This is the second post in our “FED UP” series. Check out the first, “How to Ensure Operational Governance for Microsoft Teams.”
Hi Everyone! Roxy here again with another post from the series Dux and I recently started, FED UP!
In this episode of FED UP we go over some of the major federal compliance standards and certifications that we are seeing customers bring up. This includes talking about FedRAMP, NARA, IRS 1075, and many others! We break down which Microsoft 365 applications are compliant today and which ones are coming. Be sure to check out the video below for all the details!
Dux: Hi everyone! Merry Christmas and Happy Holidays! Hey, Roxy!
Roxy: Hi everyone! Merry Christmas and Happy Holidays!
Dux: Where’re your Christmas decorations?
Roxy: You know, we’re a little minimalistic on this side. W
Dux: Alright, good! So, listen, thank you again for that first episode! I’ve gotten great feedback. People love the thought that we can provide bite-sized conversations on what’s top of mind for
So, in your world (the federal world), what are some of the top certifications in the cloud that a lot of your customers have to comply with?
Roxy: You know Dux, in my world, I would say there are a couple. There are some really really big ones, but I’ll just touch on a few, the first one being FedRAMP. There’s a lot of buzz around FedRAMP. FedRAMP is the most popular because as we look at IT modernization, we want to make sure that when we move away from these legacy systems and we’re standardizing this process, we have a kind of compliance that makes sure that that’s secure. There’s a certain level of authorization there, and we’re doing things in a more secure and efficient way for all of our customers. So FedRAMP is the biggest one, the first one. And then I’ll touch on IRS 1075.
When we’re looking at dealing with tax documents, or different numbers as it pertains to the tax world, we have to make sure that those are encrypted. And our customers are really really really big on making sure that they’re in compliance with that encryption. So that’s the second one.
The other two I’ll say that are pretty big when FedRAMP doesn’t play a part are SOC 1 and SOC 2. These are huge for making sure that those processes and controls are really secure so that customers who don’t have that FedRAMP compliance for certain products are still doing things in a secure manner. So, I think those are the four big buzz ones that I hear throughout my accounts right now.
Dux: You know for me, I work a lot with government customers across federal, state and local. For example, state and local is the CJIS compliance (the Criminal Justice Information Service). So that’s big for a lot of state and local, and then with
Now, in light of all this, how does Microsoft support your customers across the US government in light of all these different regulations? You know, customers ask me “What cloud? What kind of capability does Microsoft offer?” And I think this is a good opportunity for us to break down the different government clouds that Microsoft provides.
Roxy: Yeah, absolutely! Thanks, Dux. I mean, that is very very important because at Microsoft we’re very big on the fact that we have six government data centers. That’s a big deal for us because when you look at a lot of our competitors, they don’t really have that.
Then when you start looking at government in particular, you have the government community cloud, which is the GCC environment, and then you’re looking at the DoD cloud, and then you’re looking at GCC High. It’s just that the different clouds offer different levels of certification.
So if you’re talking to a federal civilian agency, they may not need that DoD cloud, they may just need the government community cloud which is still FedRAMP compliant and abides by all those other compliances. But it still offers them that level of security that commercial may not have today.
Dux: Let’s unpack that. You said GCC (Government Community Cloud). That, I assume, is not limited to Office 365, right? So for customers who still want Dynamics or Azure, that’s still available in the GCC as well.
Roxy: Yes, it is, absolutely. We’re looking at Office 365, Dynamics, Azure. That’s all available in GCC.
Dux: On top of being available, I think one important thing that customers have to know as well is that right now, it doesn’t necessarily mean all the capabilities that may typically be in what they call the “commercial” or “public” cloud are available in GCC. So for example, let me pick on Teams. Teams is now in the GCC which is great, but there’s still some functionality that’s not quite in Teams yet in GCC because it’s going through a FedRAMP certification and all that good stuff, right?
Roxy: Right, so as you look at connectors, bots, and Microsoft Stream and things of that sort, those functionalities are not available today in Teams. I’ll take Stream for example. Stream is still going through that FedRAMP process and will be available next calendar year, but it’s still going through that process to make sure that it is FedRAMP compliant so that when it does integrate with Teams, we’re compliant across the board. But connectors and bots, because there are certain connectors that are not FedRAMP, they’re just not available in GCC today.
Dux: And for those unfamiliar (with FedRAMP, I mean), I think it is great regulation compliance. But the way it works is
Roxy: It’s good though, so customers don’t have to sit and wonder, “Is this compliant?” “Can I use this?” “Does this work?” “Am I gonna kind of get out of my compliance factor when I touch this connector?” so it’s a really good thing.
Dux: Yeah, but then there’s this one other, essentially looming, activity that’s coming up with the NARA regulation. Roxy, maybe you can talk about what NARA is or NARA as an organization, what this regulation’s about, and specifically around records and retention.
Roxy: Yeah, absolutely. So as we look at NARA, a lot of my customers have the same questions:
- “Do we need to retain certain records?”
- “Do we need to retain emails?”
- “Do we need to retain physical documents?”
- “What are the regulations around that so that we can be, you know, kind of in lockstep with NARA?”
Those are all common questions that come up. NARA essentially provides basic guidance on how long we need to keep these documents, how long we need to retain these documents, and where they actually need to be stored (or how we need to keep them).
Dux: And there’s a deadline, right? By when federal agencies should be in compliance with this regulation? I believe it’s December 2019.
Roxy: Yeah, December 2019. And then depending on the agency, they can also tackle their own requirements on top of that initial NARA mandate and make it their own.
Dux: Awesome! So, with that, thank you again
Roxy: You know, in 2019, I’m really looking forward to this adoption that’s really happening with customers. Customers are just so excited
Dux: I love that word: the catalyst. Be the change agent. For me, just like you, just looking forward to another phenomenal year. You know, I’m grateful for 2018. Meeting you, meeting and seeing the world. But boy, there’s so much to come. And you know, in a sappy way, I’m always really excited that I’m a part of this transformation. Helping our customers, but more importantly impacting on a bigger scale. So, thank you, have a great Christmas and we’ll see you in 2019! Bye