United Kingdom Government-Cloud (G-Cloud)

UK G-Cloud overview

Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store, the Digital Marketplace. These enable public-sector organizations to compare and procure those services without having to do their own full review process. Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.

The G-Cloud appointment process was streamlined in 2014 to reduce the time and cost to the UK government, and the government's security classification scheme was simplified from six to three levels: OFFICIAL, SECRET, and TOP SECRET. (G-Cloud certification levels are no longer expressed as an Impact Level, or IL; Microsoft formerly held an IL2 accreditation for Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365.)

Instead of the central assessment of cloud services previously provided, the new process requires cloud service providers to self-certify and supply evidence in support of the 14 Cloud Security Principles of G-Cloud. This has not changed either the evidence Microsoft produces or the standards that the company adheres to.

Microsoft and UK G-Cloud

Every year, Microsoft prepares documentation and submits evidence to attest that its in-scope enterprise cloud services comply with the principles, giving potential G-Cloud customers an overview of its risk environment. (As with previous G-Cloud accreditation, it relies on the ISO 27001 certification.) A GDS accreditor then performs several random checks on the Microsoft assertion statement, samples the evidence, and makes a determination of compliance.

The appointment of Microsoft services to the Digital Marketplace means that UK government agencies and partners can use in-scope services to store and process UK OFFICIAL government data, which is most government data. In addition, there are now more than 450 Microsoft partners included in G-Cloud who are resellers of Microsoft cloud services. They can directly assert the compliance of in-scope services with the 14 principles in their own applications. Customers and partners, however, will need to achieve their own compliance for any components that are not included in the attestation and determination of compliance for Microsoft cloud services.

Microsoft in-scope cloud platforms & services

  • Azure
  • Microsoft Defender for Cloud Apps
  • Dynamics 365
  • Intune
  • Office 365
  • Power Automate (formerly Microsoft Flow) cloud service (either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite)
  • PowerApps cloud service (either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite)
  • Power BI cloud service (either as a standalone service or as included in an Office 365 branded plan or suite)

Office 365 and UK G-Cloud

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIB), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use of the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about the Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability | In-scope services
Commercial | Exchange Online, SharePoint Online, Skype for Business

Audits, reports, and certificates

To confirm that Microsoft cloud services maintain their compliance with G-Cloud agreements, the GDS accreditor may review evidence at any time, at its discretion.

Frequently asked questions

Who is eligible to use the Digital Marketplace?

All UK government departments, devolved administrations, local authorities, wider public-sector bodies, and arm's-length bodies are eligible to buy services in the marketplace. If you're uncertain of your eligibility, consult the current Crown Commercial Service suppliers guidance.

What is an arm's-length body?

It is an organization or agency that is funded by the UK government but acts independently of it.

What do local datacenter locations mean for UK customers, and where are they located?

The Microsoft Cloud in the UK provides reliability and performance combined with data residency in the UK. This support provides customers with trusted cloud services that help them meet local compliance and policy requirements. In addition, replication of data in multiple datacenters across the UK gives customers geo-redundant data protection for business continuity, for both pure cloud and hybrid scenarios. We have datacenters in multiple locations across the UK.

  • You can see the new Azure regions, UK West and UK South, on the global Azure map.
  • For Office 365, the UK datacenters collectively comprise the new UK Office 365 region. You can see more on the global Office 365 map.

Where are the other Microsoft EU datacenters located?

In addition to the UK datacenters, Microsoft cloud services have datacenters in multiple locations. For the most up-to-date list of all data locations, visit Data Residency in Azure.

How can I get copies of the auditor's reports?

The Service Trust Portal provides independently audited compliance reports. You can use the portal to request audit reports so that your auditors can compare the Microsoft results with your own legal and regulatory requirements.
