Are you an IT leader in your organization, needing to choose the right Microsoft cloud platform for your company? Your security and compliance requirements play a key part here. Which of the available options (Microsoft 365 Commercial, Microsoft GCC, Microsoft 365 DOD, and Microsoft GCC High) meet your requirements? How do the security and compliance requirements vary for them? How can Observian help you to choose the right platform to get started? Read on, as we answer these questions below.
Most of the users of the Microsoft Cloud Platform know about Microsoft 365 Commercial. Not only is this Cloud Platform used by enterprises, but small and medium businesses use it as well. This platform is also applicable for a variety of other entities, such as academics, individual users of Office 365, and more.
Microsoft 365 Commercial offers the largest number of features and tools among all of the cloud platforms offered by the company. It’s been around for the longest. This platform uses the Azure commercial stack.
Microsoft 365 Commercial has near-global availability. It has the lowest price points among all of the Microsoft cloud platforms. Microsoft uses data centers in various countries to offer this platform, and furthermore, offshore teams also support it.
All kinds of organizations and individual users can buy a Microsoft 365 Commercial plan. You don’t undergo any validation concerning the type of organization you’re a part of. That’s a key difference from the other Microsoft cloud platforms that we will shortly talk about.
Microsoft 365 Commercial supports several common regulatory and compliance frameworks like:
Microsoft 365 Commercial offers commonly known tools to manage compliance and security, such as:
Do you plan to meet FedRAMP (Federal Risk and Authorization Management Program) requirements using Microsoft 365 Commercial? Consider the following:
What if Microsoft modifies this commercial cloud platform after you undertake this complex exercise? This will require you to assess any gaps and create/apply patches.
You can think of Microsoft GCC (Government Community Cloud) as a copy of Microsoft 365 Commercial; however, there’s a key difference. GCC uses data centers that are physically located within the continental United States. FedRAMP Moderate controls mandate this.
GCC has some similarities with Microsoft 365 Commercial in terms of tools and features:
Team members supporting GCC need to meet several employee background check requirements:
You need GCC only if you have specific compliance requirements, FedRAMP Moderate for example. Consider using GCC only if your organization is classified as a US-based government organization.
Your organization must be authorized to handle data that meets these compliance requirements. Confirm with Microsoft whether your organization is eligible for GCC.
In addition to the compliance frameworks supported by Microsoft 365 Commercial, GCC supports the following:
Note: GCC doesn’t support the DFARS flow-down requirements. Microsoft doesn’t contractually agree to support DFARS on GCC. Microsoft won’t demonstrate DFARS compliance to your customers, vendors, or business partners.
GCC can’t support the following requirements:
GCC utilizes the identity component and network of Azure Commercial. Azure Commercial has global availability and isn’t limited to US citizens only. Therefore, it can’t satisfy import/export controls, nor can it support the above-mentioned requirements.
Microsoft 365 DOD is a cloud platform for the US Department of Defense (DoD) only. The US DoD might approve certain service providers or entities that qualify for Microsoft 365 DOD. There’s no exception to these stringent eligibility criteria.
Microsoft 365 DOD uses data centers in the continental United States only. Microsoft restricts the administration and support roles for this platform to US-based personnel only. This platform uses the Azure Government network.
Microsoft 365 DOD follows the employee background verification process. This requires all of the verification criteria of GCC above; however, it’s more stringent. It needs DoD IT-2 adjudication.
Microsoft 365 DOD supports all of the compliance and security requirements supported by Microsoft 365 Commercial. Furthermore, it supports the following requirements:
This platform does not support FBI CJIS requirements.
Organizations in the Defense Industrial Base (DIB), DoD contractors, and Federal agencies that need to meet specific security and compliance requirements can use Microsoft GCC High. If you look at it technically, you will find that Microsoft GCC High is a copy of Microsoft 365 DOD. However, Microsoft GCC High exists in a separate environment. GCC High uses data centers in the continental United States only.
Only US-based government organizations qualify for GCC High. Furthermore, they need to confirm their eligibility with Microsoft.
Microsoft GCC High requires the same level of stringent employee background verification as Microsoft 365 DOD. The features in Microsoft GCC High vary from those in the Microsoft 365 Commercial cloud:
In addition to supporting all of the compliance and security requirements supported by Microsoft 365 Commercial, Microsoft GCC High also supports the following requirements:
GCC High does not support FBI CJIS requirements.
We talked about the 4 cloud platforms offered by Microsoft: Microsoft 365 Commercial, Microsoft GCC, Microsoft 365 DOD, and Microsoft GCC High. Now you need to get started, but this can be complex. How can you buy Microsoft GCC or Microsoft GCC High? Here at Observian, we can help.
Observian is an official Microsoft partner in the digital transformation landscape. Our cloud security and compliance services help businesses and small teams to safeguard their data. We help you to meet your compliance requirements and validate your eligibility for GCC or GCC High. Contact Observian today for help with licensing and transition to a suitable Microsoft cloud platform for your organization.