SOLVED

CMMC "Voluntary" compliance


All agencies are required to comply with CMMC, not just DoD, so I am trying to figure out how that works if we are in the base GCC cloud versus High or DoD. What tools do we have to help ensure compliance in GCC G3 and/or G5?

Best Response confirmed by Sarah.Gilbert (Community Manager)
Solution

@Jeremy Wood There are 2 primary topics that come to mind. First is coverage for CUI that contains ITAR and requires DFARS 7012. I lay out the argument here: https://aka.ms/CUISovereignty

If you keep GCC, you will need compensating controls in place to protect CUI.

The other topic is the pairing with Azure for IaaS & PaaS services, such as Windows Virtual Desktop and Sentinel. The natural pairing for GCC is Azure Commercial. To get coverage for Gov compliance requirements, you will want to use Azure Government (in another tenant). That has a whole host of challenges straddling tenants. Alternatively, GCC High is naturally paired with Azure Government in a single tenant.