> I still want to know why--when we're wanting to run services like Document Intelligence and Azure OpenAI in Azure GCC High, a FedRAMP-High approved environment with these services claiming DoD Impact Level 5 compliance--our IT Security department thinks that can't be used for CUI. They say we need to spend 2 years and $2 million doing some kind of review of Azure itself before it can be approved for CUI.
Don't you still have to get program-specific authorization for IL5?
I don't know. I've been a software engineer for 25 years, but this is my first DoD job in 20. We didn't have this when I was a junior developer and I don't have the time to learn about this particular part of the process.
We have plenty of program contracts that require IL5. I think you only need ATO to go to IL6 and above (which would be Secret and would require working in a SIPRNet connected network isolated from our corporate network). For just CUI data, I thought you didn't need special authorization.
What I really need is someone I can trust who can come in and tell me what we should be doing, because whatever our IT Security team is telling me sounds ludicrous. There are a whole host of problems with our IT systems that indicate to me that they don't really know what they are doing.
Edit: note, I'm not talking about certifying our own software for use with CUI. That's a ball of wax that our leadership has told us to defer until next year, since for this particular project we don't have any clients yet. I'm talking about our IT dept won't let us send CUI through existing, should-be-approved services in Azure GCC High right now, even from our laptops inside our CUI-approved corp network.