Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

Government Community Cloud: Primer on GCC High, GCC and DOD

Office 365

Data security is paramount for federal agencies and contractors. This is especially true when it comes to doing business in the cloud. This is why many government teams utilize Government Community Cloud (GCC), a highly secure version of Office 365 built by Microsoft specifically for government entities, vendors, and contractors within the federal ecosystem.

While the GCC is closely related to Microsoft 365 Commercial, GCC and GCC High are quite different from private sector clouds. The Microsoft DOD product is yet another level meant strictly for Department of Defense (DOD) usage. Each has varying levels of security, target user, and use cases. The key for federal agencies and contractors is to understand each model in-depth, and therefore be armed with the information to migrate to the proper Microsoft cloud infrastructure.

Quick Look: GCC vs GCC High vs DOD

First, let’s take a quick look at the key differences between GCC, GCC High, and Microsoft DOD. Each environment provides varying levels of security and meets various compliance frameworks such as NIST 800-171 or FedRamp.

GCC GCC High DOD
Users General government and vendor users High-security clearance users For federal DOD personnel only
Cost Low Cost Medium Cost High Cost
Regulations FedRAMP Moderate

DFARS

DoD SRG Level 2

FBI CJIS

DFARS

FedRAMP High

NIST 800-53

NIST-800 171

DFARS

ITAR

United States Department of Defense Cloud Computing Security Requirements Guide (SRG) Level 5 (L5)
Cloud infrastructure Azure Commercial Azure Government Azure Government

What is Microsoft GCC?

what is microsoft gcc

Microsoft GCC is essentially a clone of the Microsoft 365 productivity suite, but custom-built for the government environment rather than commercial. The GCC has most of the same features and functionality as Office 365, except that its data centers are located only within the continental United States (CONUS) as mandated by the FedRAMP Moderate standard.

Eligibility

State, local, federal, and tribal governments are eligible for GCC installation and usage. GCC is for screened personnel who can access secure data which resides on CONUS servers. While normal personnel can use GCC cloud, only those who have passed specific background checks can gain access to classified information.

Security Measures

The GCC’s primary security measure in comparison with standard Microsoft 365 is that the servers are located in CONUS per FedRAMP. GCC resides on the Azure Commercial infrastructure and therefore contains fairly standard security features and configurations. Although the servers are only located in North America, access to the data is on a global basis.

Background Check Requirements

Run-of-the-mill staff don’t have automatic access to customer content hosted in the Office 365 GCC environment. Personnel who want temporary permission to access said data need to pass the following background check requirements before they are granted access:

U.S. citizenship Verification of U.S. citizenship
Employment history check Verification of seven (7) year employment history
Education verification Verification of highest degree attained
Social Security Number (SSN) search Verification that the provided SSN is valid
Criminal history check A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
Office of Foreign Assets Control List (OFAC) Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions
Bureau of Industry and Security List (BIS) Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
Fingerprinting Check Fingerprint background check against FBI databases
CJIS background screening State-adjudicated review of federal and state criminal history by state CSA appointed authority within each state that has signed up for the Microsoft CJIS IA program

Cost and Barriers to Entry

GCC pricing is done on a custom basis and can be purchased directly through Microsoft or certified GCC partners. Interested organizations do need to complete a validation process before the environment is established, and volume licensing discounts are available. Currently, only US government agencies are eligible for a free trial of Microsoft GCC.

Other Considerations

Microsoft GCC is the most basic infrastructure of government agencies and contractors. It’s important to note that GCC isn’t completely sufficient to comply with most Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI) handling. That also makes it unable to comply with the International Trafficking and Arms Regulation (ITAR) and the Export Administration Regulation (EAR). That’s because Azure Commercial doesn’t meet import/export control standards.

What is GCC High?

what is gcc high

GCC High is a copy of the DOD cloud environment, intended for use by DOD contractors, cabinet-level agencies, and other cleared personnel. It’s called GCC High because it meets the FedRAMP high impact requirements. GCC High sits on the Azure Government infrastructure, making it a more secure cloud environment than normal GCC.

Eligibility

GCC High can only be used by organizations within the Defense Industrial Base (DIB), DOD contractors, and federal agencies. Anyone seeking to implement GCC High must go through a rigorous validation process with Microsoft before receiving approval.

Security Measures

Azure Government servers used by GCC high are isolated both physically and virtually for sole use by federal agencies and contractors. Unlike the commercial version, Azure Government has US-only sovereign directory services, a more secure setup than servers with global access. Data transmission and processing occur only in the continental US, adding an extra layer of protection.

Background Check Requirements

Average Office 365 users don’t have automatic standing access to GCC High. While the background checks needed to grant access are similar to GCC, there are additional steps with regards to the Office of Defense Trade Controls Debarred Persons List (DDTC) and Department of Defense IT-2 regulations.

U.S. citizenship Verification of U.S. citizenship
Employment history check Verification of seven (7) year employment history
Education verification Verification of highest degree attained
Social Security Number (SSN) search Verification that the provided SSN is valid
Criminal history check A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
Office of Foreign Assets Control List (OFAC) Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions
Bureau of Industry and Security List (BIS) Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
Office of Defense Trade Controls Debarred Persons List (DDTC) Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
Fingerprinting Check Fingerprint background check against FBI databases
Department of Defense IT-2 Staff requesting elevated permissions to customer data or privileged administrative access to Dept of Defense SRG L5 service capacities must-pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation

Cost and Barriers to Entry

GCC High is geared towards a more narrow user base than GCC, and organizations will need to complete the Microsoft verification process. This includes presenting a signed contract proving eligibility as well as a GCC High sponsorship letter from the government entity you’ll be working with.

Other Considerations

One of the downsides to GCC High versus normal GCC is that it’s not as feature-rich. That’s because many Microsoft 365 tools like Yammer don’t reach the security standards necessary to operate within GCC High requirements. Other features like Microsoft Defender have to be completely rebuilt and restructured to be used in GCC High. This makes GCC High more expensive to implement — and potentially operate — than GCC.

What is Microsoft 365 DOD?

what is microsoft 365 dod

Microsoft 365 DOD is purpose-built for DOD use exclusively. It’s one of only four clouds to meet the stringent requirements of DOD SRG Levels 5 and 6. This means that the DOD cloud is legally allowed to house and own the most classified of CUI and CDI.

Eligibility

The eligibility requirements for Microsoft DOD are strict and straightforward. If you’re not a team, agency, or department within the DOD then this product is not available to you.

Security Measures

Since GCC High is a copy of Microsoft 365 DOD for vendors and contractors, security measures are nearly identical in the Azure Government cloud. Once again, data storage transmission takes place on a non-global basis within US borders, with mandatory multi-factor authentication for all user access.

Background Check Requirements

Non-DOD personnel will not have access to Microsoft DOD data and content. Those within the DOD will need to pass background checks identical to GCC High.

U.S. citizenship Verification of U.S. citizenship
Employment history check Verification of seven (7) year employment history
Education verification Verification of highest degree attained
Social Security Number (SSN) search Verification that the provided SSN is valid
Criminal history check A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
Office of Foreign Assets Control List (OFAC) Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions
Bureau of Industry and Security List (BIS) Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
Office of Defense Trade Controls Debarred Persons List (DDTC) Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
Fingerprinting Check Fingerprint background check against FBI databases
Department of Defense IT-2 Staff requesting elevated permissions to customer data or privileged administrative access to Dept of Defense SRG L5 service capacities must-pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation

Cost and Barriers to Entry

To implement Microsoft DOD, you’ll need to submit an application directly with Microsoft prior to being able to purchase the product. Obviously, the main barrier to entry will be whether or not you’re DOD. These deployments are likely to be the most expensive due to the security and customization requirements and are done on a custom basis.

Other Considerations

One important functionality distinction between DOD and normal GCC is the lack of capability to host and conduct live events for security and compliance purposes. Moreover, Microsoft OneNote is not available on DOD, while it can be used in GCC and GCC High.

Which Government Cloud Option is Right for You?

In light of recent government data breaches, it’s critical to select the right Microsoft GCC for optimal data security. With Varonis as a Microsoft Silver Partner, you’ll be able to assess your use case, budget, and security requirements to select GCC, GCC High, or DOD. Moreover, Varonis functions as a cloud data security platform to help you manage and protect data stored in the Azure Commercial or Government clouds, adding critical functionality that isn’t baked into the native Microsoft security and compliance tools.

In general, non-defense-related government agencies and contractors will be best served by the normal GCC. You’ll have access to the full suite of the functionality of Microsoft 365 at a lower cost and fewer headaches as it relates to approvals and background checks.

It’s you work with highly sensitive CDI or CUI, then GCC High is probably the best cloud infrastructure. While you’ll lose a bit of functionality, GCC High will ensure compliance with regulations like FedRAMP High and ITAR.

Integrating GCC into Your Cybersecurity Posture

No matter which Microsoft government cloud you choose, Varonis will help you take a data-first approach to cybersecurity and compliance. This is especially critical in ensuring the data integrity of information used in the defense industrial base. When selecting a government cloud, you’ll also need to familiarize yourself with which regulatory frameworks you need to comply with and have a technology platform to monitor and track compliance.

Productivity in the cloud is the standard operating procedure for all organizations, federal agencies and contractors included. By knowing the ins and outs of GCC, GCC High, and Microsoft DOD, you’ll be able to handle classified information and utilize the Microsoft suite of tools necessary to stay productive and serve the public interest.

David Harrington

David Harrington

David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.