How to Educate Clients on Microsoft 365 Government Community Cloud (GCC) Levels

Microsoft 365 Government Community Cloud

Estimated Reading Time: 5 Minutes

Helping Clients Meet Compliance & Security Requirements

Organizations in highly regulated industries and the public sector must meet a variety of compliance and security requirements; to do that, many turn to Microsoft 365 (M365) because the cloud computing environment offers familiar services, such as Office applications, Microsoft Teams, and Azure Active Directory. The Government Community Cloud (GCC) level provides additional security and compliance features to help organizations comply with a wide range of industry regulations and meet high security standards.

M365 GCC is hosted in Microsoft’s government-only cloud environment, separate from the public cloud, to ensure an additional layer of security. It offers three levels to meet the needs of different stakeholders, including federal, state, and local government agencies, as well as cloud service providers (CSPs), systems integrators (SIs), and other organizations operating in heavily regulated industries. Misunderstanding these levels and what they provide can result in your clients facing compliance-related issues unnecessarily. By educating your clients, you can help them mitigate these risks, use the correct GCC environment, and choose a cloud backup and recovery solution that meets these requirements.

For managed service providers (MSPs), educating clients on the M365 GCC levels is critical because it directly impacts client compliance, security, and overall operational efficiency. Frequently, MSPs find themselves speaking with clients who need help understanding which GCC level they belong in. It’s common for clients to think they need to be at a higher level than required to meet their use case, creating unnecessary complexity and expense. This blog provides clear talking points to help educate your clients and identify the correct GCC environment based on their needs and requirements.

Government Community Cloud

Microsoft offers GCC cloud computing platform to US government agencies, contractors, and other organizations that need to meet strict compliance requirements. GCC is a more secure version of Microsoft 365, but the three environments (GCC, GCC High, and DoD) each provide distinct levels of security and meet different compliance frameworks. Helping your clients understand the different GCC levels within M365 can help them choose the right environment for their specific needs.

Key differences between the different GCC levels

GCC is a segregated environment of Azure Commercial designed for general government and vendor users. It’s available at a lower cost and meets FedRAMP Moderate requirements, the Defense Federal Acquisition Regulation Supplement (DFARS), the Department of Defense’s Cloud Computing Security Requirements Guide (CC SRG) Level 2, and the Federal Bureau of Investigation’s Criminal Justice Information Service (CJIS) State. This environment is available to federal, state, and local government (SLG), tribes, and eligible contractors. It has data locations in the Continental United States (CONUS) only. This was referred to as Moderate and IL2 in the past, but Microsoft is trying to reduce confusion by calling it simply GCC. Most of the clients you interact with will fall into the GCC level.

GCC High is in the Azure Government network. In addition to meeting the requirements for GCC, it also meets FedRAMP high requirements. It is intended for high-security clearance users and adds support for International Traffic in Arms Regulation (ITAR)/Export Administration Regulations (EAR), Impact Level 4, and CJIS Federal. It also provides support using only US-based restricted personnel.

DoD is also in the Azure Government network but is available only for the DoD and their approved service providers. It meets all the preceding requirements but adds support for Impact Level 5 (IL5), which is controlled unclassified information (CUI) that requires a higher level of protection than provided by IL4. DoD does not include a CJIS agreement.

Key differences between the different GCC levels

Meeting Secure Cloud Service Requirements

The Federal Risk and Authorization Management Program (FedRAMP®) was created to provide a standardized approach to security authorizations for Cloud Service Offerings (CSOs). As cyber threats have grown more sophisticated, it has become increasingly important to use FedRAMP-compliant cloud products and services. Meeting multiple data privacy regulations and security frameworks can be overwhelming for your clients. Choosing the right cloud provider to work with can be even more challenging if you don’t understand what the FedRAMP impact levels include.

FedRAMP provides security assessment and authorization for cloud computing products and services that process unclassified federal information. CSOs are categorized at different impact levels (Low, Moderate, and High). For Low impact data, there are two baselines (Tailored LI-SaaS Baseline and Low Baseline). When loss of confidentiality, integrity, and availability would result in minimal adverse effect on an agency’s operations, these low baselines are appropriate.

Almost 80% of cloud service provider (CSP) applications receive Moderate authorization; it is the standard for cloud computing security CUI across federal government agencies. High impact is typically used only for law enforcement and emergency services systems — areas where loss of confidentiality, integrity, or availability could result in catastrophic adverse effects. GCC is typically the best choice for local governments, municipalities, healthcare, law firms, and finance organizations. In addition to helping clients identify the correct GCC environment based on their security requirements, it’s also important to ensure that they use cloud backup and recovery that meets the same rigorous requirements.

Who Requires GCC?

Local governments and municipalities: Local governments, such as cities, counties, and school districts, often need to store and process sensitive data, such as citizen information and financial data. GCC meets the compliance requirements of most local governments.

Healthcare organizations: Hospitals, clinics, and doctor’s offices often need to store and process sensitive data, such as patient information and medical records. For most healthcare organizations, choosing GCC will enable them to meet relevant industry compliance requirements.

Law firms: Law firms often need to store and process sensitive data, such as client information and legal documents. GCC also meets the compliance requirements of most law firms.

Finance organizations: Finance organizations, such as banks, investment firms, and accounting firms, often need to store and process sensitive data, such as customer information and financial data. Most finance organizations can rely on GCC to meet data privacy and security compliance requirements.

Secure, Scalable Cloud Backup & Recovery

Authorization to Operate (ATO) is a formal approval from a federal agency that a CSO meets the security and compliance requirements of FedRAMP by undergoing a rigorous assessment process conducted by a third-party assessor. This means that federal agencies do not need to conduct tsheir own security assessments of CSOs that have already been authorized by FedRAMP.

Dropsuite’s GovCloud Backup and Archiving solutions are FedRAMP ATO at the Moderate Impact Level, offering a dedicated US-based team to oversee the operations of the infrastructure. Dropsuite meets the same security requirements as GCC using Amazon Web Services (AWS) GovCloud. Importantly, this ensures that the data held in that environment is isolated from M365, ensuring the backup is available even if M365 is not.

GovCloud Backup also provides easy and automated backup and restore of sensitive and classified data in the cloud, allowing your clients to download, restore, and migrate data with a single click. In addition, clients incur no ingress or egress fees for moving or transferring data. Dropsuite also provides granular role-based access control to ensure that no users have unauthorized access to sensitive information. GovCloud Backup ensures that disaster recovery is secure and straightforward without putting any data at risk.

Help Clients Understand GCC & Why It’s Important

Understanding the GCC levels in Microsoft 365 is indispensable for your clients, especially for those bound by stringent compliance requirements. Many clients must adhere to GCC compliance requirements due to the nature of the data they handle. GCC offers enhanced security features that exceed what’s available in standard commercial offerings and aligns closely with compliance frameworks, including FedRAMP. This focus on security and compliance reduces the risk of breaches and the potentially devastating repercussions of cyberattacks. As an MSP, you are vital in guiding your clients toward cloud storage and backup solutions that align with these requirements. Ensuring that your clients fully understand and choose the appropriate GCC environment protects them from the consequences of compliance violations and enhances their overall data security posture.

Talk to our experts to learn how Dropsuite’s GovCloud Backup meets GCC requirements to provide secure, compliant cloud data backup and recovery for the public sector.

Share on