Choosing the Best Microsoft Licensing Option for DoD Compliance

May 20, 2021

As a contracted organization in the supply chain, manufacturing, Department of Defense (DoD) or aerospace realms, you need to be sure the licensing option you choose complies with Department of Defense standards and requirements. Generally, this means your technologies must protect Controlled Unclassified Information (CUI) and be able to prove that they are compliant with NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC).

There are many options when it comes to Microsoft products and licensing options, and the best one for your organization might not be apparent right away. It’s important to understand the differences between Microsoft GCC and Microsoft GCCH, as well as the E3, E5, and F5 licensing options for Microsoft 365.

In order to help you make the best decision for your organization, we will be detailing the differences between each licensing option and how they fit into your compliance standards.

First, let’s touch on what NIST 800-171 and CMMC compliance means.

NIST 800-171 Compliance

NIST 800-171 is a Special Publication that offers the security measures an organization should take in order to protect the confidentiality of CUI. It’s important for organizations in the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal/state agency supply chains to implement these security measures and protect the information in their defense contracts.

CMMC Compliance

Cybersecurity Maturity Model Certification (CMMC) goes hand in hand with NIST 800-171, but it increases compliance requirements for organizations at different “levels”:

  • CMMC Level 1: Addresses FAR 52.204-21 cybersecurity principles.
  • CMMC Level 2: Includes CMMC Level 1 requirements; addresses a little over half of NIST 800-171 controls.
  • CMMC Level 3: Includes CMMC Level 2 requirements; addresses all NIST 800-171 controls and a few others.
  • CMMC Levels 4 & 5: CMMC Levels 4 & 5 build off CMMC Level 3 and include controls from a range of frameworks:
    • CERT RMM v1.2
    • NIST SP 800-53
    • NIST SP 800-172
    • ISO 27002
    • CIS CSC 7.1
    • “CMMC”-specific practices that are not attributed to any existing framework.

Microsoft GCC

How does Microsoft GCC Fit into DoD CUI Security Requirements?

Microsoft Government Community Cloud (GCC) is a version of Microsoft 365 that was adapted specifically for government entities. It has many of the same features as the commercial version (Enterprise Mobility and Security, Intune, Compliance Center, Cloud App Security, Azure Information Protection and the various Advanced Threat Protection (ATP) tools), but GCC data centers reside only in the continental United States.

GCC includes the following compliance frameworks:

  • DFARS 252.204-7012 (Excluding flow downs – Microsoft will not attest to their compliance)
  • DoD SRG Level 2 (with no provisional authority)
  • FBI Criminal Justice Information Services
  • FedRAMP Moderate (Accredited)

How Does GCC Perform Employee Background Checks?

GCC personnel undergo thorough background checks that meet various federal, state, and local government requirements:

  • U.S. Citizenship Verification
  • Employment History – Previous seven years
  • Education Verification – Highest completed degree
  • Social Security Number Verification
  • Criminal History – Checks previous seven years of records for felony and misdemeanor offenses at the federal, state, county, and local levels
  • Office of Foreign Assets Control List (OFAC) – Ensures applicant is not barred from engaging in trade or financial transactions in the United States
  • Bureau of Industry and Security List (BIS) – Ensures applicant is not barred from engaging in export activities in the United States
  • Office of Defense Trade Controls Debarred Persons List (DDTC) – Ensures applicant is not barred from engaging in export activities related to the defense industry in the United States
  • Fingerprint Check (FBI Databases)
  • Criminal Justice Information Services Background Screening – Reviews applicant’s federal and state criminal history (by state that has signed up for the Microsoft CJIS IA program)

What Limitations Does Microsoft GCC Have?

GCC cannot be implemented in most organizations that are required to follow International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), or that handle most categories of CUI and Covered Defense Information (CDI).

This is because GCC uses Azure Commercial, which is a global product and can therefore be accessed by citizens of other countries.

Licensing Options for Microsoft GCC

Microsoft has three licensing options for their customers: E1, E3, and E5. Within those licensing options are options for Mobility and Security Licensing and Operating System Licensing.

The E3 license is the minimum standard for all users to ensure compliance. E1 does not include Data Loss Prevention, although it can be added separately.

Mobility and Security Licensing has two variations:

  • EM+S E3
    • Azure AD Premium P1
    • Azure Information Protection Premium P1
    • Microsoft Intune
    • Azure Multi-Factor Authentication
  • EM+S E5
    • Azure AD Premium P1
    • Azure Information Protection Premium P1
    • Microsoft Intune
    • Azure Multi-Factor Authentication
    • Azure AD Premium P2
    • Azure Information Protection Premium P2
    • Microsoft Cloud App Security
    • Azure Advanced Threat Protection

Mobility and Security Licensing is required if your organization allows users to receive emails on a mobile device.

There are two types of Operating System Licenses for Microsoft GCC:

  • Windows 10 Enterprise E3
    • Manage Windows Store Access
    • Manage Consumer Experiences
    • Cortana Management
    • Microsoft Dynamic Management
    • AppLocker
    • Microsoft Application Virtualization (App-V)
    • Microsoft User Environment Virtualization (UE-V)
    • Direct Access
    • Device Guard
    • Credential Guard
    • Windows to Go
    • BranchCache
    • Microsoft Desktop Optimization Pack
  • Windows 10 Enterprise E5
    • All of the above, plus Windows Defender Advanced Threat Protection

Microsoft developed another version of Microsoft GCC that has additional security features for entities that are contracted by the federal government and must comply with DoD security requirements.

Microsoft GCCH

What is Microsoft GCCH?

Microsoft GCCH (Government Community Cloud High) is essentially a replica of the Microsoft 365 environment that was created specifically for the Department of Defense, but it is open to entities that are contracted by the federal government. GCCH meets the compliance requirements of NIST 800-171, the Federal Risk and Authorization Management Program (FedRAMP), ITAR, and CUI.

Microsoft GCCH can only be used by organizations in the Defense Industrial Base (DIB), DoD contractors, and federal agencies. Any organization that wishes to use GCCH must be approved by Microsoft to do so.

What are the Limitations of Microsoft GCCH?

With the added security features, there is an unfortunate loss of Commercial features. For example, Microsoft Defender ATP, Cloud App Security, and Intune are missing a few functions that their Commercial counterparts have.

There are a few reasons for this discrepancy:

  1. GCCH features must be approved by the DoD.
  2. Many GCCH applications need a staff that has passed the DoD IT-2 adjudication.
  3. Some Microsoft applications fail to meet DoD compliance requirements. Critical tools are essentially rebuilt to meet said requirements, while others are left behind.

How does GCCH Complete DoD Background Checks?

Microsoft GCCH completes background checks in the same manner as Microsoft GCC, with one additional check:

  • Department of Defense IT-2 – If an applicant’s job requires them to access customer data or DoD SRG L5 service capacities, they must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation.

Licensing Options for Microsoft GCCH

There are three licensing options for customers that use Microsoft GCCH: E1, E3, and E5. Within those licensing options are options for Mobility and Security Licensing and Operating System Licensing.

E1

  • Azure AD Basic
  • SharePoint Online Plan 1
  • Exchange Online Plan 1
  • Skype for Business Online Plan 1
  • Skype for Business Online Plan 2
  • Exchange Online Protection
  • OneDrive for Business Plan 1

E3 – All of the above, plus

  • SharePoint Online Plan 2
  • Exchange Online Plan 2
  • OneDrive for Business Plan 2
  • Office Pro Plus

E5 – All of the above, plus

  • Compliance Manager (NIST 800-171 and CMMC)
  • Advanced Threat Protection
  • Advanced eDiscovery
  • Threat Intelligence
  • Advanced Security Management
  • PowerBI Pro

Mobility and Security Licensing has two variations:

  • EM+S E3
    • Azure AD Premium P1
    • Azure Information Protection Premium P1
    • Microsoft Intune
    • Azure Multi-Factor Authentication
  • EM+S E5
    • Azure Cloud App Security
    • Azure AD Premium P1
    • Azure Information Protection Premium P1
    • Microsoft Intune
    • Azure Multi-Factor Authentication
    • Azure AD Premium P2
    • Azure Information Protection Premium P2

Mobility and Security Licensing is required if your organization allows users to receive emails on a mobile device.

There are two types of Operating System Licenses for Microsoft GCCH:

  • Windows 10 Enterprise E3
    • Manage Windows Store Access
    • Manage Consumer Experiences
    • Cortana Management
    • Microsoft Dynamic Management
    • AppLocker
    • Microsoft Application Virtualization (App-V)
    • Microsoft User Environment Virtualization (UE-V)
    • Direct Access
    • Device Guard
    • Credential Guard
    • Windows to Go
    • BranchCache
    • Microsoft Desktop Optimization Pack
  • Windows 10 Enterprise E5
    • All of the above, plus Windows Defender Advanced Threat Protection

Final Thoughts

The Microsoft licensing option for your organization will be partly based on the security measures that you have to comply with, and partly based on your unique needs. Contact Planet Technologies for assistance with purchasing the correct Microsoft licensure for your government contracted organization.