As your company works to improve its security posture and meet the requirements of NIST 800-171 and CMMC, the mission-critical clouds from Microsoft can provide the foundation you need to move forward.
Recently Richard Wakeman, the chief architect for Cybersecurity of Aerospace and Defense at Microsoft, joined us at CMMC CON 2023 to discuss how Microsoft’s government cloud works. Richard specializes in developing solutions for the defense industrial base and engaging with Microsoft partners and customers to drive adoption of Microsoft cloud services.
Microsoft 365 Government offerings
Microsoft offers solutions made specifically for CMMC, and their government cloud offerings have unique characteristics to meet your needs. “A number of our platform’s capabilities enable us to work with our partners and our customers to achieve certification on all three levels of CMMC as it’s released,” states Richard.
Office 365 DOD / Azure Government / Dynamics 365 DOD
Microsoft worked with the US Department of Defense (DOD) and was tasked with meeting their restrictive cloud computing security requirements guide (SRG). Using the SRG, they built a true sovereign cloud for the DOD, purpose-built to protect controlled unclassified information (CUI) and including the requirement for a US person to manage the cloud services.
“It began with a deployment of Azure Government that was specifically for infrastructure as a service and platform as a service, but also provided a foundation upon which to build our productivity suite,” Richard shares. “We released Office 365 DOD approximately eight years ago, which is in the same environment as Azure Government, and have since released a number of additional products and capabilities such as Dynamics 365 DOD.”
These offerings align with FedRAMP High and DISA SRG Impact Level 5.
Office 365 GCC High / Azure Government / Dynamics 365 GCC High
To accommodate the defense industrial base and other non-DOD entities, such as federal cabinet-level agencies like the FBI, DOJ, and DHS, Microsoft has a twin environment to the DOD environment, which is branded Microsoft 365 GCC High.
The GCC High environment has equivalency with DISA SRG Impact Level 4. “All of our security capabilities such as Microsoft Defender Antivirus, Purview, Entra, and Priva are now hosted within this environment,” continues Richard. “We refer to this as the US Sovereign Cloud. It is a fully physically and virtually segmented environment from our commercial side.”
Office 365 GCC High was also purpose-built to protect CUI. Azure Government is the infrastructure-as-a-service platform that provides the foundation for both the GCC High and DOD clouds.
Office 365 GCC / Azure Commercial / Dynamics 365 Government
These additional offerings available for the defense industrial base reside in Microsoft’s GCC environment. “This dates back nearly a decade to where we carved out a piece of the cloud from our commercial side environment,” continues Richard. “It predominantly services state and local government and federal civilian agencies but it is also available to the DIB.”
Because they use Azure Commercial as their platform and foundation, these solutions meet FedRAMP High accreditation as well as DFARS 7012. They do not, however, meet the requirements for export-controlled data and most of the CUI Specified categories of data, because this cloud shares common components with Azure Commercial, which is a global infrastructure.
The difference between GCC and GCC High comes down to a commercial cloud versus a sovereign cloud. Microsoft’s sovereign cloud (for GCC High) uses a US-only network and set of data centers that are managed by screened US persons. Organizations without export-controlled data, such as data subject to ITAR and EAR, could select GCC and become compliant with CMMC Levels 1 and 2.
Other Microsoft Government Environments
Microsoft also has additional enclaves built for their government environment. They replicated the US sovereign cloud and provide additional US sovereign clouds that have even more restrictive requirements such as their Secret and Top Secret Azure cloud offerings.
Azure Secret is authorized by the DOD with a cloud computing SRG Impact Level 6. That is for protection of secret collateral as well as special access programs with collateral secrets. Azure Top Secret primarily serves the intelligence community.
“Many of you will start your journey by adopting Office 365, migrating your email into it, and being able to take advantage of our email hygiene capabilities with Office Defender and more,” concludes Richard. “We’re excited to see CMMC come to life via your ability to leverage our cloud service offerings to help you demonstrate compliance with CMMC Levels 2 and 3.”
Microsoft is continuously evolving their technology stack and partnerships to best meet the regulatory demands of CMMC. CyberSheath is a trusted member of Microsoft Intelligence Security Association, Microsoft Cloud Solutions Provider, Microsoft Premier Support Partner, and more. In addition, CyberSheath has had the privilege of becoming one of a select few official resellers for Microsoft GCC High and Office 365 GCC licensing. Join us at our upcoming webinar, Solving a Piece of the Compliance Puzzle with Microsoft GCC, or contact us with any GCC or GCC High specific questions you have regarding your organization.