Office 365 GCC High and DoD
To meet the unique and evolving requirements of the United States Department of Defense, as well as contractors holding or processing DoD controlled unclassified information (CUI) or subject to International Traffic in Arms Regulations (ITAR), Microsoft offers GCC High and DoD environments. Available through Volume Licensing, interested organizations go through a validation process to ensure eligibility before an environment is established. Trials aren't available at this time.
Engage your account team or preferred partner to learn more or initiate the validation process. For more information on how to buy, see Microsoft 365 Government - How to Buy.
How to use this service description
The Office 365 US Government service description is designed to serve as an overlay to the general Office 365 service description. It defines the unique commitments and differences compared to Office 365 for enterprise offerings.
Office 365 GCC High and DoD meet the compliance requirements for the following certifications and accreditations:
Office 365 GCC High and DoD: Is assessed using the National Institute of Standards and Technology (NIST) Special Publication 800-800-53 controls at a FIPS 199 High Categorization.
Office 365 DoD: The security controls and control enhancements for United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 5 (L5).
Per the DoD requirements, only Department of Defense entities might purchase licenses for the Office 365 DoD environment that is certified as DoD SRG L5. Non-Department of Defense entities who meet the appropriate eligibility requirements might purchase licenses for the Office 365 GCC High environment that is assessed using NIST SP 800-53 controls at a FIPS 199 High Categorization and can demonstrate equivalency to IL4 or necessary inheritance for CMMC.
Office 365 staff don't have standing access to GCC High and DoD production. Any staff who requests temporary permission elevation that would grant access to customer content must first have passed the following background checks.
|Microsoft personnel screening and background checks1
|Verification of U.S. citizenship
|Employment History Check
|Verification of seven (7) year employment history
|Verification of highest degree attained
|Social Security Number (SSN) Search
|Verification that the provided SSN is valid
|Criminal History Check
|A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
|Office of Foreign Assets Control List (OFAC)
|Validation against the Department of Treasury list of groups with whom U.S. persons aren't allowed to engage in trade or financial transactions
|Bureau of Industry and Security List (BIS)
|Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
|Office of Defense Trade Controls Debarred Persons List (DDTC)
|Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
|Fingerprint background check against FBI databases
|Department of Defense IT-2
|Staff requesting elevated permissions to customer data or privileged administrative access to Dept of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation
1 Applies only to personnel with temporary or standing access to customer content hosted in Office 365 US GCC-High or DOD clouds.
Feature nuances based on compliant cloud architecture
Subscriptions in the GCC High and DoD environments include the core Exchange Online, SharePoint, and Skype for Business features. Given the increased certification and accreditation of the infrastructure, there are some feature differences between the general commercial Office 365 offerings and those available in GCC High and DoD.
Exchange Online Unified Messaging Support for On-Premises IP-PBX - Support for integrating on-premises IP-PBX systems with Exchange Online Unified Messaging isn't supported in GCC High and DoD subscriptions.
Users have multiple options for sharing files and folders in SharePoint and OneDrive. All the options are available in the GCC High and DoD environments. For more information about managing these options, see Manage sharing settings. Users in GCC-High will be able to share only with other organizations in GCC-High. Additionally, NON-GCC High email addresses attached to user profiles aren't supported and won't allow alert emails to be sent. For example, on premises User A is assigned a Gmail email address and then synced to an Azure GCC High organization. User A navigates to a library and creates an alert for any changes. The alert won't be sent to the Gmail address.
Users in GCC-High are currently unable to share with users using Office 365 operated by 21Vianet.
File requests aren't available for Office 365 Government.
Skype for Business Online
PSTN Calling & PSTN Conferencing - Due to the requirement to use the Public Switched Telephone Network (PSTN) for telephony-oriented services, PSTN Calling & PSTN Conferencing services are currently not available in GCC High and DoD.
Phone System and Audio Conferencing (via Direct Routing) - Phone System and Audio Conferencing for GCC High and DoD environments are being delivered via Direct Routing. For more information, see the service level documentation here:
Multifactor authentication using a federated identity model enables the use of PIV and CAC cards.
Viva Engage for enterprise isn't available in the GCC High and DoD environments.
Microsoft reminds you not to share any controlled, sensitive, or confidential information with customer support personnel as part of your support incident when using Office 365 GCC High/DOD, at least until you confirm the support agent's authorization to view or access such data.
Microsoft is committed to protecting your privacy). However, Office 365 GCC High/DoD support isn't included in the service accreditation boundary and doesn't provide FedRAMP, DOD SRG, ITAR, IRS 1075, or CJIS data handling compliance assurances.