User Profile
RichardWakeman
Joined 7 years ago
Recent Discussions
Re: Specific clauses in CMMC Level 3 that require GCC High
Howdy Sean Spicer! We do have an intended roadmap to release the Compliance Manager in Microsoft 365 Government (GCC High). It will also include templates for CMMC Level 1-5. The timeline does not have a committed date, as the CMMC program itself has been delayed, especially for Level 3+. We are cautiously optimistic to release the templates by the end of the year. As for the requirement for GCC High, here is my standard pitch, and I am happy to talk to you about it in more depth. Cybersecurity frameworks are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government and Microsoft 365 Government (GCC High) have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. The two most commonly discussed requirements that drive our customers into Microsoft 365 Government (GCC High) are:
- DFARS 7012
- CUI containing a higher watermark for compliance (e.g. ITAR)
In other words, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies requiring CMMC Level 3+ are best aligned with Azure Government and Microsoft 365 GCC High for DFARS 7012 and for data handling of CUI.
For more information, please refer to Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings and Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty.
Re: CMMC Compliance without GCC High
Hi pvalad530,
Cybersecurity frameworks are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government and Microsoft 365 Government (GCC High) have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. The two most commonly discussed requirements that drive our customers into Microsoft 365 Government (GCC High) are:
- DFARS 7012
- CUI containing a higher watermark for compliance (e.g. ITAR)
In other words, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies requiring CMMC Level 3+ are best aligned with Azure Government and Microsoft 365 GCC High for DFARS 7012 and for data handling of CUI. For more information, please refer to Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings and Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty.
Re: CMMC Acceleration Program
KenStewart, we will be releasing the CMMC Acceleration program in waves. The first wave has been delayed by several months, as the CMMC roll-out of Level 3 guidance and audits has as well. Solutions for fundamental topics such as how reciprocity will be established, and how a tenant of the Microsoft cloud will be able to inherit coverage for practices, are still a work in progress. We are collaborating with the CMMC AB and partners to establish the initial program of reciprocity. Look for that to release in a private preview in the October timeframe. It is close to availability, based on a broad set of assumptions made in analysis by Microsoft and Partners. We are highly anticipating the assessment guidance from the CMMC to release in the coming weeks as well, which will hopefully give us a clearer set of assumptions to work with. In parallel, we are working on updates to Azure Blueprints for NIST SP 800-171 to include CMMC Level 3 policy initiatives. This will incorporate into the Azure Security Center for integration with your Azure subscription(s). You may access the existing blueprint today at https://aka.ms/nist800171r2-blueprint. We are also working on Compliance Manager templates for CMMC Levels 1-5. This will complement the existing NIST SP 800-171 template available today with coverage of the Microsoft 365 product suite. We also have a roadmap and intent to make the Compliance Manager available in Microsoft 365 Government (GCC High) by the end of the year. You may learn about the existing template in Commercial at https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-overview?view=o365-worldwide. On the reference architecture front, we are working on an update to our Zero-Trust Architecture for Microsoft Azure. We plan to align this architecture with the requirements of CMMC Levels 3-5 for availability as soon as we stabilize the requirements and program of reciprocity for CMMC.
The current version is available today, and is introduced at https://azure.microsoft.com/en-us/blog/automating-cybersecurity-guardrails-with-new-zero-trust-blueprint-and-azure-integrations/. We will have more information to come as the program evolves. As for pausing your project, I recommend working with one of our CMMC partners, as they are working closely with us to build the CMMC Acceleration Program. I am also happy to answer any questions if you reach out to me by email.
Re: Protection of CUI via email
Anon414 and Anupam_K_Gupta, the big question is whether the email may have technical content or attachments that may constitute export controlled data, such as ITAR data. GCC High is where you will get contractual support for ITAR. I touch on this in Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants.
Re: CMMC "Voluntary" compliance
Jeremy Wood, there are 2 primary topics that come to mind. First is coverage for CUI that contains ITAR and requires DFARS 7012. I lay out the argument here: https://aka.ms/CUISovereignty. If you keep GCC, you will need compensating controls in place to protect CUI. The other topic is the pairing with Azure for IaaS & PaaS services, such as Windows Virtual Desktop and Sentinel. The natural pairing for GCC is Azure Commercial. To get coverage for Gov compliance requirements, you will want to use Azure Government (in another tenant). That has a whole host of challenges straddling tenants. Alternatively, GCC High is naturally paired with Azure Government in a single tenant.
Re: CMMC - does it require MFA at network login?
bkaufman, there is a strong argument that MFA is applied at the device in order to protect data on the device as well as the local area network. This is especially true for legacy authentication with applications that may not natively support MFA. We have been working with many working groups to gain clarity on the fit for Windows Hello for Business satisfying the device-based MFA, and transitive to remote networks as well.
Re: Requirements/Need for GCC High
DKernus02, a requirement for GCC High may be inferred at CMMC Level 3+ where data protection of CUI is required. Microsoft recommends the US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High) to protect CUI. I explain why in my article Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty. Ultimately, cybersecurity frameworks like CMMC are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. Accordingly, the current intent is to achieve compliance for all Microsoft cloud-based products and services that are in scope for DIB customers, alongside FedRAMP, NIST 800-53, NIST CSF, DISA SRG, etc. While commercial environments will be compliant, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies are best aligned with Azure Government and Microsoft 365 GCC High for data handling of CUI aligned with CMMC Level 3+. It will be a risk decision for your organization to decide on what high watermark for compliance matches your risk tolerance.
For more information, please refer to Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings and Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty.
Re: GCC or GCC High required for CMMC L3?
HaranStark, the question is whether your organization decides to straddle commercial or to wholesale migrate to GCC High. I often find that companies that straddle end up having to "swivel seat," as I call it. This means that you have 2 separate end-points, 2 separate environments isolated from each other, and of course 2 M365 licenses per person to swivel seat. It's a hard requirement for many organizations, but can be more expensive than just wholesale migrating to GCC High and achieving the higher watermark for compliance.
Re: GCC or GCC High required for CMMC L3?
MichaelKing, this is a question I see many in the DIB struggle with. I even wrote a blog on it: https://aka.ms/AA6frar "The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In". Ultimately, cybersecurity frameworks like CMMC are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. Accordingly, the current intent is to achieve compliance for all Microsoft cloud-based products and services that are in scope for DIB customers, alongside FedRAMP, NIST 800-53, NIST CSF, DISA SRG, etc. While commercial environments will be compliant, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies are best aligned with Azure Government and Microsoft 365 GCC High for data handling of CUI aligned with CMMC Level 3+. It will be a risk decision for your organization to decide on what high watermark for compliance matches your risk tolerance.
Re: GCC high
Landry_secure, the requirements for Category 3 eligibility have been a barrier to entry. Fortunately, there is a new process targeted to go live next month (September 2020) that should improve the experience in alignment with Government requirements for the supply chain. We will be able to share more details once it goes live.
Re: Add CMMC to Compliance Manager?
The Compliance Manager team does have a roadmap to update the NIST SP 800-171 template, and to include CMMC Levels 1-5 templates. There is not a hard schedule for release just yet, as CMMC Level 3+ is still pending guidance from the CMMC AB. It will realistically roll out in waves, beginning with CMMC Levels 1-2 initially. The same applies for Azure Blueprints in the Azure Security Center.
Re: Welcome to the Microsoft CMMC AMA!
Hi, this is Richard Wakeman joining the Microsoft team for this CMMC AMA. Thank you for participating! I am the Senior Director for Aerospace & Defense in our Azure Global engineering organization. Our team owns engineering for the sovereign clouds, to include Azure Government, Azure Government Secret, and Top Secret in the near future. I do much of the blogging for CMMC and Compliance here at Microsoft.
Recent Blog Articles
Understanding Compliance Between Commercial, Government, DoD & Secret Offerings - July 2025 Update
Understanding compliance between Commercial, Government, DoD & Secret Offerings: There remains much confusion as to what service supports what standards best. If you have CMMC, DFARS, ITAR, FedR...
Microsoft Reference Identity Architectures for the US Defense Industrial Base
The white paper “Microsoft Reference Identity Architectures for the US Defense Industrial Base” is the result of deep collaboration among the National Defense ISAC "MSCloud" Working Group. It provid...
Understanding Compliance Between Commercial, Government and DoD Offerings - September 2023 Update
Understanding compliance between Commercial, Government and DoD offerings: There remains much confusion as to what service supports what standards best. If you have DFARS, ITAR, FedRAMP, CJIS,...
History of Microsoft Cloud Offerings leading to the US Sovereign Cloud - July 2025 Update
Microsoft has evolved our cloud service offerings to include the US Sovereign Cloud with Azure Government, Microsoft 365 Government (GCC High) and DoD. This article puts the history in persp...