Understanding Microsoft Cloud Compliance

Posted on 06.14.2023
Written by John R. Worsley

Confused about Commercial vs. Government vs. GCC vs. GCC High Terminology?

Microsoft cloud compliance offerings for 365 and Azure can be confusing if you need to comply with data protection requirements.

  • Why are there two 365 Government levels?
  • Why does 365 Government (GCC) use Azure Commercial?

We’re here to break down Microsoft cloud compliance offerings for Microsoft 365 and Azure, clarify the important distinctions, and explain how each offering affects the compliance types most important to our customers.

Let’s get some terminology and acronyms out of the way first.

Microsoft Cloud Compliance Terminology

Being clear on these acronyms and terms will help for the following discussion.

“Commercial”

Officially means Non-Federal Information Systems, which includes more than commercial organizations.

GCC

GCC means Government Community Cloud.

CONUS

CONUS stands for Continental United States.

OCONUS

OCONUS stands for Outside the Continental United States.

Data Enclave

Data Enclave, in this context, refers to a segregated environment, with servers residing in regional Azure data centers.

Data Residency vs. Data Sovereignty

Data residency means the hosted data is stored entirely on servers in the U.S.

Data sovereignty builds on data residency by specifying that the data will be handled and supported only by US persons, and accessed via a US-only network and directory.

  • Sovereignty includes controls for restricting sensitive data access to only screened US persons with data processing.
  • It also specifies technical support provided 24×7 by screened US Persons in a US Location, but note that this only applies to the customer service personnel you contact to open and update support tickets. A support engineer you escalate to may be anywhere in the world, and it’s up to you to watch what you share. You can request that your support ticket be restricted to screened US Persons in a US Location only, but be aware that the response time and mitigation level may suffer.

Overview of Microsoft Cloud Compliance offerings

[Table image: Microsoft cloud compliance offerings]

This table packs in a lot of distinctions; let’s unpack them.

Microsoft Cloud: Microsoft 365 vs. Azure

  • Microsoft 365 is a family of software products and online services, with three levels: “Commercial,” GCC, and GCC High. Despite the names, GCC and GCC High are fundamentally different since they use different Azure offerings.
  • Azure is a cloud computing platform, like AWS, with two levels: “Commercial” and Government. GCC is only a 365 offering, and has nothing to do with Azure.

Each 365 level pairs with an Azure level, but not in a 1:1 way, since 365 “Commercial” and GCC both pair with Azure Commercial.

Microsoft Cloud: MS 365 Commercial vs. MS 365 Government (GCC)

  • Commercial is open to all customers. All datacenters, customer support, and network/directory are global. It meets the fewest compliance requirements.
  • Government (GCC) is restricted to certain customers. All datacenters are in CONUS, and more compliance requirements are met.  It does NOT include any specifications about where customer support personnel are located, or the network and directory used.

Microsoft Cloud: GCC vs. GCC High

As noted, the language is a bit confusing: GCC and GCC High are not variants of each other. The only element they share is compliance with a few low-level requirements.

GCC

MS 365 Government (GCC) is a CONUS data enclave of Microsoft 365 Commercial, so it inherits all shared services from Commercial. These shared services may have data processing OCONUS, and they leverage a global follow-the-sun support model.  Most notably, this includes a global network and a global directory.  For example, Azure Active Directory (AAD) in Commercial is shared with GCC.  AAD is supported globally and may have data processing occur OCONUS along with service management by global support personnel. 

For the primary Office 365 workloads (as opposed to Azure services), GCC has a commitment to ensure data residency and data processing is in CONUS.

In addition, only screened US Persons in datacenters are authorized for restricted customer data.  However, Microsoft 365 Government (GCC) customer support is provided under the same terms and conditions offered to Microsoft 365 Commercial, without assurances for agent physical location or citizenship – so you have to ensure that your own internal data sharing controls, policies, and procedures are followed when engaging with Microsoft customer support.

Will GCC meet your needs? Since there are many CUI categories, we can only offer guidelines here.  Several categories may not require data sovereignty, such as Privacy, Legal, etc.  GCC does not support export-controlled data, such as ITAR and EAR natively.  If you’re absolutely clear on which CUI categories you deal with, and what level of compliance they require, GCC may work for you.  If you’re not sure, or if the categories or compliance level change over time, or if you don’t want to have to worry whether you’ve got it right, then GCC High is for you.

GCC High

Like GCC, all datacenters are in CONUS and only certain customers are eligible.

Unlike GCC, the network is sovereign and constrained to CONUS.  The GCC High directory services with AAD are provided by Azure Government and are sovereign to the US. It meets all listed compliance requirements.

Customer support is provided 24×7 by screened US Persons in a US Location, but MS customer support relies on support engineers in other countries for their expertise in certain topics.  If you require your support ticket be restricted to “screened US Persons in a US Location” only, be aware that the response time and mitigation level may suffer.

As a result of the above, GCC High is suitable for any level of compliance you need.

Microsoft Cloud: Azure Commercial vs. Azure Government

For clarity, Microsoft’s own official distinction is between Azure and Azure Government, but we use “Azure Commercial” to minimize confusion.

  • Azure Commercial is supported with a global follow-the-sun support model, with a global network and a global directory.
  • Azure Government confines every aspect of the data and its handling to CONUS. The network is sovereign and constrained to CONUS. Directory services with Azure AD are provided by Azure Government and are sovereign to the US, to holistically safeguard all categories of CUI.

Note that because all services must meet all the applicable compliance requirements, adding them to Azure Government often takes longer or may come with limitations, so be sure to check Microsoft’s documentation for the latest service offerings.


Compliance: CMMC 2.0 Level 1 vs. Levels 2-3

The goal of the Cybersecurity Maturity Model Certification (CMMC, which we’ve blogged about before) is to increase the trust in measures of compliance to a variety of NIST standards.

Level 1

This level applies to FCI – information that is not intended for public release, but does not require safeguarding like CUI does.  It relies on self-assessment. GCC provides compliance with CMMC 2.0 Level 1 for protection of FCI, but not for absolute protection of CUI.

Level 1 may meet your need if you have CUI that does not require explicit commitments to protect CUI Specified and ITAR export-controlled data, or if you add compensating controls, such as FIPS 140-2 validated end-to-end encryption, to protect ITAR export-controlled data.

If you’re absolutely clear on which CUI categories you deal with, and what level of compliance they require, GCC may work for you.  If you’re not sure, or if the categories or compliance level change, or if you don’t want to have to worry whether you’ve got it right, GCC High is for you.

Levels 2-3

These levels aim to safeguard CUI/CDI, which is a safeguarding system for unclassified information (CDI is the DoD's almost interchangeable term for CUI). Although this type of information is not considered “classified,” it is still sensitive, important, and requires protection. They involve many more practices and objectives that protect your information. Level 2 requires a mix of third-party assessments and self-assessments, while Level 3 requires government-led assessments.

You may demonstrate compliance with all maturity levels of CMMC with Azure Government, so as with GCC, if you’re not sure whether Level 1 meets your needs, or if the categories of your CUI change, or if you don’t want to have to worry whether you’ve got it right, Levels 2-3 are for you.

Compliance: ITAR/EAR

ITAR and EAR regulate export controls of certain items, and compliance with both necessitates screened US Persons and data residency/sovereignty in CONUS.

  • ITAR (International Traffic in Arms Regulations) regulates the export of items, both physical objects and technical data, that are built for defense and military use. It dictates that information and material pertaining to these technologies may only be shared with US Persons (where “person” does not mean “citizen”, but includes some permanent resident non-citizens, legal entities incorporated in the US, and federal government bureaus, departments, offices, etc.) unless authorization from the Department of State is received to export the material or information to a foreign person.

The Department of State interprets and enforces ITAR.

  • EAR (Export Administration Regulations) regulates the export of items, both physical objects and technical data, that may have defense/military use in addition to commercial use. This necessarily means that EAR covers a much wider range of items than ITAR – for example, radar systems have broad use in commercial enterprises, but because they can also be a component in missiles, their export is regulated by EAR.

EAR contains a list of 10 General Prohibitions that restrict export-related activity for the regulated items, and require that you receive either a license or a license exception from the Bureau of Industry and Security, an agency in the Commerce Department.

The Commerce Department interprets and enforces EAR.

Using ITAR-compliant and EAR-compliant systems ensures that foreign persons won’t accidentally gain access to your data without the federal government’s authorization – as can happen, for instance, if a data center or customer service center is OCONUS.


There’s More to Microsoft Cloud Compliance

As we said at the beginning, this article focuses on the compliance types most important to our customers, but there are plenty more, including DFARS, FedRAMP, StateRAMP, SRG, and NIST SP-800.

You can find more in-depth information at this article, Understanding Compliance Between Commercial, Government and DoD Offerings – written by Richard Wakeman, Published Mar 17 2022, Source: Techcommunity.microsoft.com.

We can help you sort through which Microsoft cloud offerings best meet your compliance needs.


Oxalis Is Here to Help

As experts in Microsoft cloud compliance, we provide consultancy services to better enable businesses to be more productive while maximizing the ROI of their tools. Get in touch with an Oxalis expert and get secure today.
