Microsoft Office 365 GCC is a cloud environment designed to meet the requirements of United States Government entities and contractors. With tighter restrictions and stricter security controls than the traditional commercial offerings, GCC accounts are only available to validated organizations in the US public sector and commercial private entities subject to regulations.

This article will explain what Microsoft GCC is, including different levels available like GCC High, covering controls, safeguards, and compliance, as well as options for secure file transfer in these highly regulated environments. 

What is Microsoft 365 Government Community Cloud?

According to Microsoft, "Microsoft 365 Government is a set of productivity, security, and mobility cloud software capabilities tailored for US government agencies and contractors sponsored to hold controlled, unclassified information." The goal is to keep services and features as similar to commercial M365 as possible while adhering to the stricter regulations and compliance requirements of the United States government. 

There are three main levels of Office 365 government: Government Community Cloud (GCC), Government Community Cloud High (GCC High), and Government Community Cloud for the Department of Defense (GCC DoD), with each level having stricter compliance requirements and restrictions than the last. 

Office 365 Government is the least restrictive level and is a separated cloud infrastructure that has been designed specifically for the US government. It is designed to meet the requirements of United States Federal, State, Local, and Tribal governments, as well as contractors processing data for these entities.

GCC High is a more restrictive version of GCC (you can think of the "high" as "highly compliant") and has to meet NIST SP 800-53 security and privacy controls. GCC High is only available to validated organizations that meet certain eligibility requirements. It is not suitable for certain DoD information. Microsoft also puts restrictions on file sharing: users in GCC High are unable to share files with non-GCC High organizations.

Specifically for the Department of Defense, GCC DoD is only available to purchase for entities within the US Department of Defense. The security controls and enhancements at this level must meet DoD SRG L5 requirements. As it is highly regulated and access-controlled, there are limited methods available for transferring data into and out of these environments. 

Microsoft GCC and Google GCC - what's the difference? 

While Microsoft and Google both use the acronym GCC, they refer to two completely unrelated things.

For Microsoft, "GCC" stands for Government Community Cloud, the cloud infrastructure mentioned above that is separate from Microsoft's commercial infrastructure and is suitable for US government organizations and contractors. 

In Google, GCC can refer to a few different things. One is Google Cloud Community, a forum for users using Google Cloud Platform to share insights and offer tips and assistance to other users. Less commonly, GCC can refer to Google Cloud console, a cloud management console for managing applications and infrastructure on Google Cloud. 

Google has its own offering for different levels of government, including state and local governments, civilian entities, and defense. These offerings and the differences between them can be found at Google for Government.  

What to look for with Secure File Transfers for Microsoft GCC

Because GCC has strict requirements, many typical file transfer solutions aren't suitable for these environments. However, there is often a need to send and receive data in a secure manner, and one solution is to use a managed file transfer platform.

Some characteristics to look for in a file transfer solution are that it supports secure file transfer protocols, gives you full control of your data, and has comprehensive logging and auditing capabilities.

Platform support

The simplest way to know if a file transfer solution is suitable for GCC environments is if it has a way to connect to them. Since, as mentioned above, GCC is separate from the commercial Microsoft 365 environment, the platform will need a way to connect to GCC, so check that there is support or documentation for connecting to these environments. 

Secure file transfer protocols

Encryption is a must for GCC file transfers, so only certain protocols can be used. Due to its lack of encryption, the FTP protocol is not suitable for GCC.

Instead, a protocol that is secure by design, such as SFTP, is required because it provides end-to-end encryption. SFTP is the recommended method for securely transferring files involving GCC, as it emphasizes security by requiring an encrypted SSH connection.

Similar to SFTP, the FTPS protocol adds encryption to the typically unencrypted FTP protocol, which makes it a secure alternative to SFTP. This can be suitable when connecting to systems that don't natively support SFTP and when organizations still need an encrypted method for transferring files involving these systems. 

Another protocol that can meet the requirements for EDI file transfers is the AS2 protocol. Like SFTP, AS2 has end-to-end encryption with the addition of automatic Message Delivery Notifications that confirm a file was successfully received. 

Full control of your data

When looking at solutions in the market, it is important to ensure that your data is secure at all stages of the data lifecycle. One way of ensuring this is to have full control of your data at rest, as well as being able to trust the software that is actually transferring the data and acting as the gateway.

Many managed file transfer platforms use a temporary storage layer as part of their infrastructure. While these storage layers are often secure, they still add another potential point of vulnerability through which files could be accessed, so they should be avoided when possible for GCC transfers.

An alternative to this is directly transferring files between connected storage platforms. With this method, folders on the MFT platform are virtual, requiring authentication to point to a specific directory on a cloud storage platform. Files are then transferred directly between these locations without having to be stored even temporarily by the platform itself, giving increased security and control. 

Comprehensive logging and auditing

Because GCC file transfers need to adhere to strict compliance regulations, it's essential that logging and auditing capabilities are thorough and comprehensive. Many modern organizations use a dedicated Security Information and Event Management (SIEM) system to collect, aggregate, and analyze data from different sources in real time. 

Cloud-based SIEM solutions can significantly reduce the burden of on-prem infrastructure by offloading event monitoring and collection to a dedicated cloud infrastructure. Implementing a SIEM solution can offer greater scalability at a lower cost while also having powerful analytics and configurable reports. 

An MFT platform that can integrate with a SIEM solution allows for file transfer events to be sent to the platform for a unified, single location to access all logging and events. This can be especially beneficial for government entities as a secure, controlled solution that integrates with the likes of O365 GCC, which can both extend and simplify logging, auditing, and alerts. 
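The pass-through transfer and SIEM event forwarding described above can be sketched as follows. This is an added example, not Couchdrop's or any vendor's code; the function names, event field names, and the sample user and path are assumptions made for illustration.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 64 * 1024                 # only one chunk is ever held in memory
ENCRYPTED = {"sftp", "ftps", "as2"}    # protocols the article treats as acceptable


def relay(source, destination, *, user, path, protocol):
    """Stream source to destination without staging; return an audit event."""
    if protocol.lower() not in ENCRYPTED:
        raise ValueError(f"unencrypted protocol refused: {protocol}")
    digest, total = hashlib.sha256(), 0
    outcome, error = "success", None
    try:
        while chunk := source.read(CHUNK_SIZE):
            destination.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    except OSError as exc:
        # A partial transfer is still an auditable event.
        outcome, error = "failure", str(exc)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event": "file_transfer",      # hypothetical field names throughout
        "user": user,
        "path": path,
        "protocol": protocol.lower(),
        "bytes": total,
        "sha256": digest.hexdigest(),
        "outcome": outcome,
        "error": error,
    }


def to_siem_line(event):
    """Serialize one event as a single JSON line for a log forwarder."""
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    payload = b"constructed sample file contents\n" * 5000   # constructed input
    src, dst = io.BytesIO(payload), io.BytesIO()
    print(to_siem_line(relay(src, dst, user="partner-a",
                             path="/inbound/report.csv", protocol="sftp")))
```

The SHA-256 in the event covers exactly the bytes written to the destination, so an auditor can compare it against the stored object even when the transfer ended in failure.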

Using Couchdrop for GCC file transfers

Couchdrop is a SOC2-compliant managed file transfer platform with a native connector for GCC SharePoint. The cloud infrastructure is designed to meet the strictest requirements, including file transfers involving GCC SharePoint.

One benefit of using Couchdrop is that all data at rest is controlled and owned by your organization within your already established storage platform (Azure Blob, Google Workspace, SharePoint GCC, etc). Couchdrop does not store, sync, or hold any of your data. As the data is processed, it is streamed in real-time to your storage endpoint completely using memory, meaning nothing remains once the transfer has completed. 

GCC also requires integration with federated services, which provides a single point of truth and centralized control for user accounts and simplifies the onboarding, auditing, and off-boarding of new clients and partners. Additionally, with Couchdrop MFT, you can route all logging and events to a SIEM such as Datadog, Splunk, or Microsoft Sentinel for a single pane of visibility and continuous monitoring of your data workflows.

Given the need for security in GCC, many organizations need documentation and additional information about infrastructure and security. For Couchdrop, you can access security-related information in our Security Center. You can also reach out to our team at sales@couchdrop.io to discuss your specific use case and see if Couchdrop is suitable for your requirements.