Updated Sep 23, 2024
Version 18.0
RichardWakeman
Microsoft
Public Sector Blog
Is it possible to not remove this article or be sure it's marked "Archived?" There are a lot of Q&A in the comments that I'm sure folks find helpful that will be lost if the page is removed. Right now there's 3 iterations of this article (this one, the Feb 2021 Update, and the March 2022 Update), so I understand how having all 2 out there could be confusing. Maybe we can either roll-in the Q&A from this article or ensure it's covered in the latest update?
Shawn_Veney
Thank you for the quick response. Your answers point out why this thread is so incredibly important. There is a LOT we (government IT and the end users) don't and seemingly can't know about the interaction of the systems we use. Unfortunately we are the ones ultimately responsible for compliance even when we don't have all the answers and the visibility we need.
The problem with Word translate is a relatively easy one to solve. Don't use it. Sorry. It is attempting to communicate with a blocked country. I don't know WHY. It didn't use to. But it is now. Use the translate service in Outlook instead. It still works for now.
In the case of the Word document communicating with Dublin, that was picked up by our EDR before the firewall noticed it. I guess it is possible that the process associated with the document was actually the application trying to send telemetry data. Unfortunately we can't know that for certain.
I do appreciate your very thorough explanation. Microsoft is certainly not the only company where we experience these types of concerns. As long as the AHJ (Authority Having Jurisdiction) continues to hold us accountable, we are going to remain suspicious.
Dave, fair question, and I get a lot of variations on this, i.e., why do I see OCONUS IP data in my logs, etc. There are numerous reasons for this that differ based on the product or service in question. At a high level there are 3 categories of issues.

First is telemetry. We manage a global service fabric and there is telemetry infrastructure worldwide to support that. Often there are system-level issues being logged into the most responsive infrastructure; other times one region is checking the health, performance or other updates to validate across the global fabric. In each of these scenarios it is important to note that in our commitments to government services we commit we will not send or store your content outside the accreditation boundary. These interactions are limited to what we classify as system data. We've invested in, and implemented, significant automation to ensure data is appropriately 'scrubbed' before it's sent to or logged into any of our underlying service repositories.

Second, there is a category of issues that fit into more complex 'by design' scenarios where analysis shows that users were engaging with services, content, etc. across regions, which incurred logging of OCONUS addresses, etc.

Lastly, there have been defects at times that erroneously log data that creates false positives. In all examples our commitment is to ensure we maintain the customer data within the accreditation boundary. We cannot prevent customers from cross-regional interaction, and many government customers have justifiable OCONUS missions requiring such. Ultimately this becomes a balancing act where a black/whitelist, geofencing, etc. can have unintended performance requirements. Over time I have found data-layer protections much more effective than network-layer ones due to the increasingly complex dependencies on global infrastructure as well as the increasingly global composition of workforces and missions.
By implementing a fuller range of ZT (zero trust) capabilities we've seen much more effective protections evolving at pace with more dynamic traffic needs. I do sympathize with the challenges having been there myself in previous roles. You should be able to engage your support team to help you find answers specific to the scenarios you encounter; any recommendations we may have; where geofencing or other constraints are known to create possible performance problems etc.
RichardWakeman
Great series of articles! Have to read them a few times over to make certain I understand them entirely.
What led me here (to this series of articles) is trying to determine why certain M365 applications operating under a GCC / G3 license are attempting to communicate overseas. We documented MS Word attempting to communicate with Dublin, Ireland. We have also seen the translate feature in MS Word attempting to communicate with Singapore and a number of other PacRim countries (from most of which we are geofenced by our firewall). Oddly enough, the translate feature in Outlook doesn't do that. I have reached out to Microsoft but they have not been able to answer the question. The communications are TLS, so I do not yet know precisely WHAT they are attempting to send, but it should be relatively easy to answer the question of WHY they are attempting to talk at all.
Sean, I'd highly recommend an MSP request a copy of the System Security Plan to understand the scope of responsibility they incur in their role based on the scope of service(s) provided. This is where you would find the details to ensure parity between what the underlying service is providing in their control scope and what the MSP would need to implement. But specific to this one control it most definitely implies citizenship.
RichardWakeman what is the requirement from a Managed Service Provider support personnel to administer and support GCC High? What does the term "screened US Persons" mean? Does that imply personnel has to be a US citizen?
Hi VARenee, yes, I will be updating this article in the next couple of weeks. Typically, we do not update blogs, but re-post. It may show up with the same title and "November 2020 Update", or something like that. TBD.
Hi! Thank you so much for this great reference; it has been very helpful in my understanding. Will this be updated from what was brought up here: https://techcommunity.microsoft.com/t5/public-sector-blog/office-365-government-gcc-is-now-fedramp-high/ba-p/1833182?
Hi RogueAgent, while it is true the Microsoft Authenticator app does not currently use FIPS-validated crypto modules, it is rather a moot point for many of our customers that require it. At the end of the day, standards and regulations such as NIST 800-53/171 will require you to enforce an MDM solution on your mobile devices. Should you choose a device with encryption that is either FIPS validated or even certified (e.g. iOS & Knox), then you pick up the required encryption from MDM enforcement. That said, we do have a roadmap for native encryption to use validated crypto. There is also discussion of Intune enforcing the encryption for MDM and MAM configurations.
Hi RichardWakeman! Can you please verify that the MS Authenticator Android/iOS app uses FIPS validated crypto modules to generate the TOTP codes? NSA's very recently updated MFA solutions documents (page 6) indicates that it does NOT. I haven't been able to locate any Microsoft documentation on this. Thank you in advance!