CMMC, Technology

DFARS Compliancy and Microsoft 365

An important component regarding information systems security is the specific cloud platform your organization utilizes. Many organizations have been digitally transformed over the last year- if not before the Covid-19 Pandemic. A popular option for cloud security and productivity is the Microsoft 365 Suite. While it comes with a broad range of benefits, will it meet the compliance requirements for your business operations?

The Defense Federal Acquisition Regulation Supplement (DFARS) compliancy for government contractors and subcontractors have specific requirements from your hosted providers. If your cloud service provider is used to store, process, or transmit any covered defense information, the cloud service provider will need meet a Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and comply with requirements in paragraphs (c) through (g) of DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

If your organization is currently leveraging the Office 365 Commercial environment as one of your cloud providers, it’s important to understand that the Microsoft commercial tenancy is not able to fully cover the requirements for this requirement. Specifically, DFARS requires the following two items which is not available in the commercial tenancy.

  • Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
  • Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

Microsoft has a specific offering to address these needs for the government contractor network. Microsoft’s Office 365 Government, GCC High, was established to provide the necessary security and media preservation systems to meet these requirements. Many of the same features and capabilities of Office 365 Commercial exist within Office 365 Government.  However, organizations benefit from the following features that are unique to Office 365 Government – GCC High:

  • Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services from Microsoft.
  • Your organization’s customer content is stored within the United States.
  • Access to your organization’s customer content is restricted to screened Microsoft personnel.
  • Office 365 Government – GCC High complies with certifications and accreditations that are required for US Public Sector customers.

Our team is equipped with the tools and resources to help guide you through the complete compliance preparation process. Speak with our experts today to learn how we can help you stay up to date with both DFARS and CMMC throughout its implementation.

Patrick Maese