Microsoft Office 365 GCC High: Features Enabling CMMC Compliance

As mentioned above, CMMC compliance is critical in securing Controlled Unclassified Information (CUI) and using Microsoft GCC is a critical part of that.

What Is CMMC?

CMMC refers to a U.S. DoD program that applies to the Defense Industrial Base contractors. It’s a unifying standard and a certification model ensuring that all the DoD partners, subcontractors and contractors protect the sensitive information per the necessary laws, government policies, and regulations. The current version is CMMC 2.0, released by OUSD A&S in November 2021. It’s designed to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with the Department of Defense. It builds on and replaces NIST 800-171 and is heavily related to various DFARS Clauses.

CMMC 2.0 will be steadily phased into DoD contract Bidding. However, the other United States Federal Agencies on the GSA schedule will likely adopt CMMC 2.0 too. It is anticipated that over 300,000 contractors will have to maintain some CMMC certification. The main goals of Cybersecurity Maturity Model Certification include:

❖ Maintaining public trust via high ethical and professional standards.
❖ Ensure accountability and minimize barriers to compliance with the Department of Defense requirements.
❖ Safeguard sensitive information such as CUI and ITAR while protecting the warfighter.
❖ Contribute towards collaborative cybersecurity and cyber resilience culture.
❖ Dynamically enhancing the DIB cybersecurity to address the constantly evolving threats.

Journey to Achieving CMMC Compliance

Becoming CMMC Compliant is a journey and selecting the right cloud infrastructure is an essential step. However, using Microsoft cloud, whether GCC or GCC High, organizations can inherit any controls that Microsoft has put in place to ensure compliance. Hence, an organization is saved a considerable volume of work, unlike having to achieve CMMC compliance individually and owning their data centers. Are you a contractor in DIB that has to be CMMC compliant? You should begin thinking about CMMC 2.0 now. With over 300,000 DIB contractors required to upgrade to CMMC 2.0 soon, there is a high likelihood of large audit backlogs that will come with this large undertaking.

CMMC 2.0 Model

There’re three levels of Cybersecurity Maturity Model Certification.

Level 1 (Foundational)

There are 17 standards in CMMC 2.0 level 1. However, companies certified under CMMC level 2.0 should have an annual self-assessment.

Level 2 (Advanced)

Any Federal contractor creating or receiving Controlled Unclassified Information (CUI) must be level 2 certified. This level is based on NIST SP 800-171 security practices. Companies certified under CMMC 2.0 level 2 must have a tri-annual assessment from a CMMC Third Party Assessment Organization (C3PAO). Remember, any organization creating, receiving, disseminating, or storing CUI like ITAR should implement a Microsoft GCC High cloud infrastructure.

Level 3 (Expert)

CMMC 2.0 Level 3 has 110+ practices based on the NIST SP 800-172. Like in level 2, tri-annual assessments are required in this level. However, they are government-led. It is estimated that not more than 200 DIB contractors in the U.S. will require a level 3 certification. Additionally, this might likely require other provisions beyond Microsoft Office 365 GCC High.

Since CMMC 2.0 Level 2 requires most planning and decision making, let us consider it in relation to Microsoft Office 365 GCC and GCC High.

Microsoft Office 365 GCC High and GCC for CMMC 2.0 Level 2 Compliance

Is your company subject to the dictates of DFARS 7012? Then you have no choice but to operate in a Microsoft GCC High or GCC cloud environment. In fact, Microsoft GCC High, GCC, and DoD are the only cloud environments where Microsoft contractually agrees to meet the needs of its clients in relation to DFARS 7012, a core requirement of CMMC 2.0 Level 2. Suppose you have any operational requirements for International Traffic in Arms Regulations (ITAR), No Foreign Nationals (NOFORN), and Export Administration Regulations (EAR). In that case, you will need to migrate to Microsoft GCC High.

Organizations might think that moving to Microsoft GCC now and then moving to Microsoft GCC High later is easier. However, this will result in disruptions of day-to-day operations. Cloud migrations like those offered by Cleared Systems require lots of work at some downtimes. Unfortunately, Microsoft doesn’t have a simple way of moving into Microsoft Office 365 GCC High or GCC from a commercial cloud. The organization has to conduct a complete migration project whether it moves from commercial cloud platforms to GCC or from GCC to Microsoft Office 365 GCC High. Such projects are better handled and completed by experienced professionals.

Is Microsoft Office 365 GCC High CMMC 2.0 Compliant Out-Of-The-Box?

Simply No. Microsoft Office 365 GCC High can be considered a broad set of services which, with proper deployment, can offer a DIB contracting company robust support for various compliance requirements such as CMMC 2.0, DFARS 7012, and The Export Control Requirements such as ITAR. It’s a platform that organizations can build on to support various use cases, although it isn’t a compliant system boundary itself. The contractors will have to configure various features and services described above to ensure they meet the specific controls, practices, and requirements. However, it is recommended that the companies use Azure Blueprints as their starting point for implementing a secure baseline configuration.