Unlock the Power of CMMC 2.0 with GCC High

Do You Need It?

The answer: Nope. You read that correctly – Government Community Cloud High, aka GCC High, is not necessary for CMMC 2.0, not even at Level 3.

But wait, there’s more. GCC High might just be the missing piece to unlock a world of possibilities. Get ready to dive into the perfect cloud solution for your CMMC compliance, because we’re about to make it crystal clear!

Unlock the Power of GCC High: Discover the Reasons Behind its Necessity

If you’re in the business of managing, creating, or holding any of the following types of information, then get ready for GCC High. This is not an exhaustive list of the information types that require GCC High, but these are the types that will always require it:

  • Export Controlled CUI
  • International Traffic in Arms Regulations (ITAR)
  • Export Administration Regulations (EAR)
  • Specified CUI that requires US Sovereignty
    • Controlled Defense Information
    • Nuclear Information (FERC/NERC)
    • NASA
    • CUI marked NOFORN
  • Criminal Justice Information Systems (Federal)

Understanding Microsoft 365 for CMMC 2.0

GCC and GCC High are the environments Microsoft recommends for meeting customers’ DFARS 7012 requirements. If you are subject to DFARS clause 7012, GCC is necessary. If you have information with sovereignty, export control, or US citizenship requirements, GCC High is recommended.

When considering the cloud instance necessary for meeting CMMC requirements, it is essential to have a clear understanding of CMMC 2.0 and the underlying compliance requirements.

Federal Contract Information (FCI) is addressed in Federal Acquisition Regulation 52.204-21, which includes 15 information safeguarding requirements. These were codified as a subset of NIST 800-171 in CMMC 1.0 Level 1, with 17 controls. It is important to note that there were no new requirements; the additional 2 controls were simply a clarification of existing controls for compliance purposes.

DFARS Clause 252.204-7012 was implemented in December 2017, requiring contractors managing CUI and Covered Defense Information to adhere to NIST 800-171. Organizations were given a 12-month period to meet NIST 800-171 and document their compliance with a system security plan (SSP) and a POAM. DFARS 7012 also introduced a cyber incident reporting requirement, including the preservation and protection of relevant monitoring and packet data for 90 days.

From 2017 until November 2020, ongoing cyber-incidents and theft of intellectual property from the defense industrial base indicated that self-assessment of cybersecurity based on NIST 800-171 was inadequate. As a result, CMMC 1.0 was officially established in DFARS 7021, which mandated third-party assessments for the entire defense industrial base.

The Department of Defense conducted an internal review of CMMC due to its complexity and added cost. In November 2021, CMMC 2.0 was introduced to simplify compliance, reduce cost, and mitigate the risk of excluding small businesses from the defense supply chain. However, it had no impact on DFARS, ITAR, and other frameworks that mandate GCC and GCC High.

What is the significance of CMMC 2.0 for GCC High?

CMMC 2.0 does not change the compliance requirements that CMMC supports. The use of GCC or GCC High is still necessary. DFARS 7021 is expected to be amended to adjust CMMC requirements and timeline, but DFARS 7012 will still be in place. GCC High was not required for CMMC 1.0, but it was needed for specific CUI and business scenarios.

What actions should be taken regarding CMMC 2.0?

Embark on your journey towards compliance! While diving into the core requirements of NIST 800-171, don’t let the unique security policies and controls from CMMC 1.0 steal the spotlight. Meeting NIST 800-171 is still essential. And remember, the recent DOJ initiative is cracking down on cybersecurity fraud by government contractors. So, if you’ve neglected your obligations under DFARS 7012, you’re right in their crosshairs.

Get Help From Intech Hawaii for your CMMC Needs

You do not have to figure out your compliance needs on your own. This is a daunting task. Intech Hawaii can do these things for you:

  • We analyze your network and determine your pre- and post-NIST 800-171 Self-Assessment Score.
  • We evaluate the requirements for your CMMC Compliance.
  • We implement a plan of action to prepare you for CMMC.


Contact us and we’ll help you through CMMC Compliance.