Confused about Commercial vs. Government vs. GCC vs. GCC High Terminology?
Microsoft cloud compliance offerings for Microsoft 365 and Azure can be confusing when you need to meet data protection requirements.
We’re here to break down Microsoft cloud compliance offerings for Microsoft 365 and Azure, clarify the important distinctions, and explain how each offering affects the compliance types most important to our customers.
Table of contents
- Microsoft Cloud Compliance Terminology
- Overview of Microsoft Cloud Compliance offerings
- Oxalis Is Here to Help
Let’s get some terminology and acronyms out of the way first.
Microsoft Cloud Compliance Terminology
Being clear on these acronyms and terms will help for the following discussion.
Commercial – officially means Non-Federal Information Systems, which includes more than commercial organizations.
GCC – means Government Community Cloud.
CONUS – stands for Continental United States.
OCONUS – stands for Outside the Continental United States.
Data Enclave, in this context, refers to a segregated environment, with servers residing in regional Azure data centers.
Data Residency vs. Data Sovereignty
Data residency, as used here, means the hosted data is stored entirely on servers in the U.S.
Data sovereignty builds on data residency by specifying that the data will be handled and supported only by US persons, and accessed via a US-only network and directory.
Overview of Microsoft Cloud Compliance offerings
This table packs in a lot of distinctions; let’s unpack them.
Microsoft Cloud: Microsoft 365 vs. Azure
Each Microsoft 365 level pairs with an Azure level, but not 1:1: Microsoft 365 Commercial and GCC both pair with Azure Commercial, while GCC High pairs with Azure Government.
Microsoft Cloud: MS 365 Commercial vs. MS 365 Government (GCC)
Microsoft Cloud: GCC vs. GCC High
As noted, the naming is confusing: GCC and GCC High are not variants of each other. The only thing they share is compliance with a few baseline requirements; the network, directory, and support model behind them differ.
Microsoft 365 Government (GCC)

MS 365 Government (GCC) is a CONUS data enclave of Microsoft 365 Commercial, so it inherits all shared services from Commercial. These shared services may process data OCONUS and use a global follow-the-sun support model. Most notably, this includes a global network and a global directory: Azure Active Directory (AAD, now Microsoft Entra ID) in Commercial is shared with GCC, is supported globally, may process data OCONUS, and is managed by global support personnel.

For the primary Office 365 workloads (as opposed to Azure services), GCC commits to data residency and data processing in CONUS, and only screened US Persons in datacenters are authorized for restricted customer data. However, Microsoft 365 Government (GCC) customer support is provided under the same terms and conditions as Microsoft 365 Commercial, with no assurance of the support agent's physical location or citizenship. You therefore have to make sure your own data sharing controls, policies, and procedures are followed when you engage Microsoft customer support (for example, do not paste CUI into a support ticket).

Will GCC meet your needs? Since there are many CUI categories, we can only offer guidelines here. Several categories, such as Privacy and Legal, may not require data sovereignty. GCC does not natively support export-controlled data such as ITAR and EAR data. If you are absolutely clear on which CUI categories you handle and what level of compliance they require, GCC may work for you. If you are not sure, if the categories or compliance level may change over time, or if you do not want to worry about whether you have got it right, then GCC High is for you.
Microsoft 365 Government (GCC High)

Like GCC, all datacenters are in CONUS and only certain customers are eligible. Unlike GCC, the network is sovereign and constrained to CONUS, and the directory services (AAD) are provided by Azure Government and are sovereign to the US. GCC High meets all of the compliance requirements listed in the table. Customer support is provided 24×7 by screened US Persons in a US location, but Microsoft support still relies on engineers in other countries for expertise on certain topics. If you require that a support ticket be restricted to screened US Persons in a US location only, be aware that response time and the depth of mitigation may suffer. As a result, GCC High is suitable for every compliance requirement discussed in this article.
Microsoft Cloud: Azure Commercial vs. Azure Government
For clarity, Microsoft’s own official distinction is between Azure and Azure Government, but we use “Azure Commercial” to minimize confusion.
Note that every service added to Azure Government must first meet the applicable compliance requirements (FedRAMP High, for example), so services often arrive in Azure Government later than in Azure Commercial, or with limitations. Check Microsoft's documentation for the current list of services available in Azure Government before you design a solution around one.
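Because Azure Government is a separate cloud with its own sign-in authority and management endpoints, the most common operational mistake is a script or administrator session that silently lands in Azure Commercial. The following PowerShell is an added example, not code from the article or from Microsoft: it uses the Az.Accounts module (Get-AzEnvironment, Connect-AzAccount, Get-AzContext are real cmdlets) to show the two clouds side by side, sign in explicitly to Azure Government, and fail closed if the resulting context is not the Government cloud. The Test-AzGovernmentContext function is ours; the endpoint strings are Microsoft's published Azure Government endpoints.

```powershell
# Added example, not code from the article: confirm that an Az PowerShell session
# targets Azure Government rather than Azure Commercial before touching regulated data.
# Requires the Az.Accounts module (Install-Module Az.Accounts).

# Published Azure Government endpoints. A session that reports login.microsoftonline.com
# or management.azure.com is bound to the Commercial (global) cloud instead.
$GovEndpoints = @{
    ActiveDirectoryAuthority = 'https://login.microsoftonline.us'
    ResourceManagerUrl       = 'https://management.usgovcloudapi.net'
}

# Our own check (hypothetical helper, not an Az cmdlet): true only when the context's
# environment name and both endpoints match Azure Government.
function Test-AzGovernmentContext {
    param([Parameter(Mandatory)] $Context)

    $env = $Context.Environment
    if ($null -eq $env) { return $false }

    return ($env.Name -eq 'AzureUSGovernment') -and
           ($env.ActiveDirectoryAuthority.TrimEnd('/') -eq $GovEndpoints.ActiveDirectoryAuthority) -and
           ($env.ResourceManagerUrl.TrimEnd('/') -eq $GovEndpoints.ResourceManagerUrl)
}

# 1. Show Commercial and Government side by side: same cmdlets, different authority,
#    management, and storage endpoints.
Get-AzEnvironment |
    Where-Object { $_.Name -in @('AzureCloud', 'AzureUSGovernment') } |
    Format-Table Name, ActiveDirectoryAuthority, ResourceManagerUrl, StorageEndpointSuffix -AutoSize

# 2. Sign in explicitly to the Government cloud. Omitting -Environment defaults to
#    AzureCloud (Commercial), which is exactly the mistake this check is meant to catch.
Connect-AzAccount -Environment AzureUSGovernment | Out-Null

# 3. Fail closed if the active context is not Azure Government.
$ctx = Get-AzContext
if (-not (Test-AzGovernmentContext -Context $ctx)) {
    throw "Session is bound to '$($ctx.Environment.Name)', not Azure Government. Reconnect with -Environment AzureUSGovernment."
}

"Connected to $($ctx.Environment.Name), tenant $($ctx.Tenant.Id), authority $($ctx.Environment.ActiveDirectoryAuthority)"
```

The same explicit cloud selection exists for the Microsoft 365 workload modules, and it is worth adding the equivalent guard to any automation that handles CUI: Connect-ExchangeOnline takes -ExchangeEnvironmentName O365USGovGCCHigh and Connect-MgGraph takes -Environment USGov. Without those parameters each module defaults to the Commercial endpoints, which is where a GCC High tenant's data should never be sent.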
Compliance: CMMC 2.0 Level 1 vs. Levels 2-3
The goal of the Cybersecurity Maturity Model Certification (CMMC, which we've blogged about before) is to increase trust in how defense contractors measure and demonstrate compliance with NIST standards, principally NIST SP 800-171 and, at Level 3, NIST SP 800-172.
CMMC 2.0 Level 1

This level applies to FCI: information that is not intended for public release but does not require the safeguarding that CUI does. It consists of the basic safeguarding requirements of FAR 52.204-21 and relies on annual self-assessment. GCC supports compliance with CMMC 2.0 Level 1 for protection of FCI, but it does not by itself provide the commitments needed for every category of CUI. Level 1 on GCC may still meet your needs if your CUI does not require explicit commitments for CUI Specified or ITAR export-controlled data, or if you add compensating controls, such as FIPS 140-2 validated end-to-end encryption, to protect ITAR export-controlled data. The same test applies as in the GCC discussion above: if you are absolutely clear on your CUI categories and their required compliance level, GCC may work for you; if you are not, or if they may change, GCC High is for you.
CMMC 2.0 Levels 2-3

These levels safeguard CUI/CDI, the safeguarding system for sensitive unclassified information (CDI is the DoD's nearly interchangeable term for CUI). Although this information is not classified, it is sensitive and requires protection, so these levels involve many more practices and assessment objectives. Level 2 aligns with the 110 security requirements of NIST SP 800-171 and requires a mix of third-party (C3PAO) assessments and self-assessments, depending on the sensitivity of the CUI; Level 3 adds a subset of NIST SP 800-172 requirements and requires government-led assessment. You can demonstrate compliance with all CMMC levels on Azure Government, so as with GCC, if you are not sure whether Level 1 meets your needs, if the categories of your CUI may change, or if you do not want to worry about whether you have got it right, Levels 2-3 are for you.
Compliance: ITAR vs. EAR

ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) regulate the export of certain items, and compliance with both requires screened US Persons and data residency/sovereignty in CONUS.
ITAR

The Department of State interprets and enforces ITAR.
EAR

EAR contains a list of 10 General Prohibitions that restrict export-related activity for the regulated items and require that you obtain either a license or a license exception from the Bureau of Industry and Security (BIS), an agency of the Commerce Department.
The Commerce Department interprets and enforces EAR.
Using ITAR-compliant and EAR-compliant systems ensures that foreign persons will not inadvertently gain access to your data without the federal government's authorization, as can happen, for instance, when a datacenter or customer service center is OCONUS, or when a support engineer outside the US is given access to a ticket that contains the data.
There’s More to Microsoft Cloud Compliance
As we said at the beginning, this article focuses on the compliance types most important to our customers, but there are plenty more, including DFARS, FedRAMP, StateRAMP, the DoD Cloud Computing SRG, and the NIST SP 800 series.
You can find more in-depth information in Richard Wakeman's article Understanding Compliance Between Commercial, Government and DoD Offerings (Microsoft Tech Community, techcommunity.microsoft.com, published March 17, 2022).
We can help you sort through which Microsoft cloud offerings best meet your compliance needs.
Oxalis Is Here to Help
As experts in Microsoft cloud compliance, we provide consultancy services to better enable businesses to be more productive while maximizing the ROI of their tools. Get in touch with an Oxalis expert and get secure today.