Microsoft GCC High Migration for Enhanced Data Security

If you Handle CUI

If you are a federal contractor or sub-contractor, you are highly likely to deal with Controlled Unclassified Information (CUI). This is government-created and owned information that requires safeguarding or dissemination controls according to the applicable regulations, laws, and policies. Though not classified, CUI should be handled according to the relevant controls. Microsoft GCC High is the only cloud that helps you achieve the requirements of processing, transmitting, and storing CUI. Primarily, CUI comprises Covered Defense Information and Covered Technical Information.

If your organization holds CUI that must be safeguarded in compliance with DFARS 252.204 7012 using NIST 800-171 cybersecurity standards, you need to migrate to Microsoft GCC high. CUI includes;

• Controlled Technical Information that applies to the Military, Government, or aerospace
• Proprietary information regarding critical, protected energy as specified in the Atomic Energy Act (AEA)
• Proprietary information regarding any of CUI registry categories, export controls, geodetic intelligence, and geospatial imagery
• Specified Controlled Unclassified Information requires US Sovereignty like NASA, Nuclear Information (FERC/NERC), and CUI marked NOFORN.

Therefore, if your organization deals with either of the above CUI categories, you should migrate to Microsoft GCC High to be compliant.

For ITAR and EAR Compliance

The other reason to migrate to Microsoft GCC High is if your organization needs ITAR compliance. Any University, Research Laboratory or company in the United States that deals with manufacturing, research, exporting, servicing defense items, or furnishing defense services must be ITAR compliant. Put, if you deal with the production, design, research, manufacturing, or export of any of the items listed in the United States Munitions List (USML), you must ensure you are compliant with this regulation.

Secure data storage, processing, and transmission are essential in achieving ITAR compliance. Microsoft GCC High is the only Microsoft Cloud environment able to monitor, label, and secure data effectively to minimize risks for contractors and agencies. It is designed to meet ITAR standards. Any export of items listed in the USML or information related to them is prohibited under ITAR. Microsoft GCC High is the only cloud environment that guarantees that any information is only accessed by US citizens, meaning that you must migrate to GCC high if your operations require you to be ITAR compliant. Remember, any ITAR violation, intentional or otherwise, could cost you many fines or make your contract void.

Microsoft GCC high is also a critical component of achieving EAR compliance. EAR covers data export and imports and commercial components of a product. This regulation applies to dual-use items available for government use and commercial use like High-performance computers and GPS systems. If your organization deals with items listed on the CCL (Commercial Control List), you should migrate to Microsoft GCC High. Some of the items covered under EAR include:

• Aerospace and Propulsion
• Avionics and Navigation
• Electronics and Computers
• Chemicals, Toxins, Microorganisms, and Materials
• Information Security
• Telecommunications
• Lasers and sensors
• Nuclear and Miscellaneous

To Be Compliant With CMMC 2.0

The long-awaited Cybersecurity Maturity Model Certification version 2.0 is now out. It builds on the existing DFARS and NIST Frameworks, bringing urgency to adopt Microsoft GCC High. CMMC 2.0 prescribes 3 cybersecurity maturity levels that measure cybersecurity processes and controls to ensure you are in line with relevant policies. Most importantly, CMMC 2.0 certification will determine if you can continue working with the DoD.

Although you do not need Microsoft GCC High for CMMC 2.0 Certification, it is one of the two cloud environments where Microsoft can contractually agree to meet your requirement for DFARS 7012. The underlying compliance requirements supported by CMMC 2.0 like NIST 800-171 require Microsoft GCC high. CMMC 2.0 hasn’t changed those requirements, and although we expect that DFARS 7021 will undergo amendments to adjust to the provisions of CMMC 2.0, DFARS 7012 is here to stay.

This means that if you are contractually subject to DFARS 7012, you should migrate to Microsoft GCC High. That is, if you cover information with sovereignty, US citizenship requirement (personally Identifiable Information), and export control. Therefore, although it isn’t needed for CMMC 2.0 certification, you should migrate to Microsoft GCC High for compliance with DFARS and NIST 800-171.

If You Handle DOD Contracts

Most, if not all, DoD contracts are subject to DFARS 252.204-7012, a regulation that has become increasingly important for defense suppliers and contractors. The regulation describes how Covered Defense Information should be safeguarded by implementing the guidance in NIST SP 800-171. DFARS 252.204-7012 further requires and outlines the contractors’ specific procedures in case of a cyber incident. Although Microsoft GCC high is the only version of Microsoft compliant with DFARS 7012 reporting requirements, it isn’t included as a requirement for CMMC DoD compliance. This means that Microsoft GCC high isn’t necessary to get a CMMC DoD certificate or DoD contract.

However, if the DoD contract has a DFARS 7012 clause, or you want to become a CMMC 2.0 level 3 compliant, you will need Microsoft GCC High. It is the only Microsoft 365 cloud environment whose reporting meets DFARS 7012 requirements.