Microsoft Government CMMC AMA
Event details
We want to hear from our customers and answer their questions about how we can help them achieve CMMC compliance with their Microsoft Azure and Microsoft 365 subscriptions. We will be hosting an "Ask Microsoft Anything" (AMA) session on Tuesday, April 12th from 10:30 AM - 11:00 AM PST here and answering questions in the comments below.
This event is open to all Tech Community members, and we'll have Microsoft product experts standing by to provide answers.
Feel free to post your questions about CMMC anytime in the comments below beforehand if that fits your schedule or time zone better, though questions will not be answered until the live hour.
Please note: This AMA is only to answer questions regarding achieving CMMC compliance with our Microsoft products, including Microsoft Azure and Microsoft 365.
98 Comments
- Cecil C. Achord
Copper Contributor
The greatest barriers to GCC High: None of the Business SKUs are in there, for one, so the cost to go to E SKUs plus the GCC High price premium. The other being the cost/time/effort of migration. If you are already in 365 commercial, this cloud-to-cloud migration should be something that can happen internally, without additional cost, without additional time or effort. I remember seeing something about migration of older .com GCC High tenants to newer .us tenants; it was like a something-to-Fairfax migration (I couldn't find the source), so we know some internal magic is possible. Also, DUO does not work with it without federating with DUO proxy rather than the conditional access method we use now. Also, we would like to be able to authenticate with FIDO2 keys into our computers as well as 365, etc., in which case we could get rid of DUO. I personally would also like to know from a lawyer what the consequences of not going to GCC High are, especially with DFARS 7012 and export controlled data. Also, I would like to know from a lawyer just what a company risks by not going with GCC High, with or without Export Controlled Data.
- LisaHaywood
Microsoft
There is nowhere in the regulatory guidance that states you must use GCCH. Compliance and how a company solves for this is based on your organization's interpretation of the requirements that are stated in your mission owner contracts. Microsoft has built solutions to help customers meet their CMMC compliance goals through our cloud and product offerings. Many DIBs will often choose GCCH because of the attestations Microsoft commits to, i.e. ITAR/EAR, Data Sovereignty, U.S. Persons, amongst others. Ultimately, it is up to a company to decide which cloud makes most sense for them and how much risk they are willing to offload in the shared responsibility model of using an Online Service Provider.
- Cecil C. Achord
Copper Contributor
DFARS 204.252-7012 requires cloud services that store, process, or transmit CUI to be FedRAMP Moderate equivalent plus meet a set of additional forensic data requirements. If any of your CUI is Export Controlled, the US Citizen requirement and data sovereignty requirement applies. I just don't know how seriously people are taking the DFARS clauses in general, but this is the clause that is calling out NIST 800-171 in the first place, which of course CMMC was created from, as the DoD was noticing no one was anywhere on NIST 800-171 compliance since they allowed self-attestation and POAMs. I know of no one currently that has a NIST 800-171 or CMMC requirement that didn't originate from the DFARS 7012 clause. Wouldn't that be a hard requirement based on Microsoft's own promises? I hear people all the time saying "but you don't have to be in if you decide 'how much risk'". What are we talking about? It's only a problem if there is an incident? Again, what are these risks? Contract gets shut down or someone has to wear an orange jumpsuit? Who goes to jail? "There is nowhere in the regulatory guidance that states you must use GCCH" contradicts the language in the DFARS 7012.
- NCJayG
Copper Contributor
Many of us in HigherEd are grappling with the idea that we only need a small Azure or 365 tenant for compliant use, and that many of our users would only need to be there temporarily, but it would appear that it's not at all easy to move users in and out on an as-needed basis. It is not desirable from either a cost basis or a usability standpoint to move everything into FedRAMP offerings. So, what does Microsoft suggest as the right path forward?
- RichardWakeman
Microsoft
Howdy Jay. This is a common concern many grapple with. Many FFRDCs & UARCs must swivel seat with the University accounts. We recommend you find a solid line of demarcation for the user population affiliated with the research center and give them accounts in GCC/GCCH. It's essentially lifting the watermark for compliance on the entire research center, swivel seating with the University accounts. Interestingly enough, it's "going all in" for the research center, but in context of the specific user population. That includes having the user devices managed from GCC/GCCH as opposed to Commercial. We recommend you set up a separate pane of glass (e.g. VDI) to access the commercial-side Uni account. I rationalize this here: https://aka.ms/AA6frar. Any customers we see try and move users in and out of GCC/GCCH tend to gravitate towards what I describe.
- NCJayG
Copper Contributor
Unfortunately for many of us that would mean moving in our entire graduate student population, and that's simply not feasible.
- Jay Leask
Brass Contributor
Looking forward to tomorrow's AMA! The CMMC landscape has gone through some major changes and I can't wait to see how MSFT is prepping for what's next!
- Justin_Orcutt
Microsoft
Hi Jay - We are looking forward to having you participate. To learn more about the changes and Microsoft's approach, visit Microsoft CMMC Acceleration Update (March 2022): https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-cmmc-acceleration-update-march-2022/ba-p/3258999