Office 365 GCC High and DoD

To meet the unique and evolving requirements of the United States Department of Defense, as well as contractors holding or processing DoD controlled unclassified information (CUI) or subject to International Traffic in Arms Regulations (ITAR), Microsoft offers GCC High and DoD environments. Available through Volume Licensing, interested organizations go through a validation process to ensure eligibility before an environment is established. Trials are not available at this time.

Please engage your account team or preferred partner to learn more or initiate the validation process. For more information on how to buy, see Microsoft 365 Government - How to Buy.

How to use this service description section

The Office 365 US Government service description is designed to serve as an overlay to the general Office 365 service description. It defines the unique commitments and differences compared to Office 365 Enterprise offerings.

Compliance

GCC High and DoD meet the compliance requirements for the following certifications and accreditations:

  • The Federal Risk and Authorization Management Program at a Moderate baseline (FedRAMP Moderate), including those security controls and control enhancements as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.

  • The security controls and control enhancements for United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 5 (L5).

Department of Defense subscribers to Office 365 will receive services provided from the DOD exclusive environment that meets DOD SRG L5. Non-Department of Defense subscribers will receive services from the US Government Defense environment which is assessed at L5, but uses L4 segmentation.

Background screening

Office 365 staff do not have standing access to GCC High and DoD production. Any staff who request temporary permission elevation which would grant access to customer content must first have passed the following background checks.

Microsoft Personnel Screening and Background Checks1
Description
U.S. Citizenship
Verification of U.S. citizenship
Employment History Check
Verification of seven (7) year employment history
Education Verification
Verification of highest degree attained
Social Security Number (SSN) Search
Verification that the provided SSN is valid
Criminal History Check
A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
Office of Foreign Assets Control List (OFAC)
Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions
Bureau of Industry and Security List (BIS)
Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
Office of Defense Trade Controls Debarred Persons List (DDTC)
Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
Fingerprinting Check
Fingerprint background check against FBI databases
Department of Defense IT-2
Staff requesting elevated permissions to customer data or privileged administrative access to Dept of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation

1 Applies only to personnel with temporary or standing access to customer content hosted in Office 365 US GCC-High or DOD clouds.

Feature nuances based on compliant cloud architecture

Office 365 subscriptions in the GCC High and DoD environments include the core Exchange Online, SharePoint Online, and Skype for Business features. Given the increased certification and accreditation of the infrastructure, there are some feature differences between the general commercial Office 365 offerings and those available in GCC High and DoD.

Exchange Online

Exchange Online Unified Messaging Support for On-Premises IP-PBX - Support for integrating on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported in GCC High and DoD subscriptions.

SharePoint Online

Document sharing - SharePoint Online and OneDrive for Business enable seamless information sharing and collaboration between users and teams. Document owners can provide other users with access to their documents through the web interface or modern attachments in Outlook. When sharing a document, there are multiple options for managing permissions:

  1. Only me

  2. Anyone within my company

  3. Anyone with this link

  4. Specific people

Customers using SharePoint Online and OneDrive for Business in the GCC High or DoD environments can keep documents private (first option), share with anyone in their organization (second option), share with anyone who has the link to the document (third option), and share with specific people (fourth option). These options can be restricted based on tenant-level access controls as well.

When sharing with specific people, SharePoint will verify that users are the intended recipients of a link by sending them a one-time passcode to the email address that was shared to. However, when a GCC-High tenant shares with another GCC-High tenant, a Guest account will be created for the recipient in Azure AD, and they will sign in with their username and password.

Other examples:

  • GCC High tenant A can share with GCC High tenant B, and B users sign in using Azure AD username and password.

  • Non-GCC High tenant C can share with GCC High tenant A or B, and A or B users sign in using one-time passcodes.

  • GCC High tenant A or B can share with Non-GCC High tenant C, and C users sign in using one-time passcodes.

Additionally, non-GCC High email addresses attached to user profiles are not supported and will not allow alert emails to be sent. For example, on premises User A is assigned a Gmail email address and then synced to Azure GCC High tenant. User A navigates to a library and creates an alert for any changes. The alert will not be sent to the Gmail address.

External Application Access - Connections to external applications such as data sources for Add-Ins are limited to sources that are located within the system security boundaries supported by GCC High and DoD.

Business Connectivity Services - BCS functionality is supported for connectivity scenarios in which the data sources remain reachable within the security boundary for your cloud service.

Sandbox Solutions - This feature has been deprecated and is not available. Any sandboxed solutions should be migrated to the SharePoint Add-in extensibility model .

Skype for Business Online

PSTN Calling & PSTN Conferencing - Due to the requirement to use the Public Switched Telephone Network (PSTN) for telephony-oriented services, PSTN Calling & PSTN Conferencing services are currently not available in GCC High and DoD.

Microsoft Teams

Phone System and Audio Conferencing (via Direct Routing): Phone System and Audio Conferencing for GCC High and DoD environments are being delivered via Direct Routing. For more information, see the service level documentation here:

Identity

Multi-factor authentication using a federated identity model enables the use of PIV and CAC cards.

Yammer

Yammer Enterprise is not available in the GCC High and DoD environments.

Customer support

Microsoft reminds you not to share any controlled, sensitive, or confidential information with customer support personnel as part of your support incident when using Office 365 GCC High/DOD, at least until you confirm the support agent's authorization to view or access such data.

Microsoft is committed to protecting your privacy). However, Office 365 GCC High/DoD support is not included in the service accreditation boundary and does not provide FedRAMP, DOD SRG, ITAR, IRS 1075, or CJIS data handling compliance assurances.