In my organization I find that there's a lot of confusion and concern surrounding CUI, CMMC (L3-L5 requirements), and the rationale for choosing "GCC High" over "Commercial" 365 licensing.
Here's a comment I received from a colleague just the other day:
Is it Microsoft's direction to industry that in order to obtain CMMC level 3 certification in a Microsoft Cloud environment, it will require both Azure Government and M365 GCC High implementation? ... if you read the DOD Instruction 5200.48, NOFORN is a distribution marking which may be added to CUI, C, S, TS, TS/SCI. CUI is not NOFORN by definition, plus not all ITAR Defense Information is CUI - a significant portion of ITAR Defense Information is held commercially as Corporate Proprietary Information. I hold ITAR information by virtue of my service in the army, nuclear weapon construction and Joint C4I System engineering; by ITAR Definition the know-how in my head is ITAR Controlled.
The pursuit of the CMMC L3-5 in the current atmosphere is like traveling the Yellow Brick Road to get an audience with the Great Wizard, Oz, to ask for a miracle. I'm the 'Scarecrow' in the 'Wizard of Oz,' as I need more brains than I've got if I'm going to pose answers to chicken-and-egg scenarios like the above from my colleague.
Like the Tin Man who's lacking a heart, I'm more concerned about ensuring that the work we do to prepare for CMMC L3 is going to pay off, as we are implementing the various controls to the best of our abilities and know-how. It's discouraging to imagine that all our good work can go down the drain and need to be reworked in a new O365 tenant and a new Azure tenant based on "GCC High" and in "Gov cloud."
To round it out, I'm the 'Cowardly Lion' in need of courage such that I am able to provide guidance that sets forth a mandated line in the sand. As a cowardly lion bolstered by confidence in my sources, I will create a vetted road map that leads us safely down the yellow brick information super-highway, keeping us safe from the wicked witch of chicken-and-egg debates.
Oh Great Oz (Ozes?), what are the sources of guidance that give us small DIB contractors brains, heart, and courage enough to create a standards-based approach to CUI, O365 licensing, and Azure landing zone type (gov cloud) such that we can achieve CMMC L3 compliance? Oh, while avoiding the chicken-and-egg witches out there.
Thanks in advance for granting me an audience.