To GCC or Not to GCC? That Is the Question!
To GCC, or not to GCC, that is the question:
Whether 'tis nobler in the cloud to suffer
The slings and arrows of outrageous hackers,
Or to take arms against a sea of regulations
And, by opposing, exceed them. To log out—to unplug,
No more; and by unplug to say we end
The heart-ache and the million electrical shocks
That IT is heir to: truly 'tis a compilation
Devoutly to be wish'd. To log out, to unplug;
To unplug, perchance to live—ay, there's the glitch:
For in that final logout of unplugging, what life may come,
When we have placed upon the table a final time
The proverbial smartphone, this cyber-coil,
Must give us pause—there's the respect
That makes calamity of so long our IT life.
Introduction
This article is a follow-up response to questions from numerous clients and can be used as a [partial] companion to Tom's presentation "Understanding Security in Office 365: Beyond SharePoint" given Oct. 20, 2018 at SharePoint Saturday Baltimore.
The topics discussed in this article do not require any special IT skills. However, they do go into federal law and regulation, so they can be quite technical and complex in spite of this.
This article is intended for those customers who may be facing a decision about Office 365 and the Government Community Cloud, specifically contractors for the US federal government and/or Department of Defense. This includes those doing business (or seeking to do business) with the US federal government, and some businesses that may be affected by international export laws. (If you're a federal employee working at a govt. agency, you might learn something, but this article wasn't specifically meant to address your needs.)
If you find this article helpful and you need assistance untangling the intricate web of information security regulations surrounding cloud solutions (DFARS/ITAR/NIST/FISMA/FedRAMP/etc.), please feel free to check out our security offerings and contact us right away, so we can learn more about your company and apply this information to your specific business concerns.
What Is The GCC?
Let us take a step back, because surprisingly not everyone knows about this - and some people who have heard about GCC may need some clarification.
In response to the U.S. Government's needs, primarily around security, Microsoft has divided their US data centers into three areas:
- US Commercial Cloud
- Government Community Cloud
- GCC High / DoD
It is important to understand why this was done. It is our understanding that the data centers for options 2 and 3 above are both physically and logically separated from option 1. The GCC environments are at the same physical location, but they are logically separated from each other and there are other protections between them that protect data in the GCC High systems.
Option 1, the commercial cloud, has been around the longest. There are several US data centers. It also has many customers, some of whom have a globally distributed user base. Some of the people who work in Microsoft support or in the data center may be doing so through offshoring arrangements or under US immigration programs such as H-2B.
Option 2, the GCC, was created in part to meet the needs of federal agencies where regulations require that their systems do not share physical or logical space with those of non-government entities. Only the US Government - and its approved suppliers - are permitted to subscribe to and operate in GCC.
As the name implies, option 3 "GCC High / DoD" was designed to meet the needs of the Department of Defense. This includes some - but not all - defense contractors; more on that later.
Is Being in the GCC a Good Thing or a Bad Thing?
We would say it depends on who you ask.
Personally, from a business perspective, being told that you MUST be in the GCC would be a very bad thing. Not only will you suffer great expense in the process (license costs, up-front yearly payments, migration work, etc.), but being in GCC also means that you won't be getting the latest features available to commercial Office 365 customers for a long time (or in some cases, maybe never).
On the other hand, where your work with the federal government requires it, being in the GCC (or GCC High) can help you qualify (and stay qualified) for certain federal contracts. Having a presence in GCC provides a level of confidence that you are meeting all the government's requirements, and will continue to do so even if they change in the future.
So Which Office 365 Do I Need?
We wish we could say the answer is simple, but we'll do our level best to demystify this as much as possible.
First, we know there are those out there who do not like to read. (But seriously, what are you doing here? The Internet is made of words! Did we write all this only to generate authority points and SEO for Google?) Even so, let's throw you TL/DR folks a bone with this nice infographic/chart:
| Who Needs to Meet… ↓ / We are a… → | Foreign Owned Business | US Commercial Business | US Federal Contractor | DOD Contractor | Federal Agency |
|---|---|---|---|---|---|
| DFARS | See "DoD Contractor" >>> | See "DoD Contractor" >>> | See "DoD Contractor" >>> | Office 365 [E3 + EMS] (May Vary) | N/A |
| FISMA/NIST Moderate or Low Risk | Office 365 | Office 365 | Office 365 or GCC | Office 365 or GCC | GCC |
| ITAR | Own a US Business | See "Fed Contractor" | GCC or GCC High | GCC or GCC DoD | N/A |
| FISMA/NIST High Risk | Uhhh... Nope! | See "Fed Contractor" | GCC High | GCC DoD | GCC High |
For federal contractors, there are a few federal agencies and/or regulations that specify rules determining what version of Office 365 you need:
- NIST
- FISMA
- FedRAMP
- ITAR
- DFARS
Let's talk about each of these in a bit of detail - but in plain language anyone can understand:
NIST Compliance
NIST (the National Institute of Standards and Technology) is the organization responsible for setting IT security standards for the government; those standards also serve as best practices in the industry as a whole.
When you hear folks talking about "NIST compliance", in most cases they are referring to meeting the requirements spelled out in two documents called Special Publication 800-53 and 800-171 written by NIST. While these documents are sometimes slow to keep up with the times, they are continually maintained, and recent updates have started to specifically address cloud systems.
NIST mandates a different set of requirements depending on whether your work with the federal government is considered "low risk", "moderate risk", or "high risk".
The Office 365 Commercial Cloud is already certified under FedRAMP (more later) at the "moderate risk" level. So, if your contracts with the federal government do not require you to store or process information that is considered "high risk" you likely don't even need to consider the GCC as an option at all.
FISMA and FedRAMP
FISMA (the Federal Information Security Management Act) is a law specifying that IT systems that store or process government information need to follow certain rules. FISMA is the Act of Congress that gives NIST regulations their teeth, and it has been the law of the land since 2002.
Among other things, FISMA also requires that contractors obtain an ATO (Authority to Operate) for their IT systems that serve government projects. An ATO normally has to be obtained separately within each federal agency. This is a big pain in the rear, and it can have the effect of stifling innovation, since it can slow or halt the adoption of new hardware and software.
One commonly cited rule for FISMA-compliant systems to gain ATO is that they must be separated from those accessed by non-government users. Before the cloud craze, back in the early days of virtualization, it was very challenging to explain to purchasers, contracting staff, and security officers that this didn't necessarily require physical separation. Data centers that obtained FISMA certification were able to charge premium rates.
The government recognized the need to update and clarify FISMA requirements in order to properly adapt with the times. Thus, FedRAMP was born. FedRAMP was established in 2010 under the Obama administration through the GSA. Among other things, FedRAMP provided a mechanism to standardize security under FISMA across all agencies, putting an end to the need to chase separate ATO for every contract. Certify once under FedRAMP, and the whole federal government is your potential customer.
If you're not in the business of building hardware or software, this probably doesn't mean very much to you and your business. On the other hand, it helps to understand why Microsoft would be motivated to qualify for FedRAMP and the benefits that conveys to all Microsoft's customers in the cloud.
Simply put, build your solution or IT infrastructure on Microsoft's cloud and be assured it will meet the US government's requirements.
But this is not the end of the story, so let's talk about some other rules that may be at play.
ITAR
ITAR (International Traffic in Arms Regulations) has been around since 1976, during the Cold War. ITAR is published in the Federal Register and is created and maintained by the executive branch. As such, its requirements can be modified by executive order and do not necessarily require a change in the law. ITAR was designed to help the federal government control the export of US military technology (e.g. "weapons").
Two fun facts about ITAR that many people do not know:
- Being a weapons manufacturer or even a military contractor does not necessarily imply that your business is subject to ITAR. This set of rules applies to a specific list of military weapons (e.g. not hunting knives or handguns!) and businesses subject to ITAR are required to register with the federal government. So, if ITAR applies to you, someone in your company will know. Though your mileage may vary, if you don't make advanced military tech and if you aren't involved in international trade, chances are very good that ITAR does not apply to you.
- Most encryption we rely on today to keep the Internet secure was considered a military weapon up until as recently as 1997, even though most banks worldwide had been using it for decades. In fact, back then all our copies of Windows 95 and NT had a "not for export" warning printed on the CD label. (So much for a common sense understanding of what constitutes "advanced military technology", huh?)
So, what does ITAR require? There's a lot there, but here are two things we often hear the most about:
- Information must be stored in a way that is physically isolated / separated from all other commercial entities.
- Non-US-citizens may not have access to those information stores.
Sounds reasonable enough, considering what we're talking about protecting.
This was a huge problem in the Office 365 Commercial Cloud, because of course those systems are shared by many, many businesses, and also there are people all over the world who may be answering your support calls for help with SharePoint, Outlook, Teams, or what-have-you. There was a time before the GCC when a SharePoint server sitting under the boss' desk was considered more ITAR compliant because he had a lock on his door and the cleaning people weren't given a key.
So, if you're subject to ITAR and you want to use Office 365, it seems pretty clear you're going to be in the GCC, though depending on your company size you may not be there now if you moved to the cloud before 2016-2018, when GCC was created and subsequently made available to smaller businesses. But do you need to be in GCC High / DoD?
We would say that if this is your situation, you might very well need GCC High. However, we can think of several examples of clients who manufacture and export products that are on "the list", who not only wouldn't be required to join GCC High but also aren't permitted to.
Basically, if you've been authorized for GCC High by someone in the Department of Defense, then you should start looking at how to leverage that. What if you know you're subject to ITAR, but you aren't working with any federal agency in particular? Well, this would be a very strange situation to find oneself in, but if that's you, maybe it would be time to call up your best government customer and get them to agree to provide you a sponsorship letter, at least for GCC if not GCC High.
All that being said, moving your whole business into GCC because you make one specific model of airport screening equipment that puts you under ITAR would probably be a colossal mistake. Read on for some ideas about how to resolve this issue.
Wow, that was a lot about ITAR (and pretty heavy stuff), but we're not done yet. Let's change gears and talk about the other big DoD rule, DFARS.
DFARS
DFARS (Defense Federal Acquisition Regulation Supplement) is derived from FAR (the Federal Acquisition Regulation). Like its cousin ITAR, it is part of the Federal Register and maintained by the Department of Defense under the executive branch (and therefore it is subject to executive order). When we talk about DFARS and IT, most folks are talking about the changes that took effect at the end of 2017 under the rule "DFARS 252.204-7012".
For the most part, these rules require that contractors for the military must follow NIST practices, or risk being debarred from federal contracts if they are found to be non-compliant.
There were a couple of interesting points developing out of the 2017 rules changes:
- Most DoD contractors aren't doing anything sensitive or classified, so they are likely perfectly fine to be in the Commercial Cloud, though those who do need to be in GCC probably need to just go directly to GCC High / DoD.
- DoD is on record stating that Office 365 E3 [is the cheapest level Office 365 plan that] meets DFARS requirements. (Many customers have told us that the same cannot be said about Google Apps for Business.)
- DoD wants all contractors to start using secured email services when they communicate with the military, such as S/MIME based signatures and encryption.
- DoD hasn't provided much guidance regarding under which circumstances they will provide such secure email accounts themselves, and when they will require the contractor to obtain their own.
- DoD also wants contractors to meet NIST requirements, which may mean you need to start using Office 365's bigger brother, Microsoft 365, instead.
- To further complicate things, there are a limited number of certificate authorities who are trusted by the federal government to issue certificates needed for such schemes. (Comodo is out of the question. Symantec was in this business but sold it off. Options are limited.)
Hopefully that makes everything perfectly clear with respect to the rules governing IT security and working with the US government and/or Department of Defense.
O.K. We Know We Need GCC; How Do We Get It?
Alright, your people agree that, for one reason or another, some part of your business needs to be in the Government Community Cloud. But how do you get there?
Number one, it makes a big difference if you need GCC High or not.
If you require GCC High, there are currently only 5 vendors in the USA that can get this to you, since Microsoft has been playing it very close to their vest on this. (We have been working since spring 2018 to change this, and if it ever does, we'll update this article.)
Two good choices are Planet Technologies and Summit 7. Personally, we really respect the security experts at Summit 7 and know that they do a very good job. We have been able to work effectively to mutually support Office 365 customers, with Summit 7 providing licenses and us providing consulting, additional support, and other professional services.
If you only need regular GCC licenses, you can rely on Liquid Mercury Solutions to provide those to you. We're working with Microsoft to get everything in place in Q4 2018. Feel free to reach out if this is what you need.
But, Do We Really Need to Move All 30/300/3000 People in Our Company Into GCC?
Perhaps you are thinking "This is terrible! What can we do?"
These strategies will not work for everyone, but here are a few tips that might be effective:
Tip #1 Future Proof, Not Bulletproof
There is a tendency when working with government spec to over-engineer things somewhat. People will run to the most secure offering as a knee-jerk response, motivated by the fear of what may happen if they don't. We tend to want to know that nothing will ever - ever - undermine or change the decisions that we make today. However, the truth is none of us know what tomorrow will bring, so plan for the worst, but don't overdo it. There's no requirement to cover your Office 365 tenant in gold plating or reactive armor.
Perhaps your concerns revolve around the idea that maybe "moderate risk" is OK today - but down the road you worry about Microsoft's compliance certifications shifting, or your business developing a higher need or upgraded risk. Consider for a moment all that Microsoft would stand to lose if someday they were told that Office 365 would no longer meet FedRAMP/FISMA requirements. What steps might they be willing to take to ensure that never happens? Take a deep breath; remember that even if you suddenly win a "high risk" project, everything will likely be just fine if you planned ahead of time for what costs and changes go along with that.
Tip #2 For Your Eyes Only
You can structure your business to compartmentalize the aspects of it that require GCC / GCC High. Frankly, this should be common sense. If your business is organized in a way that keeps government dealings apart from commercial ones, it will not only be less restricted by security rules, it'll also naturally eliminate potential risks. The government knows this and builds compartmentalization into its system for handling classified or sensitive information. Why not consider building your government business on a "need to know" basis as well?
For example, you probably don't need GCC High e-mail for all your sales and marketing people, especially if only a handful ever deal with selling to the military or federal agencies. Do your executives or board need the same level of security as those people working on federal projects?
As an ultimate step, you might avoid over-regulation by breaking your company in two. We've seen this happen at companies like AvePoint, where the government side of the business eventually became AvePoint Federal.
If your current organization is just too disorganized or too deeply embedded with the government, such as if you are already registered with ITAR or GSA, then how about forming a parent company to control it that does not need to worry about these things? It may be worth looking into. (Remember to keep in mind that there are rules about who can own such a business and how communications should be tracked between the regulated subsidiary and the unregulated parent.)
Tip #3 GCC High is more secure, but it's not in a SCIF!
There seems to be some kind of weird misunderstanding going around that, just because it says "DoD" on the label, GCC High must be in some kind of bunker at an undisclosed location, behind a series of Maxwell Smart security doors, and without any Wi-Fi!
Nothing could be farther from the truth. GCC High is accessible over the Internet - maybe even from Germany, our fiercest of allies!
You can connect to e-mail in GCC High using a plain old smart phone, just like the one POTUS uses to send out the Twitter. No special mobile application is required; plain old POP/IMAP/SMTP with a login and TLS encryption will work just fine.
Sure, it is true that I can't use my GCC account to log in to anything at all in the commercial Office 365. However, I can log in to both my GCC account and a commercial one at the same time. (How would we ever migrate people's email if we could not do this? Portable USB drives and PST backups, we suppose. However, BitTitan does exactly what we just described - no PST or thumb drive required.)
From a technical perspective, it's entirely possible to form connections between information in regular Office 365 tenants and those in GCC or GCC High. It just hasn't been done very often - probably too expensive and maybe just a bit scary for some folks.
There's even paperwork you can fill out to authorize the connection between GCC High and your office; what the systems in your offices do from there is up to you. It's easy to imagine something along the lines of "Sync the GCC High folder in OneDrive for Business to a network share at the office, then also sync that same share over to Office 365." Even so, asking your FSO if this violates any security rules would probably be a good idea before trying it.
What we mean to say is that GCC and GCC High are built to be mostly the same as regular Office 365; they use the same kinds of open, Internet based services. Most of their value comes from being accessible. Today, people may be wary, because GCC High is new and not well understood. Over time, some things that work now may even get locked down. Better guidance about what kind of connections and integrations are allowed will likely follow.
Within reason, you should not be afraid to develop solutions that work for your organization, even if they have to make a few connections to-and-from the GCC. Having a policy in place to document such connections is a NIST requirement, and if you follow that, we're confident you'll stay clear of any trouble as long as you keep the other side of those connections within a US data center.
Tip #4 "A man can do two things!" - Philip J. Fry
As far as we know, there is no rule published in the Federal Register that says you must choose one and only one solution for your business.
Have you thought about operating in Office 365 for most things and GCC only when you really need to? There may be circumstances under which this would be a perfectly acceptable option - and it may save you a lot of money.
Things to Consider
Of course, doing any or all of these depends greatly on many factors. Consider these points as you plan your strategy:
- Is the need for GCC coming from contracts that you have or contracts that you hope to win someday?
- Things change over time. How certain are you that the environment(s) you choose will meet the requirements you need five or ten years down the road?
- Can your entire organization live without the features or updates you'd be giving up if you went all-in on GCC?
- Could you meet the need by running two systems (e.g. GCC *and* commercial 365), instead of forcing people to exist only in one or the other?
- People using Office 365 in different tenants may not be able to share documents that way, but they can certainly send emails to each other and attend one another's meetings in Skype or Teams. Things will be OK if you develop plans for how people with different tools can still work together when they need to.
Conclusion
In this article, we've described the different offerings for Office 365 in the USA for commercial customers, government agencies, and contractors. We walked through what makes each offering different and why they were created that way. We summarized the history of federal regulations surrounding IT security, and we explained where these can have their most significant impacts on choosing which cloud platform you need. We also provided several strategies for dealing with the need for a more secure and costly version of Office 365.
We hope this information helps inform your path forward, but we know your journey is only starting. The topics described here are far more complex than can be contained in a single article. There are many things to know that we couldn't fit here, and every business' needs are unique to its own specific situation.
If you'd find value working with a Microsoft partner who's experienced in these security concepts - both from a regulatory standpoint and in their specific technical implementation - Liquid Mercury Solutions is here to help. Give us a call today to start a conversation about Office 365 and/or GCC. We'd love to hear from you!