A significant concern for our government-affiliated clients in recent months has been determining which cloud to operate in for CMMC Certification. It is a significant question, and one that can have financial consequences if not answered correctly. Government contractors who currently use the Microsoft cloud for office applications can benefit from using the GCC and GCC High cloud tenants to support the process of achieving CMMC Certification.
So, what’s CMMC?
The Cybersecurity Maturity Model Certification (CMMC) was created to improve cyber protection standards for both contractors and sub-contractors of the U.S. Department of Defense (DoD). The CMMC model 2.0, released in November 2021, is the current version of CMMC. Its purpose is to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) shared with the DoD. This framework is an enhancement of the NIST 800-171 standard and related DFARS clauses and will be gradually implemented in all DoD contract bidding. It is likely that other U.S. Federal Agencies on the GSA Schedule will also adopt CMMC. It is estimated that there are over 300,000 contractors who will need to maintain some level of CMMC Certification.
What are the CMMC goals?
- Protect sensitive information to ensure the safety and security of military personnel.
- Improve Defense Industrial Base cybersecurity to adapt to changing threats.
- Promote accountability and facilitate compliance with DoD requirements by reducing barriers.
- Work towards establishing a culture of cybersecurity and cyber resilience through collaboration.
- Maintain public trust by upholding high professional and ethical standards.
Achieving CMMC compliance is a journey
Choosing the appropriate cloud service is an important part of achieving compliance with CMMC. One advantage of being in the Microsoft cloud, whether it’s the Government Community Cloud (GCC) or GCC High, is that you can benefit from the controls built by Microsoft for compliance. This reduces the workload for organizations compared to managing their own data centers and achieving CMMC compliance independently. This is worth considering now: because a significant number of contractors, exceeding 300,000, will require some level of CMMC in the near future, a substantial backlog of audit work associated with this extensive initiative is expected.
The Updated CMMC 2.0 Model
CMMC 2.0 Level 1 includes 17 standards and an annual self-assessment is required. Almost any Microsoft cloud will provide what you need for CMMC 2.0 Level 1.
CMMC 2.0 Level 3 includes over 110 practices based on NIST SP 800-172 and requires a triennial government-led assessment. Fewer than 200 companies nationwide will require Level 3 certification, and it is likely that additional provisions beyond GCC High will be necessary. The CMMC 2.0 Level 2, which is the advanced level, requires significant planning and decision making.
CMMC 2.0 Level 2 is derived from the NIST SP 800-171 practices. Level 2 certification typically includes a third-party assessment from a C3PAO (CMMC Third Party Assessment Organization) every three years, with some instances of self-assessment. Level 2 is a necessary requirement for any government contractor who generates or receives CUI (Controlled Unclassified Information). It is generally believed that a self-assessment process will be available for contracts involving ‘less critical’ CUI. This will not be clear until the federal government publishes the final rules. To be safe, assume that CMMC Level 2 will require a third-party assessment.
GCC vs. GCC High for CMMC Level 2 Compliance
If your organization is subject to DFARS 7012 requirements, it is necessary to operate in either the GCC or GCC High cloud for Microsoft 365 office applications. Based on Microsoft’s recommendation, GCC High is the preferred cloud option for CMMC 2.0 Level 2, but this is not a mandatory requirement. GCC can be acceptable for CMMC 2.0 Level 2 if you have no operational requirements involving the items below. If any of them apply, it will be necessary to use GCC High.
- ITAR (International Traffic in Arms Regulations)
- EAR (Export Administration Regulations)
- NOFORN (No Foreign Nationals)
Organizations may consider moving to GCC now and transitioning to GCC High later, but it’s important to note that this can cause significant disruptions to daily business operations. Cloud migrations, like the ones Arctic IT undertakes regularly, require considerable effort and may involve some downtime. Regrettably, there is no straightforward method for Microsoft to transition users from Commercial to GCC or GCC High. Moving to a different cloud type requires a comprehensive migration project, and these projects call for professionals with extensive experience to ensure successful completion.
Selecting between tenant types in the Microsoft cloud can be a complex decision. Various tenant types have different licensing costs that should be taken into consideration. Furthermore, there are differences in features among all three tenant types. The newest features are typically released first in the Commercial Cloud, followed by GCC, and finally GCC High. Organizations must regularly assess the availability of necessary features in their desired tenant type and develop strategies to address any missing features.
To summarize, GCC is suitable for CMMC Certification if your needs are limited to basic CUI handling. GCC High is required if your government contracts have requirements for sovereignty, export control, or US citizenship.