08-25-2020 09:09 AM
I have gone back and forth with Microsoft Support about the need for GCC High. Below is the last interaction I had with them regarding the need for it. They had someone call me to explain it and I explained my understanding with no response, so I assume it's correct.
As I understand it and as the CMMC currently stands, knowing it is not fully finalized, we will only need GCC licenses and a sub-tenant if we are awarded a contract that has ML-4 or ML-5 requirements. However, we need to configure our primary tenant to the required ML and be certified at the level prior to bidding to show we have the capability to properly store, manage, and protect the data. If we are awarded, we then apply for the GCC tenant and will be required to pay a Microsoft Business Partner to set up the GCC sub-tenant and configure the tenant to ML-4 or ML-5, even though we have demonstrated we know how to configure it, because that is a DoD requirement. Please let me know if there are any errors in the process I have just outlined. I understand these requirements may change as the finalized CMMC version is published.
Can anyone verify this? My company is working toward ML-3, and I'm still confused as to whether we should be in a GCC High tenant. I saw those licenses available for purchase on the CMMC Marketplace site, making it appear like any DIB company could go that route.
08-25-2020 09:40 AM (Solution)
@DKernus02 A requirement for GCC High may be inferred at CMMC Level 3+ where data protection of CUI is required. Microsoft recommends the US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High) to protect CUI. I explain why in my article Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty.
Ultimately, cybersecurity frameworks like CMMC are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. Accordingly, the current intent is to achieve compliance for all Microsoft cloud-based products and services that are in scope for DIB customers, alongside FedRAMP, NIST 800-53, NIST CSF, DISA SRG, etc.
While commercial environments will be compliant, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies are best aligned with Azure Government and Microsoft 365 GCC High for data handling of CUI aligned with CMMC Level 3+. It will be a risk decision for your organization to decide on what high watermark for compliance matches your risk tolerance.
For more information, please refer to Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings and Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty.
08-25-2020 09:45 AM
@RichardWakeman Thank you for the clarification.
It appears, based on some other responses you've provided to similar postings I've been reading in this AMA, Microsoft will be providing some information in September 2020 about updated quals/reqs to move to the GCC High tenant if a DIB company desires to do so.
Is that correct?