As a business, it is understandable that you want the highest security possible. You’ll be happy to know that there are different levels of cloud computing. There are several options in cloud computing.
- Commercial
- GCC
- GCC High
Each of the environments offers something different. Commercial Microsoft 365 is the base offering and has Enterprise, Business Essentials, Home, and Office 365. It meets many basic security needs.
GCC and GCC High offer more comprehensive technology. Government Community Cloud, GCC, is the environment that is dedicated to government focused options. There is also another option that only the Department of Defense quality for, and that environment was built explicitly for DOD usage.
Let’s now focus on GCC High.
What is GCC High?
The DOD and Federal contractors needed a more high-security stringent option for their cloud computing, and so GCC High was created. GCC High also has the following compliance requirements:
- ITAR
- FedRAMP High
- NIST 800-171
- CUI/CDI
GCC High offers several features that are unavailable in other plans but can be found in the DoD cloud. In contrast, the commercial plan offers Calling Plans and Compliance Manager, Microsoft Defender ATP, and more. There are a few reasons for these missing elements.
- Each feature is required to go through testing to meet federal approval.
- A staff member dedicated to the software passed a Department of Defense IT-2 will be required for development and support.
- Some of the Microsoft 365 will not meet the compliance requirements. Often Cloud App Security, Microsoft Defense, and Azure Sentinel will be rebuilt to meet the criteria.
It is worth noting that the parity of features changes regularly.
Can anyone use GCC High?
Those in the Defense Industrial Base (DIB) and DoD contractors and government agencies have access to GCC High. GCC High requires certification from Microsoft before any customers may use this software.
Which compliances do DoD and GCC High meet?
There are a few compliances that GCC High and the DoD environments need to meet for accreditations and certifications.
- FedRAMP – The Federal Risk and Authorization Management Program, security controls, control enhancement as dictated by the NIST – National Institute of Standards and Technology.
- Security controls and control enhancement of the USD Defense Cloud Computing Security Requirements Guide. Up to Impact Level 5.
Subscribers who are not Department of Defense employees will receive services from the US Government Defense environment, rated at L5 but segmented at L4.
GCC High background checks
As you would expect, the DoD and Microsoft GCC High run some of the most comprehensive background checks on their employees in the data center. The GCC High is similar to the GCC but has DoD IT-1 adjudication as an addition.
Here are some of the backgrounds checks performed:
- US Citizenship verification
- Verifications of 7 years of employment history
- Verifying the highest degree earned
- SSN verification
- A 7-year criminal record check
- Verification against the Department of Treasure list, Department of Commerce, Department of State
- Fingerprint checking
- Department of Defense IT-2
Is file-sharing available with GCC High?
In SharePoint and OneDrive, users have a variety of choices for sharing files and folders. In the GCC High and DoD settings, all of the options are available. Users in GCC-High will only be allowed to share with other GCC-High organizations.
NON-GCC High email addresses associated with user profiles are not supported, and alert emails will not be issued. A user, for example, is given a Gmail email address on-premises and subsequently synchronized to an Azure GCC High organization. Suppose a user navigates to a library and sets up a change alert. The Gmail address will not get the notice.
Can regular businesses buy GCC or GCC High?
Microsoft 365 Government can be used by government customers and non-government organizations sponsored to process or hold controlled information. Eligibility for these is consistent across the Microsoft Government Cloud.
Any customer that is eligible for the Microsoft Government Cloud environment can use GC and GCC High. The DoD environment remains exclusive to the US DoD.
There are clear definitions of that as an eligible government customer. Including but not limited to:
- A federal agency, defined as a bureau, office, agency, department, or other entity of the U.S. Government
- A tribal entity is a federally recognized tribal body that is eligible for financing and services from the U.S. Department of Interior due to its status as an Indian tribe, or, in Alaska, a native village or Alaska Regional Native Corporation.
If non-government organizations can provide proof of the following, they can also be eligible for Microsoft Government Cloud validation.
- ITAR – International Traffic in Arms
- CUI – Controlled Unclassified Information
- DoE – Department of Energy
There are several more government data types that are accepted too.
In short, GCC High is a government-focused Microsoft 365 Cloud environment and has some of the most stringent cybersecurity on the market.
