The Defense Industrial Base (DIB) has become the target of increasingly complex and frequent cyberattacks. To protect FCI (Federal Contract Information) and CUI (Controlled Unclassified Information), OUSD A&S announced CMMC 2.0 in November 2021. It aims to improve DIB cybersecurity dynamically to meet evolving cyber threats, instill a collaborative culture of cyber resilience and cybersecurity, and ensure accountability while reducing barriers to compliance.
As CMMC 2.0 moves through assessments and reviews, much of the focus has fallen on the Microsoft Government security clouds, specifically Microsoft GCC High. Is Microsoft GCC High a requirement for compliance with CMMC 2.0? Which CMMC 2.0 changes affect Microsoft GCC High? Read on to learn whether Microsoft GCC High is necessary for CMMC 2.0 compliance, and more.
Is Microsoft GCC High required for CMMC 2.0?
To be clear, Microsoft GCC High is not needed for CMMC 2.0, just as it was not required for CMMC 1.0. It is needed to meet the requirements of specific business scenarios and of Controlled Unclassified Information (CUI). The reason is DFARS 252.204-7012, the regulation that underlies the CMMC 2.0 requirements. It establishes the requirements for managing Controlled Unclassified Information and for preserving information in case of a cybersecurity incident. Depending on the data stored within your organization, you might need additional controls, and migrating to a sovereign cloud environment might be necessary. So, when does your organization need Microsoft GCC High?
When Is Microsoft GCC High Required?
Microsoft GCC High is necessary if you create, manage or store the following categories of information:
- Export Controlled CUI
- EAR (Export Administration Regulations) data
- ITAR (International Traffic in Arms Regulations) data
- Specified CUI that requires US sovereignty, including Controlled Unclassified Information marked NOFORN, CDI (Controlled Defense Information), CTI (Controlled Technical Information), and Nuclear Information (NERC/FERC)
You can find the exhaustive list here. The information types above will always require special handling using Microsoft GCC High. In addition, CMMC 2.0 Levels 2 and 3 are intended to protect CUI, meaning that you will need to reside in a sovereign cloud environment like Microsoft GCC High.
Microsoft Government Community Cloud for CMMC 2.0
There are only two cloud platforms on which Microsoft contractually agrees to meet the DFARS 7012 requirements: Microsoft GCC High and Microsoft GCC. Microsoft GCC High is required if you hold any of the above types of information. To decide which cloud instance is necessary to meet CMMC, it is essential to understand how CMMC 2.0 came about and its underlying compliance requirements.
Federal Acquisition Regulation 52.204-21 covers FCI and includes 15 requirements for safeguarding information. In CMMC 1.0, FAR was codified as a subset of NIST 800-171. DFARS 252.204-7012 came into effect in December 2017 and mandated adherence to NIST 800-171 for federal contractors handling CDI and CUI.
Organizations had 12 months to meet the requirements of NIST 800-171 and to document them with a POA&M (plan of action and milestones) and a system security plan (SSP). DFARS 7012 also introduced cyber incident reporting: it requires organizations to protect and preserve all packet and monitoring data for ninety days. You can find all of Microsoft's public compliance reports and evidence, including its DFARS attestation of compliance and FedRAMP SSPs, in the Microsoft Service Trust Portal.
Intellectual property theft and cyber-attacks continued to hit the DIB in growing numbers, making it clear that self-evaluation of cybersecurity against NIST 800-171 was not enough. As a result, third-party assessment was introduced for the entire DIB. CMMC 2.0 was then introduced to reduce cost, enable small businesses to participate in the defense supply chain, and simplify compliance. However, CMMC 2.0 had zero impact on ITAR, DFARS, and the other frameworks that require Microsoft GCC High.
How can Microsoft GCC High Benefit You?
Microsoft GCC High offers a framework for any organization to secure its data by providing a compliant platform that supports core collaboration and communication tools. Implemented successfully, Microsoft GCC High can meet many of the requirements within CMMC 2.0. It is a vital and mature tool for compliance with various regulations. With Microsoft GCC High, your organization can:
- Label data and manage the movement of CUI and CDI using Azure Information Protection
- Restrict system access with a strict set of admittance requirements
- Connect the audit logs to Azure Sentinel at no additional charge
- Consolidate file management, collaboration and core communications on a single, compliant platform
- Actively hunt for and intercept threats
CMMC 2.0 itself does not mandate Microsoft GCC High. Instead, it is the underlying requirements supported by CMMC that require Microsoft GCC High.
What should you do pre-migration?
If you hold any CUI, you might be required to migrate to a sovereign cloud like Microsoft GCC High to meet the NIST 800-171 and DFARS 7012 requirements. But what should you do before migrating? A gap assessment is vital when preparing for a CMMC 2.0 assessment. However, most compliance security providers suggest a gap assessment of the existing environment, forgetting that Microsoft GCC High is an entirely different license and a physically separate environment. Assessing an environment you are about to leave costs you money and effort.
Scoping, by contrast, should be done before migration. You must have a thorough understanding of where the CUI is in your environment, who is authorized to access it, how it is transmitted, how it is labeled, and how it is protected. You should also know how to remove the CUI to meet the requirements for media sanitization. Scoping is valuable when planning a shift to a new cloud platform: it helps determine the new licensing requirements, simplifies implementation and reduces the scope of future assessments.
When migrating to a new cloud environment, you should go through the improvement, hardening, migration, and implementation processes. No cloud platform meets every required control out of the box. Therefore, complete basic hardening, including unified logging and multifactor authentication, before migrating into the new cloud platform.
What Should You Do with CMMC 2.0?
Continue your compliance journey by focusing on the requirements of NIST 800-171 and DFARS 7012, and pay less attention to CMMC 2.0 controls and unique security policies. Although Microsoft GCC High is not required for CMMC 2.0 compliance, it is necessary for handling, transmitting, and storing CUI.
There are many concerns regarding Microsoft GCC High and CMMC 2.0. Microsoft GCC High is not required for CMMC 2.0 itself; instead, it is needed to fulfill the regulations for CUI handling. Therefore, whether or not you need to be CMMC compliant, you need to migrate to Microsoft GCC High if you hold Controlled Unclassified Information. For further information about Microsoft GCC High and CMMC 2.0, visit our website today.