Event banner
Event details
What would be the recommendation for an organization that does both CMMC required business and non-CMMC (commercial) business? Would this require one GCC-High tenant for CMMC and a second commercial tenant for the rest of the organization? Thanks!
- justinO
Microsoft
Hi Matthew - This is really a business decision. There are a number of factors that you need to consider as you plan for CMMC compliance. The two important factors are what types of CUI do you have (and where) and who will need to gain access to that data. We see a variety of configurations across the defense industrial base and the option you mentioned is one variation. In addition, CMMC might not be the only requirement that you have to comply with.- Thanks Justin. Follow-up question, can you elaborate on the difference between GCC and GCC-High when it comes to CUI/CMMC compliance?
- RichardWakemanHi Matthew, I do break it down in my blog. https://aka.ms/MSGovCompliance. You can also catch some of my recorded webinars on the CMMC Acceleration Program. In short, GCC High and Azure Government are purpose-built to protect all categories of CUI, including NOFORN and Export-Controlled data such as ITAR. GCC is a region of Commercial that only supports CUI Basic, not CUI Specified. See blog for more context. I also like to share https://aka.ms/CUISovereignty
- It really depends on the size of your organization. With a medium to large organization, it would be possible to create an enclave for the CUI data. But for a small organization it might just be easier to secure everything at that level regardless of whether everyone needs access to CUI.
