US Department of Defense (DoD) Provisional Authorization at Impact Levels 2, 4, and 5

DoD and DISA overview

The Defense Information Systems Agency (DISA) is a combat support agency of the US Department of Defense (DoD). It provides an enterprise information infrastructure, communications support, and a secure, resilient enterprise cloud environment for the DoD, the White House, and any other organization that plays a role in the defense of the United States.

To implement its mandate, DISA developed the DoD Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements for cloud service providers (CSPs) that host DoD information, systems, and applications, and for DoD's use of cloud services. It replaces the DoD Cloud Security Model, and maps to the DoD Risk Management Framework and NIST 800-37/53.

DoD Cloud Service Support defines the policies, security controls, and other requirements in the SRG, which it publishes and maintains. It guides DoD agencies and departments in planning and authorizing the use of a cloud service provider. Cloud Service Support also evaluates CSP offerings for compliance with the SRG — an authorization process whereby CSPs can provide attestations of compliance with DoD standards. It issues DoD Provisional Authorizations (PAs) when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.

Microsoft and US DoD Provisional Authorization

Microsoft's government cloud services meet the demanding requirements of the US Department of Defense, from impact levels 2 through 5, enabling U.S. defense agencies to benefit from the cost savings and rigorous security of the Microsoft Cloud. By deploying protected services including Azure Government, Office 365 U.S. Government, and Dynamics 365 Government, defense agencies can use a rich array of compliant services.

DoD Impact Level 5 Provisional Authorization

DISA Cloud Service Support has granted a DoD Impact Level 5 PA for Microsoft Azure Government for DoD. DISA has also granted Office 365 U.S. Government Defense a DoD Impact Level 5 PA. Impact Level 5 covers Controlled Unclassified Information (CUI) that is deemed by law, other government regulations, or the agency that owns the information to need a higher level of protection than Level 4 provides. It also covers unclassified National Security Systems.

DoD Impact Level 4 Provisional Authorization

DISA Cloud Service Support has granted a DoD Impact Level 4 PA for Microsoft Azure Government. This was based on a review of its FedRAMP authorizations and the additional security controls required by the Cloud Computing SRG. (FedRAMP is a US program that enables secure cloud computing for the government.)

Impact Level 4 covers Controlled Unclassified Information — data requiring protection from unauthorized disclosure under Executive Order 13556 (November 2010) and other mission-critical data. It may include data designated as For Official Use Only, Law Enforcement Sensitive, or Sensitive Security Information. This authorization enables US federal government customers to deploy these types of highly sensitive data on in-scope Microsoft government cloud services.

Covered services for DoD Impact Level 2 Authorization

Based on FedRAMP authorizations, DISA Cloud Service Support granted a DoD Impact Level 2 PA to the following services:

  • Azure and Azure Government Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) were granted this authorization based on the Provisional Authority to Operate (P-ATO) from the FedRAMP Joint Authorization Board.
  • Dynamics 365 U.S. Government Software as a Service (SaaS) was granted this authorization based on the Agency FedRAMP Authority to Operate (ATO) from the Department of Housing and Urban Development (HUD).
  • Office 365 U.S. Government was granted this authorization based on the Agency FedRAMP ATO from the Department of Health and Human Services (DHHS).

Impact Level 2 covers Non-Controlled Unclassified Information — data that is authorized for public release. It also covers other unclassified information that, while not considered 'mission critical,' still requires a minimal level of access control. This authorization enables US federal government customers to deploy non-sensitive information and basic defense applications and websites on in-scope Microsoft cloud services.

Audits, reports, and certificates

Once granted a DoD PA, Microsoft cloud services are monitored and assessed annually. See: Microsoft FedRAMP authorizations.

Fast track your deployment of DoD solutions on Azure

Get a head start on taking advantage of the benefits of the cloud in government with the Azure Security and Compliance Department of Defense Blueprint. This blueprint provides tools and guidance to get you started building DoD-compliant solutions today. Start using the Azure DoD Blueprint.

Frequently asked questions

Can I use Microsoft's compliance in my organization's certification process?

Yes. All DoD agencies may rely on the certifications of Microsoft cloud services as the foundation for any program or initiative that requires a DoD authorization. (This also applies to other organizations that support DoD and require cloud services.) However, you need to achieve your own authorizations for components outside these services.

Does Microsoft's DoD certification meet NIST 800-171 requirements?

In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit 'covered defense information' through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in nonfederal information systems and organizations, or an 'alternative, but equally effective, security measure' that is approved by the DoD contracting officer. And where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, such provider must meet security requirements that are equivalent to the FedRAMP Moderate baseline.

The following Microsoft cloud services have received a FedRAMP moderate authorization: Azure, Azure Government, Dynamics 365 U.S. Government, Office 365 MT, Office 365 U.S. Government, and Office 365 U.S. Government Defense.

Also, Microsoft offerings outside the FedRAMP-certified boundary that could potentially be used by DoD contractors to process, store, or transmit 'covered defense information' are undergoing a review to meet a December 31, 2017, compliance deadline. Microsoft is working to document how these internal and customer-facing services comply with NIST SP 800-171 or an acceptable security equivalent, to meet the relevant DFARS clauses.