If you run and/or own an Office 365 tenant, you are guaranteed 99.9% uptime, you get a Service Health Dashboard, and you can see a Planned Maintenance Schedule. This kind of remote administration ‘control’ provides the core support benefits; monitoring and and service licensing arrangements.
Whilst these features are crucial to ensuring a resilient platform that gives visibility of status, it is important to recognise that there is another support plan which addresses data compliance for Office 365 (Enterprise Version). This support plan offers enhanced versions of Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft Lync Online dedicated support, that is designed to meet the security, privacy, and regulatory compliance requirements. The following compliancy standards are met in this support plan:
- U.S. federal government agencies requiring certification under the Federal Information Security Management Act (FISMA) of 2002.
- Commercial entities subject to International Traffic in Arms Regulations (ITAR).
This document describes the advanced security and privacy features that are available in the ITAR-support plans from Office 365. It also calls out any significant feature differences between Office 365 ITAR-support plan solutions and Office 365 dedicated plan solutions.
What is ITAR
Microsoft Office 365 ITAR-support plans are a variation of the Microsoft Office 365 dedicated plans. The primary difference is that ITAR-support plan solutions are designed to meet the security, privacy, and regulatory FISMA/FedRAMPcompliance requirements for U.S. federal government agencies and support the regulatory needs of companies operating under ITAR.
These enhanced services are offered to customers under the Office 365 ITAR-support subscription plans (“ITAR-support plans”).
The ITAR dedicated support plan attempts to address frustrations of having to deal with generic (raise a support call into a ‘global queue’) helpdesk tickets regarding compliance and security. Another benefit of this support plan is the ability for those providing Office 365 to help the customer build SLAs and at the same time provides more confidence in the use of online systems. Since ITAR is specific, the support resources applied will be closer to the relevant issues and will define solutions specific to those relevant issues.
Summary of ITAR
Encryption at Rest and Encryption in Transit
Encryption at Rest and Encryption in Transit is covered, describing that documents would be encrypted using AD RMS. Effectively, this means that users would access AD RMS documents using AD authentication. Note that Encryption at Rest only applies to Exchange and SharePoint Online. As for Encryption in Transit, there is a description concerning dedicated and Internet Connectivity.
Environment and Customer Isolation
Environment Isolation, which is the isolation of the Office 365 Environment. Per Customer Isolation - describes where data is held and how as an ITAR plan customer hardware is provisioned and segregated. Note that this segregation covers only Exchange, SharePoint and Lync online.
Trusted Internet Connection. Very useful for thise customers who need support for TIC requirements, Office365 ITAR support plans provide a dedicated connection, rather than an direct internet connection to data centres. This service is provided to SharePoint, Exchange and Lync only.
Two Factor Authentication
Smart cards using PIV (Personal Identity Verification) can be used to ensure secure authentication of clients. However, there are a number of client responsibilities described, including PIV implementation, client side authentication, including PKI and card management. This ITAR supported provision covers Exchange and SharePoint only.
Compliance and Support considerations
Described is the ITAR level plan information concerning compliance with FISMA (Federal Information Security Management Act) covering service hosting, and Microsofts' plans to to comply with FEDRAMP (Federal Risk and Authorization Management Program). Also, discussed are the security and screening features concerning dedicated hardware, infrastructure location, security access and screening.
Personnel and Background Checks
ITAR ensures that those responsible for supporting Office365 systems on behalf of customers undergo stringent personnel and background checks as follows:
- Employment History Check
- Education Verification
- Social Security Number (SSN) Search
- Criminal History Check
- Office of Foreign Assets Control List (OFAC)
- Bureau of Industry and Security List (BIS)
- Office of Defense Trade Controls Debarred Persons List (DDTC)
- Fingerprinting Check
The article details what kind of checks are carried out and that they are recurring checks. This is applied to Exchange, SharePoint and Lync.
Whilst reading up on ITAR, I found a number of other documents which are extremely useful and I would strongly suggest you check them out:
Recognises the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Controls the export and import of defense-related articles and services on the United States Munitions List (USML).
For security in Cloud computing, the US Government has compliance audits such as Federal Information Security Management Act of 2002 (FISMA) which cloud providers can go through to meet security standards.
FEDRAMP is a program which develops relationships between Federal agencies and cloud service providers. The program is designed to be compliant with FISMA.
Documents that support and further describe FISMA and ITAR-Support Solutions Service Description and the Network Service Description for Office 365 ITAR Support Plans
Resources covering Office 365 dedicated service descriptions, deployment guidance and dedicated administration.