Azure DoD Regions Accredited at Impact Level 5 and Now Generally Available

Derek Strausbaugh, Principal Program Manager


Earlier today Tom Keane, General Manager, Azure, announced that Azure Government is the first and only hyperscale commercial cloud service to be awarded an Information Impact Level 5 DoD Provisional Authorization by the Defense Information Systems Agency. In addition, Azure Government regions dedicated to US Department of Defense customer workloads are now generally available.

In anticipation of high demand for the DoD regions, we’ve spent time compiling answers to the most frequently asked questions we’ve heard during our recently completed Preview program to help interested customers and partners understand what this unique capability from Microsoft means to the Department of Defense and its mission partners.

What are the Azure Government DoD Regions? 

The US DoD East and US DoD Central regions are physically separated regions of Microsoft Azure architected to meet US Department of Defense (DoD) security requirements for cloud computing, specifically for data designated as DoD Impact Level 5 per the DoD Cloud Computing Security Requirements Guide (SRG).   

What is the difference between Azure Government and the Azure Government DoD Regions? 

Azure Government is a US government community cloud providing services for Federal, State and Local government customers, tribal, entities subject to ITAR, and solution providers performing work on their behalf. All Azure Government regions are architected and operated to meet the security requirements for DoD Impact Level 5 data and FedRAMP High standards.

The Azure Government DoD regions are architected to support the physical separation requirements for Impact Level 5 data by providing dedicated compute and storage infrastructure for the use of DoD customers only.  

What is the difference between Impact Level 4 and Impact Level 5 data?  

Impact Level 4 data is controlled unclassified information (CUI) that may include data subject to export control, privacy information, protected health information and other data requiring explicit CUI designation (e.g. For Official Use Only, Law Enforcement Sensitive, Sensitive Security Information).

Impact Level 5 data includes controlled, unclassified information (CUI) that requires a higher level of protection as deemed necessary by the information owner, public law or government regulation.  Impact Level 5 data is inclusive of unclassified National Security Systems.  More information on the SRG impact levels, their distinguishing requirements and characteristics is available in section 3 of the DoD Cloud Computing Security Requirements Guide.  

What Data is categorized as Impact Level 5? 

Level 5 accommodates controlled unclassified information (CUI) that requires a higher level of protection than that afforded by Level 4 as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs).  This level accommodates NSS and CUI information categorizations based on CNSSI-1253 up to moderate confidentiality and moderate integrity (M-M-x).

What is Microsoft doing differently to support Impact Level 5 data? 

Impact Level 5 data by definition can only be processed in a dedicated infrastructure that ensures physical separation of DoD customers from non-Federal government tenants.  In delivering the US DoD East and US DoD Central regions, Microsoft is providing an exclusive service for DoD customers that meets an even higher bar than DoD’s stated requirements and exceeds the level of protection and capability offered by any other hyperscale commercial cloud solution.

Do these regions support classified data requirements? 

These Azure Government DoD regions support only unclassified data up to and including Impact Level 5.  Impact Level 6 data is defined as classified information up to Secret.

What organizations in the DoD can use the Azure Government DoD Regions? 

The US DoD East and US DoD Central regions are built to support the US Department of Defense customer base.  This includes:

  • The Office of the Secretary of Defense
  • The Joint Chiefs of Staff
  • The Joint Staff
  • The Defense Agencies
  • Department of Defense Field Activities
  • The Department of the Army
  • The Department of the Navy (including the United States Marine Corps)
  • The Department of the Air Force
  • The United States Coast Guard
  • The unified combatant commands
  • Other offices, agencies, activities, and commands under the control or supervision of any approved entity named above

Are the DoD regions more secure? 

Microsoft operates all of its Azure datacenters and supporting infrastructure to comply with local and international standards for security and compliance – leading all commercial cloud platforms in compliance investment and achievements.  These new DoD regions will provide specific assurances and commitments to meet the requirements defined in the DoD SRG for Cloud Computing.

Why are there multiple DoD regions? 

By having multiple DoD regions, Microsoft provides customers with the opportunity to architect their solutions for disaster recovery scenarios across regions to ensure business continuity and satisfy requirements for system accreditation.  In addition, customers may optimize performance by deploying solutions in the geography within closest proximity to their physical location.

Are these DoD regions connected to the NIPRNet? 

The DoD mandates that commercial cloud services used for CUI must be connected to customers through a Cloud Access Point (CAP).  Therefore, the Azure DoD regions are connected to the NIPRNet through redundant connections to multiple geographically distributed CAPs.  A DoD CAP is a system of network boundary protection and monitoring devices that offer protection to DoD information system network and services.

What Does General Availability Mean? 

General Availability means that the DoD regions in Azure Government may be used to support production workloads, and that financially backed SLAs will be supported for all services that are deployed in the regions and are themselves generally available.

How does a DoD customer acquire Azure Government DoD services? 

Azure Government DoD services may be purchased by qualified entities through the same reseller channels as Azure Government.  In keeping with Microsoft’s commitment to make cloud services acquisition planning and cost estimation simple, pricing for Azure Government DoD regions will be included in the Azure Pricing calculator at the time of general availability.  Azure Government DoD services can quickly scale up or down to match demand, so you only pay for what you use.

No contractual modifications will be required for Enterprise Agreement customers already using Azure Government.  

How are the DoD regions priced? 

The DoD regions utilize region-based pricing.  This means that service costs for validated DoD customers will be based on the Azure Government region in which you run your workloads.  For more specific pricing information, please consult your Microsoft Account Executive.  Pricing for the DoD regions will be provided through the Azure.com calculator at a future date.

How does a DoD organization get validated for the Azure Government DoD regions? 

In order to gain access to the Azure DoD regions, customers must complete a pre-qualification process for verifying their organization and intended use of the Azure DoD environment.  After successful completion of the pre-qualification process, Microsoft will provide the organizational applicant with further instructions for creating a subscription, accessing the environment and providing role-based access control to other members of the organization.

Can independent software vendors and solution providers building on Azure deploy solutions in the Azure Government DoD regions? 

Solution providers with cloud service offerings built on Azure may operate DoD-only single tenant and multi-tenant solutions in the Azure Government DoD regions.  These providers must first demonstrate eligibility by providing documented evidence of a contract with an approved DoD entity or have a sponsor letter from an approved DoD entity.  Providers offering services in the Azure Government DoD regions must include computer network defense, incident reporting and screened personnel for operating solutions handling Impact Level 5 information in their offering.  Additional guidance for solution providers may be found in the DoD Cloud Computing Security Requirements Guide.

Will Office 365 or Microsoft Dynamics 365 be a part of this offering? 

Microsoft is providing Office 365 services for the DoD at Impact Level 5 in conjunction with this offering.  Dynamics 365 is planning to offer Impact Level 5 services from the Azure DoD regions at a future date.

How do I connect to the DoD Regions once I have a subscription? 

The DoD regions for Azure Government are available through the Azure Government management portal at https://portal.azure.us.  DoD customers approved for use will see the regions listed as available options when deploying available services.  For general guidance on managing your Azure Government subscriptions please consult our documentation.

What services are part of your Impact Level 5 accreditation scope? 

Azure is an evergreen service where new services and capabilities are being added every week, so the number of services in scope is regularly expanding.  For the most up-to-date information, please visit our Microsoft Trust Center.

We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails, click “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.
