Moving to GCC High

Written By John Igbokwe

Microsoft provides multiple Microsoft 365 Government offerings to address the compliance requirements of various US government agencies and contractors sponsored to hold controlled, unclassified information.

Microsoft has committed that its Microsoft 365 Government GCC High offering infrastructure is compliant with ITAR, DFARS, and DOD SRG L4 Controls - https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/microsoft-365-government-how-to-buy

A company needs to be approved by Microsoft as a Category 3 Entity before the company can be allowed to purchase GCC High licenses. To apply to be approved by Microsoft as a Category 3 Entity, follow the steps below:

Go to this link to apply for the Gov cloud eligibility: https://azuregov.microsoft.com/general (Select “Customers handling government-controlled data”)

Please note you will be required to provide one of the following:

·       A sponsor letter directly from a valid US Government entity specifying such requirements by a data owner and the duration of the requirement which is has been signed within the last 12 months.  This must be on the US Government entity’s letterhead, signed by the government representative, and specify the controlled data type (CUI, ITAR, CJIS, UCNI, etc.). 

·       A contract indicating the regulated data requirement as part of the delivery.

·       DDTC DS 2032 ITAR Registration Form

Typically, after you complete this step and are approved, you will get a Category 2 Entity approval from Microsoft. To receive category 3 Entity approval, reply the Category 2 approval email you received from Microsoft and ask to be re-validated for Category 3.

Provide one of the following required supporting docs to USGCCE@microsoft.com when asking to be re-validated for Category 3:

  • A signed contract (ink or certified electronic) indicating the regulated data requirement as part of the delivery (direct or indirect).  Please note, the data owner entity name must be visible.

  • A sponsor letter specifying the regulated data requirements and the duration of the requirement, which has been signed within the last 12 months.  This must be from a valid US Government entity or previously approved Category 3 entity holding the same data type, on the sponsor entity letterhead, signed by sponsor (ink or certified electronic), and specify the controlled data type (CUI, ITAR, CJIS, UCNI, etc). 

John Igbokwe https://techaxia.com
Previous

Is GCC High Required for CUI?
Next

How To Setup a Hybrid AD When Users Already Exist in M365