Forum Discussion
Specific clauses in CMMC Level 3 that require GCC High
- Sep 21, 2020
Howdy Sean Spicer! We do have an intended roadmap to release the Compliance Manager in Microsoft 365 Government (GCC High). It will also include templates for CMMC Level 1-5. The timeline does not have a committed date, as the CMMC program itself has been delayed, especially for Level 3+. We are cautiously optimistic to release the templates by the end of the year.
As for the requirement for GCC High. Here is my standard pitch and happy to talk to you about it in more depth. Cybersecurity frameworks are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government and Microsoft 365 Government (GCC High) have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC.
The two most commonly discussed requirements that drive our customers into Microsoft 365 Government (GCC High) are:
- DFARS 7012
- CUI containing a higher watermark for compliance (e.g. ITAR)
In other words, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies requiring CMMC Level 3+ are best aligned with Azure Government and Microsoft 365 GCC High for DFARS 7012 and for data handling of CUI. For more information, please refer to
Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings and Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty.
RichardWakeman Can you tell me where to find the customer responsibility matrix for GCC High? I have one for Moderate O365 MT, but cannot find one for GCC High. I am trying to get CMMC certified and need to make sure we implement the controls correctly. Thanks.
- RichardWakeman Oct 08, 2020
Microsoft
CaLo1 The GCC High SSP and CRM are only available today under an NDA. Please connect with me on email to align with the requirements to gain access.