GCC or GCC High required for CMMC L3?

Do we need to upgrade our CMMC in-scope users from Office 365 commercial to Office 365 GCC or Office 365 GCC High to obtain CMMC Level 3? (https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-us-sovereign-cloud-myth-busters-...)

3 Replies

To add to @MichaelKing's question, will organizations be required to purchase separate licenses for the CMMC in-scope users vs. the rest of the users in the organization?

best response confirmed by Sarah.Gilbert (Community Manager)
Solution

@MichaelKing This is a question I see many in the DIB struggle with. I even wrote a blog on it.

https://aka.ms/AA6frar "The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In"

 

Ultimately, cybersecurity frameworks like CMMC are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. Accordingly, the current intent is to achieve compliance for all Microsoft cloud-based products and services that are in scope for DIB customers, alongside FedRAMP, NIST 800-53, NIST CSF, DISA SRG, etc. 

 

While commercial environments will be compliant, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies are best aligned with Azure Government and Microsoft 365 GCC High for data handling of CUI aligned with CMMC Level 3+. It will be a risk decision for your organization to decide on what high watermark for compliance matches your risk tolerance. 

@HaranStark The question is whether your organization decides to straddle commercial or to wholesale migrate to GCC High. I often find that companies that straddle end up having to "swivel seat," as I call it. This means that you have 2 separate end-points, 2 separate environments isolated from each other, and of course 2 M365 licenses per person to swivel seat. It's a hard requirement for many organizations, but it can be more expensive than just wholesale migrating to GCC High and achieving the higher watermark for compliance.
