Historically, the technological requirements and needs of the US government have been quite different from, and in many ways unique compared to, how businesses in the private and public sectors typically operate. In response to these unique and evolving requirements, Microsoft created a specific platform for its public and private sector customers – Microsoft 365 Government. This platform has addressed many of the compliance struggles that government cloud computing has faced in the past.
On its website, Microsoft states the following about its Microsoft 365 Government platform:
Microsoft 365 Government is a set of productivity, security, and mobility cloud software capabilities tailored for US government agencies and contractors sponsored to hold controlled, unclassified information. Delivered through unique environments that meet the most stringent of compliance requirements, Microsoft 365 Government is a cloud offer for US government customers that matches as closely as possible the features and capabilities of Microsoft commercial cloud enterprise offerings.
Whether an organization is public or private sector, many are moving away from in-house data centers and into the cloud. However, if an organization will be handling government data, specifically data from the DoD or Federal government, there are certain cybersecurity regulations and compliance requirements that must be met before the data they are utilizing can be stored in the cloud.
For organizations that are current Microsoft 365 Commercial customers and are either working towards or planning on becoming CMMC compliant, a new change has been enacted that may require you to upgrade from Microsoft 365 Commercial to either Microsoft’s Government Community Cloud (GCC) or Government Community Cloud High (GCC High) platform.
Microsoft’s Government Community Cloud (GCC) and Government Community Cloud High (GCC High) are used across various US Federal, state, local, and other government entities. They are also used by organizations that deal with certain types of sensitive or controlled government data that may carry stricter regulatory or compliance requirements.
Different Versions of Microsoft 365
Microsoft offers three different environments for its Microsoft 365 platform. Here is a quick explanation of each.
Microsoft 365 Commercial
This particular environment is built to FedRAMP Moderate standards and can be customized and configured to meet NIST 800-171 compliance, but does not fully meet the requirements for DFARS 7012 compliance.
Although not officially asserted, it is expected that Microsoft 365 Commercial will meet CMMC Levels 1-2.
Microsoft 365 GCC
Microsoft GCC, or Government Community Cloud, is in a nutshell a government-focused copy of the commercial environment. It has many of the same features and functionality, but its data centers are located ONLY in the continental United States and are segregated from commercial organizations, as mandated by FedRAMP Moderate. As with the Microsoft 365 Commercial environment, it can be customized and configured to be 100% NIST 800-171 compliant.
Microsoft 365 GCC High
Microsoft GCC High, or Government Community Cloud High, was created specifically to meet the needs of DoD and Federal contractors that must meet strict cybersecurity and compliance requirements. GCC High can be thought of as a copy of the Microsoft DoD cloud environment for use by DoD contractors, cabinet-level agencies, and cleared personnel. One critical distinction: when handling classified data, environments have a high side and a low side, with the high side existing so users can handle classified data. GCC High is not considered a high side environment; it only received the “High” name because it meets FedRAMP High impact requirements.
For many government regulations, standards, and compliance requirements, organizations must make sure any personnel working in the environment meet the requirements of specific government background checks. GCC High acts as a data enclave of Office Commercial. It’s compliant with DFARS, ITAR, NIST 800-171, NIST 800-53, and CMMC.
Organizations planning or required to meet CMMC Levels 3-5 should deploy Microsoft 365 GCC High.
GCC High is not required to meet CMMC compliance at any Level; however, Microsoft recommends that organizations planning or required to meet CMMC Levels 3-5 deploy Microsoft 365 GCC High. The Commercial and GCC versions of Microsoft 365 can be customized and configured to meet NIST 800-171 and the majority of CMMC’s requirements.
Put simply, there are 3 major steps that must be completed in order to obtain access to the GCC High environment.
- Identifying Need and Confirm Eligibility
- Validating Eligibility
- Submit for Licensing
Identifying Need and Confirm Eligibility
Because not every organization that is part of or connected to the US government will need access to the GCC or GCC High environment, it is important to first identify if the need for either of these environments exists.
In order to be eligible, an organization must be classified as a government organization or be currently authorized to purchase government contracts. Eligibility can also be extended to cover entities or organizations that handle data that falls under specific governmental regulations and compliance requirements.
Validating Eligibility
After an organization has determined that Office 365 GCC or GCC High is the right solution for its requirements, it has to confirm and validate its eligibility with Microsoft in order to obtain access to a Microsoft 365 Government cloud environment. This step is crucial because Microsoft does not offer commercial trials for Office 365 GCC and there are no trials for the GCC High or the DoD environments.
Most often, companies fail these first two steps, and as a result are refused licensing for GCC High. Ensuring that your organization meets the baseline qualifications and requirements for GCC or GCC High is vital in order to obtain the licensing to access the GCC or GCC High cloud environment.
SME Can Help!
Once your organization has obtained approval to access the GCC or GCC High environment, our team of highly trained and qualified professionals here at SME can assist your organization by setting up tenants for the Microsoft GCC or GCC High cloud environments with the best security practices and standards, as well as migrating your existing data from the Microsoft 365 Commercial environment.