The existing DoD requirements (i.e., DFARS 7012) and the pending Cybersecurity Maturity Model Certification (CMMC) rule demand any cloud service offering storing, processing, or transmitting Controlled Unclassified Information (CUI) must have a FedRAMP Moderate (or better) authorization or be FedRAMP Moderate (or better) equivalent.

First things first, is Microsoft’s Government Community Cloud – High (GCCH) FedRAMP Authorized? Not yet. As of June 2024, the FedRAMP Marketplace lists Microsoft GCCH “FedRAMP In Process.” Because of GCCH’s status, companies using GCCH must use some other method for knowing that GCCH is fit for purpose. Fortunately, the DoD published a memorandum that spells out how to establish FedRAMP equivalency.

In effect, the Defense Industrial Base (DIB) and elements of the DoD itself must complete a review of the GCCH Body of Evidence (BoE). The DoD’s Defense Industrial Base Cybersecurity Assessment Center has provided a handy checklist that makes it clear what to look for in a body of evidence.

To get the necessary document collection (the BoE) from Microsoft, DIB vendors must send an email from their GCCH tenant point of contact–frequently your tenant administrator–to O365FedRAMP@microsoft.com. The email should make the request for such access and explain why access is necessary. Microsoft should grant your GCCH persona access to the document collection through their Service Trust Portal under the “Resources for your Organization” section. Of course, Microsoft imposes a non-disclosure agreement on further release of this material so handle the material with care!

And if the above seems like more than you want to accomplish yourself, then email or call us and let us have a conversation between you, our Sales Team and our Security and Compliance Team. Let our 80+ years of combined experience help you!

Happy downloading and BoE reviewing!