In the age of CMMC and pending independent third-party assessments of defense contractors’ compliance with their contractual cybersecurity obligations, there is a lot of misinformation out there about which Microsoft 365 environment meets your regulatory compliance needs. As a Microsoft Direct CSP and Azure Government CSP partner, we (Ariento) figured we’d address the most frequent questions our team receives when working with clients on their government cyber compliance journey. Note: much of this evaluation can be applied to other public cloud service providers (e.g. Google, Zoom, Amazon, etc.) as well.
What is the actual contractual requirement when it comes to a defense contractor using public clouds like Microsoft 365?
It all depends on whether you use that public cloud to process, transmit or store controlled unclassified information (CUI). Simply put, if you do, it must be FedRAMP Moderate or equivalent and the cloud service provider must commit to providing digital evidence to the DoD in the event of a cyber incident. This requirement comes from the current DFARS 252.204-7012 clause, meaning it is actually a requirement in most DoD contracts today, not a future requirement for when CMMC is rolled out. CMMC will simply validate compliance. Here is what section D of the DFARS clause says:
If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
Pretty dense, so let’s break it down:
What does FedRAMP “Moderate” or “equivalent” mean?
FedRAMP Moderate means the cloud service provider’s particular product/service you are using/buying has been successfully assessed by a 3PAO and authorized by the FedRAMP PMO (which is part of GSA). This is relatively easy to know as the information is searchable on the FedRAMP marketplace (make sure you filter out FedRAMP tailored or low when you search as this does not meet the requirement).
If the cloud service is not found on the FedRAMP marketplace as authorized at Moderate or High, then the service must be proven “equivalent”. This means you (not the vendor) must prove equivalent controls in the cloud service you use. This is usually done by mapping the security controls from another certification. It is a very time-consuming and tedious process and requires the vendor to share a lot of information with you. In general, it is usually not worth the effort and risk.
What are the requirements in paragraphs (c) through (g) of the DFARS 252.204-7012 clause?
Suffice it to say paragraphs (c) through (g) are even more dense than the paragraph quoted above, so we’ll take the summary approach. The gist of the requirements is that if something happens and there is suspected unauthorized access to a system that processed, transmitted or stored CUI, you must report it to the DoD and preserve, protect and provide any and all evidence to the DoD for systems that were part of the incident. This matters because if you are using a cloud service (hosted on another organization’s hardware), the provider has no obligation to provide evidence to the DoD unless you have contractually obligated them to do so.
What does this mean for Microsoft 365?
While all Microsoft 365 environments are FedRAMP Moderate or higher, Microsoft does not commit to the cyber incident reporting requirements (sections c through g) in their commercial environment. For that reason, any organization processing (e.g. Teams), transmitting (e.g. email) or storing (e.g. OneDrive or SharePoint) CUI in Microsoft 365 must be in M365 Government Community Cloud (GCC) or GCC-High. This includes voice conversations to discuss CUI through Teams or Teams phone. See Microsoft’s direct comparison of the environments here.
So which Microsoft 365 environment is right for my organization?
In summary, M365 Commercial is a no-go if you process, transmit or store CUI in the Microsoft cloud environment. If you currently don’t and don’t foresee that changing, M365 Commercial is the cheapest and most comprehensive solution, and there is no reason to migrate from it. For those that do process, transmit or store CUI in the cloud, both GCC and GCC-High meet the FAR and DFARS requirements. The main difference between GCC and GCC-High (other than cost and interoperability) is a contractual obligation to US Sovereignty (which matters for ITAR and export-controlled CUI). For GCC, Microsoft states they meet US Sovereignty, but they won’t contractually obligate themselves to it. This means they could change this in the future if they choose. For GCC-High, Microsoft contractually obligates themselves to US Sovereignty. US Sovereignty means that your data (and the data given to you by the government) is only processed, transmitted and stored in the United States, and the systems are only serviced by United States personnel (e.g. help tickets, development of code, etc.). At the end of the day both GCC and GCC-High satisfy the US Sovereignty requirement today, so the decision of which to use comes down to a comparison of features, cost and/or a business risk decision (do you want the signed contractual obligation from Microsoft, or is their public commitment to it enough for you?). The chart below summarizes this comparison for you.
How much does it cost and how long does it take to migrate to government community cloud (GCC)?
Average cost for a one-time migration project completed by our migration team has ranged from ~$2,500 to $40,000 depending on the amount of data (emails, files, folders, etc.) you are migrating and the depth of the M365 capabilities and services (SSO, Endpoint Manager, Teams phones, etc.) you are using. The average migration takes 4 to 12 weeks. More than time and money, this is a major IT change and users will feel it. We usually tell our clients to expect it to be like everyone in the company gets a brand-new computer and email account, and plan on all the usual change resistance and frustrations that come with that. This cost should not be overlooked.
What are the tradeoffs of moving to the government community cloud and how can I compare them?
What are the risks of not being DFARS compliant?
For now, the main risk is violating your contract with the DoD, which is subject to the False Claims Act. As CMMC rolls out, independent third-party assessors like Ariento will evaluate this as part of your CMMC Level 2 assessment, and you will fail your certification assessment, which will preclude you from being on Defense contracts that have that requirement.
What about ITAR?
ITAR is a State Department program and is not part of CMMC or DFARS, nor will it be assessed as part of a CMMC third-party independent certification assessment. The requirement as it relates to public cloud is similar to export-controlled CUI in that ITAR data must have US Sovereignty.
What are the DISA SRG Impact Levels?
This is specific to the government and its own use of the public cloud. It does not apply to contractors, unless they are providing IT-type services directly to the government and processing, transmitting, or storing data on its behalf. We only include it in the comparison chart above for situational awareness and because it is the standard the government uses for itself, meaning there is always a chance it ultimately applies that standard to contractors. There is no indication of that at this time and the government of course moves slowly; however, if you want to be conservative from a risk standpoint, this may factor into your decision when deciding between GCC and GCC-High.
How does this apply to on-premises systems?
It does not. Section D of the clause and FedRAMP in general are only applicable to information processed, transmitted, or stored by an external service provider in the public cloud.
Well, there you have the most common questions we get around Microsoft 365 and which version to use. In summary, if you currently have the DFARS 252.204-7012 clause in any of your contracts and want to use Microsoft 365 for processing, transmitting, or storing CUI, you’ll need to be on GCC or GCC-High, not the commercial version of Microsoft 365. As for which of the GCC versions, that is a business decision based on what we’ve laid out above. For assistance evaluating the environments, a migration quote, or any other questions you may have, please don’t hesitate to reach out here.