Public Sector Blog

Microsoft Expands Support for the DIB – Announcing Support for DFARS in Microsoft 365 Government

RichardWakeman
Feb 23, 2021

Microsoft is furthering its commitment to U.S. Department of Defense (DoD) contractors and the Defense Industrial Base (DIB) by announcing support for Defense Federal Acquisition Regulation Supplement (DFARS) requirements for the Microsoft 365 Government (GCC) cloud service offering. This extends the existing commitment to support DFARS in the Microsoft 365 Government (GCC High) cloud service offering.


Microsoft 365 Government cloud offerings for GCC and GCC High both meet the applicable requirements of the DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information). Specifically, the requirements within the Clause that are applicable to the Cloud Service Provider (CSP) and their commitment to fulfill these requirements are provided in the table below.

DFARS Clause Requirements and the corresponding Microsoft Commitment:

(a) Definitions
Microsoft Commitment: Not applicable, as its purpose is to provide context for the document.

(b) Requirements pertaining to provision of adequate security
Microsoft Commitment: Microsoft has a Federal Risk and Authorization Management Program (FedRAMP) Moderate Authorization to Operate (ATO) for “Microsoft - Office 365 Multi-Tenant & Supporting Services”.

(c) Cyber incident reporting requirement
Microsoft Commitment: Microsoft implements multiple levels of incident monitoring and reporting functions that service the Office 365 platform. The Office 365 Trust and Incident Response Teams coordinate incident response planning capabilities and engage with response personnel in live incident activities. Office 365 service team personnel are required to report suspected security incidents to the Office 365 Security Incident & Response (SIR) team in near real time upon discovering a suspected security incident. In addition, the Office 365 SIR team reports incidents to designated authorities (including the U.S. Computer Emergency Readiness Team, “US-CERT”) consistent with NIST SP 800-61 Rev. 2, as documented in the Office 365 Security Incident Response Standard Operating Procedures (SOP). US-CERT and customers are notified per the IR SOP.

Office 365 has implemented a structured Incident Response SOP that identifies roles and responsibilities and Microsoft’s incident management process in alignment with NIST Special Publication 800-61 Rev. 2. The Incident Response SOP defines the personnel who manage the Incident Communications (ICC) process. Office 365 is responsible for notifying all affected parties. ICC opens an internal ticket for tracking notifications. Microsoft will report security incidents to the customer in accordance with its Incident Response processes. The customer is responsible for any additional reporting if required.

Incident investigation and analysis flow procedures are included within the Office 365 Incident Response Detection and Analysis phase. Within this flow, the triage, investigate, scope & classify, and communicate steps are addressed for each incident. Incident response personnel review triage events to determine whether they constitute a security incident and escalate the issue based on severity.

The Cyber Defense Operations Center (CDOC), the Security, Logging, Auditing, and Monitoring (SLAM) team, and the Microsoft Security Research Center (MSRC) support incident detection and response services for the Office 365 platform. Additional Microsoft resources are referenced in the Incident Response SOP. The Azure Commercial cloud services also provide incident response and reporting capabilities for Office 365.

(d) Malicious software
Microsoft Commitment: Upon detection of suspected malicious software, Microsoft promptly escalates an incident to the SIR team. The Incident Response SOP is activated, and cyber incident reporting mechanisms are implemented based on the severity of the incident and Office 365 service notification requirements.

Malicious software prevention mechanisms are provided by Azure Commercial, together with the restricted ports, protocols, and services configured for the Office 365 platform. Microsoft implements stringent system hardening, configuration management, and software development procedures to control software produced and executed within the Microsoft Office 365 platform. Several stages of software development activities are tested outside the production system, and deployment of code into production follows a series of peer code reviews and manager approval. Significant changes require Change Approval Board (CAB) approval.

Detection of malicious software may come from:

  1. Audit monitoring services (e.g., SLAM), which provide alerts to Microsoft On-Call Engineers 24x7 on detection of events that may have resulted from malicious software;
  2. Patch, Antivirus, Vulnerability, and Compliance (PAVC) services, which provide vulnerability scanning and system security benchmark compliance checks;
  3. Host-based anti-malware products such as Microsoft Endpoint Protection (MEP), System Center Endpoint Protection (SCEP) or Symantec Endpoint Protection (SEP), and ClamAV, to detect malicious code;
  4. Other service monitoring tools that track environmental factors (e.g., CPU and memory usage, network traffic volume).

(e) Media preservation and protection
Microsoft Commitment: The Microsoft Office 365 Incident Response SOP addresses preservation of evidence during triage events. The O365 SIR team comprises security investigators with industry-leading subject matter expertise in evidence gathering and forensic investigation. The SIR team drives the process of identifying, acquiring, and preserving the data. For all investigation matters involving legal chain of custody and evidentiary preservation in support of law enforcement engagement, the O365 SIR team consults with internal groups such as the Law & Corporate Affairs (LCA) Online Compliance Investigations team and leverages their capabilities. Preservation of evidence occurs in a secure location as constrained by customer contracts and federal regulations. Office 365 audit policy requires audit log retention for one year. Audit log data is retained in Microsoft’s Cosmos data repository, which prevents modification of log data. Microsoft policy requires preservation and protection of all relevant forensic data of known affected information systems in support of an incident. Any relevant monitoring/packet capture data must be gathered and retained by the customer.

Office 365 also works with Azure Commercial to preserve and protect system physical media, as required.

(f) Access to additional information or equipment necessary for forensic analysis
Microsoft Commitment: Microsoft implements the Media Preservation and Protection sub-clause (e) to make audit log data available for additional forensic analysis. It is Microsoft policy to provide appropriate additional access to any relevant forensic information upon request by the customer.

(g) Cyber incident damage assessment activities
Microsoft Commitment: Microsoft implements the Media Preservation and Protection sub-clause (e) to make audit log data available for additional forensic analysis.

(h) – (j)
Microsoft Commitment: Not applicable, as the onus is on the DoD for these requirements.

(k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.
Microsoft Commitment: All in-scope applicable laws and regulations covered by FedRAMP (and other) authorizations are being met as they pertain to the interception, monitoring, access, use, and disclosure of electronic communications and data. For details as they pertain to customers, refer to the publicly available Microsoft Online Services Terms and service level agreements.

(l) Other safeguarding or reporting requirements
Microsoft Commitment: Microsoft requires all contractors and subcontractors to safeguard data and report cyber incidents in accordance with the prescribed methods and timelines defined by Microsoft policies and procedures, whether pertaining to its unclassified information systems (as required by other applicable clauses) or as a result of other applicable U.S. Government statutory or regulatory requirements.

(m) Subcontracts
Microsoft Commitment: While this portion is only applicable to Government contracts, Microsoft maintains its commitment to including the required language regarding DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information) in contracts and subcontracts.

Microsoft 365 Government cloud offerings for GCC and GCC High have been validated by independent, third-party attestation and provide our DIB and defense contractor customers services designed to meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to CSPs. Defense contractors required to include the DFARS clause 252.204-7012 in contracts can have confidence that Microsoft is able to accept the flow down terms applicable to cloud service providers (CSPs) covered by our FedRAMP authorizations. This is significant as the DoD and its mission partners continue to expand adoption of commercial cloud computing in support of contracts for programs and mission systems.


Note: While Microsoft 365 Government (GCC) meets the CSP requirements for DFARS 7012, this by itself will not be the deciding factor in choosing which environment is most appropriate. Most DIB companies are best aligned with the US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High) for data handling of Controlled Unclassified Information (CUI). For more information, please refer to:
Understanding Compliance Between Microsoft 365 Commercial, Government and DoD Offerings

Appendix

Please follow me here and on LinkedIn. Here are my additional blog articles (blog title, followed by its aka link):

New! ND-ISAC MSCloud - Reference Identity Architectures for the US Defense Industrial Base
https://aka.ms/ND-ISAC/IdentityWP

Microsoft CMMC Acceleration Update
https://aka.ms/CMMC/Acceleration

History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government
https://aka.ms/USSovereignCloud

Gold Standard! Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings
https://aka.ms/MSGovCompliance

The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In
https://aka.ms/AA6frar

Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants
https://aka.ms/AA6seih

Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants
https://aka.ms/AA6vf3n

Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring
https://aka.ms/AA6xn69

Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty
https://aka.ms/CUISovereignty

Microsoft expands qualification of contractors for government cloud offerings
https://aka.ms/GovCloudEligibility

Updated Nov 03, 2023
Version 2.0