Forum Discussion
CMMC "Voluntary" compliance
- Aug 25, 2020
Jeremy Wood There are 2 primary topics that come to mind. First is coverage for CUI that contains ITAR and requires DFARS 7012. I lay out the argument here: https://aka.ms/CUISovereignty
If you keep GCC, you will need compensating controls in place to protect CUI.
The other topic is the pairing with Azure for IaaS & PaaS services, such as Windows Virtual Desktop and Sentinel. The natural pairing for GCC is Azure Commercial. To get coverage for Gov compliance requirements, you will want to use Azure Government (in another tenant). That has a whole host of challenges straddling tenants. Alternatively, GCC High is naturally paired with Azure Government in a single tenant.