Cleared Systems images

Federal contractors, especially those in Defense Industrial Base (DIB), must put measures for sensitive information protection to comply with the existing regulations and directives. To that end, Microsoft offers GCC High and Microsoft 365 DoD cloud platforms to help contractors processing or holding CUI and ITAR meet the evolving and unique requirements of the United States DoD.

However, the recent release of CMMC 2.0 has sparked a discussion on the need for migrating to Microsoft GCC High. If you are a contractor or subcontractor in the DIB and are unsure whether you should migrate, you are in the right place. This article will address when migration to Microsoft GCC high is necessary and when it isn't. Migrating to this sovereign cloud is a time-consuming, tiresome and expensive project, and you need to migrate when absolutely necessary.

When Should You Migrate To Microsoft GCC High?

If you Handle Controlled Unclassified Information

If you are a federal contractor or sub-contractor, you are highly likely to deal with Controlled Unclassified Information (CUI). This is government-created and owned information that requires safeguarding or dissemination controls according to the applicable regulations, laws, and policies. Though not classified, CUI should be handled according to the relevant controls. Microsoft GCC High is the only cloud that helps you achieve the requirements of processing, transmitting, and storing CUI. Primarily, CUI comprises Covered Defense Information and Covered Technical Information.

If your organization holds CUI that must be safeguarded in compliance with DFARS 252.204 7012 using NIST 800-171 cybersecurity standards, you need to migrate to Microsoft GCC high. CUI includes;

  • Controlled Technical Information that applies to the Military, Government, or aerospace
  • Proprietary information regarding critical, protected energy as specified in the Atomic Energy Act (AEA)
  • Proprietary information regarding any of CUI registry categories, export controls, geodetic intelligence, and geospatial imagery
  • Specified Controlled Unclassified Information requires US Sovereignty like NASA, Nuclear Information (FERC/NERC), and CUI marked NOFORN.

Therefore, if your organization deals with either of the above CUI categories, you should migrate to Microsoft GCC High to be compliant.

For ITAR and EAR Compliance

The other reason to migrate to Microsoft GCC High is if your organization needs ITAR compliance. Any University, Research Laboratory or company in the United States that deals with manufacturing, research, exporting, servicing defense items, or furnishing defense services must be ITAR compliant. Put, if you deal with the production, design, research, manufacturing, or export of any of the items listed in the United States Munitions List (USML), you must ensure you are compliant with this regulation.

Secure data storage, processing, and transmission are essential in achieving ITAR compliance. Microsoft GCC High is the only Microsoft Cloud environment able to monitor, label, and secure data effectively to minimize risks for contractors and agencies. It is designed to meet ITAR standards. Any export of items listed in the USML or information related to them is prohibited under ITAR. Microsoft GCC High is the only cloud environment that guarantees that any information is only accessed by US citizens, meaning that you must migrate to GCC high if your operations require you to be ITAR compliant. Remember, any ITAR violation, intentional or otherwise, could cost you many fines or make your contract void.

Microsoft GCC high is also a critical component of achieving EAR compliance. EAR covers data export and imports and commercial components of a product. This regulation applies to dual-use items available for government use and commercial use like High-performance computers and GPS systems. If your organization deals with items listed on the CCL (Commercial Control List), you should migrate to Microsoft GCC High. Some of the items covered under EAR include:

  • Aerospace and Propulsion
  • Avionics and Navigation
  • Electronics and Computers
  • Chemicals, Toxins, Microorganisms, and Materials
  • Information Security
  • Telecommunications
  • Lasers and sensors
  • Nuclear and Miscellaneous

To Be Compliant With CMMC 2.0

The long-awaited Cybersecurity Maturity Model Certification version 2.0 is now out. It builds on the existing DFARS and NIST Frameworks, bringing urgency to adopt Microsoft GCC High. CMMC 2.0 prescribes 3 cybersecurity maturity levels that measure cybersecurity processes and controls to ensure you are in line with relevant policies. Most importantly, CMMC 2.0 certification will determine if you can continue working with the DoD.

Although you do not need Microsoft GCC High for CMMC 2.0 Certification, it is one of the two cloud environments where Microsoft can contractually agree to meet your requirement for DFARS 7012. The underlying compliance requirements supported by CMMC 2.0 like NIST 800-171 require Microsoft GCC high. CMMC 2.0 hasn't changed those requirements, and although we expect that DFARS 7021 will undergo amendments to adjust to the provisions of CMMC 2.0, DFARS 7012 is here to stay.

This means that if you are contractually subject to DFARS 7012, you should migrate to Microsoft GCC High. That is, if you cover information with sovereignty, US citizenship requirement (personally Identifiable Information), and export control. Therefore, although it isn't needed for CMMC 2.0 certification, you should migrate to Microsoft GCC High for compliance with DFARS and NIST 800-171.

If You Handle DOD Contracts

Most, if not all, DoD contracts are subject to DFARS 252.204-7012, a regulation that has become increasingly important for defense suppliers and contractors. The regulation describes how Covered Defense Information should be safeguarded by implementing the guidance in NIST SP 800-171. DFARS 252.204-7012 further requires and outlines the contractors' specific procedures in case of a cyber incident. Although Microsoft GCC high is the only version of Microsoft compliant with DFARS 7012 reporting requirements, it isn't included as a requirement for CMMC DoD compliance. This means that Microsoft GCC high isn't necessary to get a CMMC DoD certificate or DoD contract.

However, if the DoD contract has a DFARS 7012 clause, or you want to become a CMMC 2.0 level 3 compliant, you will need Microsoft GCC High. It is the only Microsoft 365 cloud environment whose reporting meets DFARS 7012 requirements.

When Should You Not Migrate to Microsoft GCC High?

If You Don't Handle CUI

As seen above, CUI is handled with extra care and caution, making it necessary to migrate to the secure Microsoft GCC High. However, you don't need to migrate if your organization doesn't handle any Controlled Unclassified Information. You can use other commercial Microsoft options like GCC and Microsoft 365 commercial cloud. Regardless, ensure that your data is secure.

If You Do Not Have A DoD Contract

If you aren't a DoD contractor or supplier, migrating to GCC high isn't necessary. However, you should check whether you need to be Export Administration Regulations (EAR) compliant. You may not be a DoD contractor or supplier but deal with items listed in the CCL where you need to migrate.

When You Don't Handle/Store High Regulatory Information

High Regulatory information needs extra care. Those handling it must migrate to Microsoft GCC High for proper reporting and safeguarding in compliance to DFARS 7012 and as per the NIST 900-171 guidelines. However, your organization doesn't need to migrate to Microsoft GCC high if you don't handle or store such information.

Microsoft GCC High is a sovereign and the only cloud platform that meets the DFARS 7012 reporting requirements. In fact, it is one of the two cloud environments that Microsoft contractually agrees to meet your DFARS 7012 requirements. Therefore, if you hold any form of CUI and need to be ITAR and EAR compliant, you should migrate to Microsoft GCC High. It also helps you become CMMC 2.0 compliant, though indirectly. For Microsoft GCC High Consulting, visit our website to schedule an appointment.

Carl B. Johnson
Latest posts by Carl B. Johnson (see all)
by:

Leave a Reply

Your email address will not be published.