabilities
And as mentioned earlier, this cloud can also handle CUI and CDI.
MS 365 GCC High is suitable for all defense contractors and organizations that hold CUI or CDI and need a CSO that complies with the FedRAMP High security baseline.
Manage FedRAMP Compliance with ZenComply
Manage FedRAMP compliance easily and confidently with ZenComply. This all-in-one platform for compliance, audits, governance, and risk management provides a single, integrated experience across all these processes.
With ZenComply, you can automate third-party risk management and build a unified foundation for all your compliance needs. The platform will help you identify gaps in your compliance program and automate critical tasks.
You can also uncover information security risks across your business and share compliance and risk information with multiple stakeholders. All of this is possible with ZenComply.
Schedule a demo to see how ZenComply can help you with your vital incident management, policy management, business continuity, and disaster recovery needs.