Since announcing our Azure Government DoD Region Preview last week at Microsoft’s Government Cloud Forum, we have had overwhelming interest from customers and partners in participating. We’ve spent time compiling answers to the most frequently ask questions we’ve heard to help customers and partners understand what this unprecedented investment from Microsoft means to the Department of Defense and its partners and how to qualify for access to the environment.
What are the Azure Government DoD Regions?
The US DoD East and US DoD Central regions are physically separated regions of Microsoft Azure architected to meet US Department of Defense (DoD) security requirements for cloud computing, specifically for data designated as DoD Impact Level 5 per the DoD Cloud Computing Security Requirements Guide (SRG).
What is the difference between Azure Government and the Azure Government DoD Regions?
Azure Government is a US government community cloud providing services for Federal, State and Local government customers, tribal, entities subject to ITAR, and solution providers performing work on their behalf. All Azure Government regions are architected and operated to meet the security requirements for DoD Impact Level 5 data and FedRAMP High standards.
The Azure Government DoD regions are architected to support the physical separation requirements for Impact Level 5 data by providing dedicated compute and storage infrastructure for the use of DoD customers only.
What is the difference between Impact Level 4 and Impact Level 5 data?
Impact Level 4 data is controlled unclassified information (CUI) that may include data subject to export control, privacy information protected health information and other data requiring explicit CUI designation (e.g. For Official Use Only, Law Enforcement Sensitive, Sensitive Security Information).
Impact Level 5 data includes controlled, unclassified information (CUI) that requires a higher level of protection as deemed necessary by the information owner, public law or government regulation. Impact Level 5 data is inclusive of unclassified National Security Systems. More information on the SRG impact levels, their distinguishing requirements and characteristics is available in section 3 of the DoD Cloud Computing Security Requirements Guide.
What is Microsoft doing differently to support Impact Level 5 data?
Impact Level 5 data by definition can only be processed in a dedicated infrastructure that ensures physical separation of DoD customers from non-Federal government tenants. In delivering the US DoD East and US DoD Central regions, Microsoft is providing an exclusive service for DoD customers that meets an even higher bar than DoD’s stated requirements and exceeds the level of protection and capability offered by any other hyperscale commercial cloud solution.
Do these regions support classified data requirements?
These Azure Government DoD regions support only unclassified data up to and including Impact Level 5. Impact Level 6 data is defined as classified information up to Secret.
What organizations in the DoD can use the Azure Government DoD Regions?
The US DoD East and US DoD Central regions are built to support the US Department of Defense customer base. This includes:
- The Office of the Secretary of Defense
- The Joint Chiefs of Staff
- The Joint Staff
- The Defense Agencies
- Department of Defense Field Activities
- The Department of the Army
- The Department of the Navy (including the United States Marine Corps)
- The Department of the Air Force
- The United States Coast Guard
- The unified combatant commands
- Other offices, agencies, activities, and commands under the control or supervision of any approved entity named above
Are the DoD regions more secure?
Microsoft operates all of its Azure datacenters and supporting infrastructure to comply with local and international standards for security and compliance – leading all commercial cloud platforms in compliance investment and achievements. These new DoD regions will provide specific assurances and commitments to meet the requirements defined in the DoD SRG for Cloud Computing.
Why are there multiple DoD regions?
By having multiple DoD regions, Microsoft provides customers with the opportunity to architect their solutions for disaster recovery scenarios across regions to ensure business continuity and satisfy requirements for system accreditation. In addition, customers may optimize performance by deploying solutions in the geography within closest proximity to their physical location.
Are these DoD regions connected to the NIPRNet?
The DoD mandates that commercial cloud services used for CUI must be connected to customers through a Cloud Access Point (CAP). Therefore, the Azure DoD regions are connected to the NIPRNet through redundant connections to multiple geographically distributed CAPs. A DoD CAP is a system of network boundary protection and monitoring devices that offer protection to DoD information system network and services.
When will the Azure Government DoD Regions be available?
We are working with DoD customers who are interested in previewing the DoD regions to provide them with access. We expect the DoD regions to be accredited at Impact Level 5 by the government by the end of calendar year 2016 and to make our DoD regions generally available to all DoD customers with financially-backed service level agreements in January of 2017.
How does a DoD customer acquire Azure Government DoD services?
Azure Government DoD services may be purchased by qualified entities through the same reseller channels as Azure Government. In keeping with Microsoft’s commitment to make cloud services acquisition planning and cost estimation simple, pricing for Azure Government DoD regions will be included in the Azure Pricing calculator at the time of general availability. Azure Government DoD services can quickly scale up or down to match demand, so you only pay for what you use.
No contractual modifications will be required for Enterprise Agreement customers already using Azure Government.
How does a DoD organization get validated for the Azure Government DoD regions?
In order to gain access to the Azure DoD regions, customers must complete a pre-qualification process for verifying their organization and intended use of the Azure DoD environment. After successful completion of the pre-qualification process, Microsoft will provide the organizational applicant with further instructions for creating a subscription, accessing the environment and providing role-based access control to other members of the organization.
Can independent software vendors and solution providers building on Azure deploy solutions in the Azure Government DoD regions?
Solution providers with cloud service offerings built on Azure may operate DoD-only single tenant and multi-tenant solutions in the Azure Government DoD regions. These providers must first demonstrate eligibility by providing documented evidence of a contract with an approved DoD entity or have a sponsor letter from an approved DoD entity. Providers offering services in the Azure Government DoD regions must include computer network defense, incident reporting and screened personnel for operating solutions handling Impact Level 5 information in their offering. Additional guidance for solution providers may be found in the DoD Cloud Computing Security Requirements Guide.
Will Office 365 or Microsoft Dynamics 365 be a part of this offering?
Microsoft is providing Office 365 services for the DoD at Impact Level 5 in conjunction with this offering. Dynamics 365 is planning to offer Impact Level 5 services from the Azure DoD regions at a future date.
How do I request to join the DoD Region Preview?
In order to gain access to the Azure DoD regions, customers must complete a pre-qualification process for verifying their organization and intended use of the Azure DoD environment. After successful completion of the pre-qualification process, Microsoft will provide the organizational applicant with further instructions for creating a subscription, accessing the environment and providing role-based access control to other members of the organization. If you represent a DoD entity interested in previewing our DoD regions, please contact your Microsoft sales team or contact us at AzureGovtDoDPreview@microsoft.com to begin this validation process.
How do I connect to the DoD Region Preview once I have a subscription?
The DoD regions for Azure Government are available through the Azure Government management portal at https://portal.azure.us. DoD customers approved for use will see the regions listed as available options when deploying available services. For general guidance on managing your Azure Government subscriptions please consult our documentation.
What Data is categorized as Impact Level 5?
Level 5 accommodates controlled unclassified information (CUI) that requires a higher level of protection than that afforded by Level 4 as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs). This level accommodates NSS and CUI information categorizations based on CNSSI-1253 up to moderate confidentiality and moderate integrity (M-M-x).
How will usage be billed during the Preview period?
What services are available during the DoD Region Preview?
The following services are planned to be available during the DoD Region Preview. Additional services are being added to the roadmap for the DoD regions following general availability:
Who do I contact for technical assistance during the Preview?
An onboarding session may be requested as part of the Preview program. Once you have been validated as an eligible DoD entity, this session may be requested through https://aka.ms/AzureGovSupport by specifying Problem Type: ‘Onboarding’ and Category: ‘Schedule a partner or customer onboarding call’. For additional technical support throughout the Preview period, please contact DoDRegionSupport@microsoft.com.