There is an update to this article found at:
https://aka.ms/MSGovCompliance
Updated Sep 23, 2024
Version 18.0
RichardWakeman
Microsoft
MicrosoftBlog Post
1 MIN READ
Understanding Compliance Between Commercial, Government and DoD Offerings - September 2023 Update
RichardWakemanMicrosoft
Microsoft
Shawn_VeneyMicrosoft
MicrosoftThere are two issues often at play here; one is that the customer ultimately decides what to purchase. many factors drive those decisions and cost is obviously one. we try to ensure customers can make the most informed decisions, but I've been witness to many decisions that were regretted. We do not 'police' the customer and force them to choose one service over another. Sometimes the customer makes a well-informed decision but is driven by price or other factors; sometimes they do not make that well informed decision regardless of how much we try to get the right information to them. Secondly is the issue of understanding what you buy. The way the question above is framed demonstrates a consistent challenge i.e. a common misconception that the purchase of one of the services equates to the same level of compliance in whatever support channel the customer purchases or engages in. We try to make very clear that support is a different system. We also have many cautions we publish for our government customers that might engage support to ensure they understand what cautions they should take (and assumptions to avoid) when engaging support. I could add that there is a third possible issue at play which is that a customer may overextend their perception of their government requirements into an assumption that they can only engage with US based support personnel. If there is no exchange of CUI; the customer may engage a support person and receive assistance necessary to unblock their situation having never exposed anything sensitive to the support persons involved. Many customers choose to enact their own internal Tier 1 type support functions to ensure that any escalation to an external service provider remains 'sanitized' and that a user has not provided more data than necessary to the wrong parties perhaps not knowing they needed to request specific support for their issue if sharing controlled data etc. Hope that helps provide some context.
