Protecting sensitive data like Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) has become a top priority for the U.S. Department of Defense (DoD) and its associated contractors.
As technology evolves, security measures concerning sensitive data are constantly adjusting to keep up. New cloud-based solutions require contractors to consider the risk of data ending up in the wrong hands. This includes inadvertent exposure to the public and sophisticated attacks by foreign adversaries.
To protect the confidentiality of DoD and DoD contractors’ sensitive data, companies like Microsoft responded with highly compliant solutions like the Azure Government Community Cloud High (GCC High) cloud platform. Unlike the standard GCC environment that operates in the Azure Commercial cloud with global directory services and global support personnel, GCC High is in the physically segregated Azure Government cloud environment that only operates in the Continental United States (CONUS) with U.S.-based, screened personnel. This is a must for compliance with current and future DoD contracts that are subject to requirements for Export Control (i.e. ITAR / EAR), CONUS, data sovereignty, U.S. Citizenship, or NOFORN (no foreign nationals), including contracts with certain CUI data categories (i.e. “CUI Specified”) that are also subject to these requirements.
Qualifying to use GCC High was previously a difficult and time-consuming process that Microsoft has greatly simplified. In this post, we'll explain the recent changes to GCC High, walk through the new GCC High qualification process, and help jumpstart your migration plan.
In the past, only U.S. Government entities (Category 1) and contractors processing certain data (Category 3) could purchase GCC High. Excluded were Solutions Providers (Category 2) and all other contractors. The GCC High qualification process was lengthy, in-depth, and required burdensome documentation. Contractors had to provide a signed contract or signed DD Form 254 that specified one of the few eligible controlled data types, or a signed sponsorship letter. This long, difficult process left many contractors anticipating CUI requirements in upcoming contracts, with no way to get qualified for GCC High in time.
Microsoft loosened GCC High restrictions in response to the DFARS Interim Rule, current NIST SP 800-171 requirements, and future CMMC requirements. This makes the platform inclusive of more DoD contractors and greatly speeds up the qualification process.
As of January 2021, all three categories of eligible customers may purchase GCC High through a new, streamlined qualification process that no longer requires validation of contracts or sponsorships.
Contractors had to jump through several hoops, wait out extended delays, and navigate a confusing process to get qualified for GCC High by Microsoft.
First, each contractor had to prove they had a contract that specified the narrow categories of controlled data types accepted by Microsoft. Then, they had to find a sponsor organization to spend hours communicating and coordinating with Microsoft throughout each step in the process. Finally, contractors and their sponsors had to compile and send extensive documentation to Microsoft for approval.
Any DoD contractor with a CAGE Code or DUNS Number via the GSA System for Awards Management (SAM) can migrate to GCC High and leverage its enhanced cybersecurity posture and compliance measures related to NIST SP 800-171, FedRAMP High, ITAR / EAR / Export Control, and more. Contractors now get to skip what was a long, tedious qualification process in favor of an automated, online service. Here are the simple steps:
The GCC High cloud environment represents a strong commitment by Microsoft to enhance cybersecurity and compliance for the DoD and the Defense Industrial Base (DIB) of DoD contractors. Migrating to GCC High provides a secured environment, restricted to DoD / U.S. Government agencies and their contractors, that is the foundation for being able to sufficiently protect sensitive CUI and comply with DFARS 252.204-7012, the DFARS Interim Rule, NIST SP 800-171, and future CMMC requirements.
The numerous Microsoft cybersecurity tools and capabilities available for the GCC High platform and customized for DoD / Government – many of which integrate with Microsoft Office 365, Office Online, Exchange Online, SharePoint, OneDrive, and Teams – can significantly reduce the complexity and costs of implementing your long-term cybersecurity and compliance strategy.
Peerless is a Microsoft partner with the expertise to help your business migrate to GCC High quickly, securely, cost-effectively, and easily. We'll walk you through every step in the migration process, offering clear guidance and success strategies along the way.