In recent months, a big topic for our government-affiliated clients has been ‘I need CMMC Certification, what cloud should I operate in?’. It’s an important question, and one that can be costly with the wrong decision. While many government contractors already operate in the Microsoft cloud for office applications, let’s discuss how the GCC and GCC High cloud tenants can work in your favor to aid in the process towards CMMC Certification.
First, what is CMMC?
Cybersecurity Maturity Model Certification (CMMC) was established to enhance cyber protection standards for all U.S. Department of Defense (DoD) contractors and sub-contractors. The vision for CMMC was first introduced in September 2020, and the final model was published on October 15, 2024. It is designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) shared with the DoD. This framework replaces and builds on the NIST 800-171 standard and related DFARS clauses and will be steadily phased into all DoD contract bidding. Other U.S. Federal Agencies on the GSA Schedule will likely adopt CMMC as well. It’s anticipated there are over 300,000 contractors who will be subject to maintaining some level of CMMC Certification.
The goals of CMMC are to:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance Defense Industrial Base cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
Achieving CMMC compliance is a journey
Selecting the right cloud is one step on the journey to compliance with CMMC. The advantage of being in the Microsoft cloud, regardless of whether it’s the Government Community Cloud (GCC) or GCC High, is that you can inherit the controls that Microsoft works hard to build for compliance. This saves organizations a considerable amount of work versus having their own data centers and achieving CMMC compliance all on their own. The time to be moving towards compliance is now. With 300,000+ contractors needing some level of CMMC, there will inevitably be a large backlog of audit work that comes with this massive initiative.
The Official CMMC Model
There are three levels to the published CMMC Model:
Level 1 has 15 standards and requires an annual self-assessment. Almost any Microsoft cloud will provide what you need for CMMC Level 1. Level 3 has 134 practices based on NIST SP 800-172 and requires a triennial government-led assessment. Fewer than 200 companies nationwide will need Level 3 certification, and this will likely require provisions beyond GCC High. It is CMMC Level 2, the advanced level, that really requires a lot of planning and decision making.
CMMC Level 2 is based on the NIST SP 800-171 practices. In most instances, Level 2 certification involves a triennial third-party assessment from a C3PAO (CMMC Third Party Assessment Organization), and in some cases, a self-assessment. Level 2 is required for any government contractor who generates or receives CUI (Controlled Unclassified Information).
GCC vs. GCC High for CMMC Level 2 Compliance
If your organization is subject to DFARS 7012 requirements, you will need to operate in either the GCC or GCC High cloud for Microsoft 365 office applications. According to Microsoft, GCC High is the recommended cloud option for CMMC Level 2. This does not mean that it is required. GCC can be acceptable for CMMC Level 2 if you do not have operational requirements for ITAR (International Traffic in Arms Regulations), EAR (Export Administration Regulations), or NOFORN (No Foreign Nationals). If any of those apply, you will need to go into GCC High.
Organizations may think it’s easier to move to GCC now and move to GCC High later, but this will result in quite a disruption to day-to-day business operations. Cloud migrations, the kind that Arctic IT performs daily, require a lot of work and some downtime. Unfortunately, Microsoft doesn’t have a way to just ‘flip a switch’ and move you from Commercial to GCC or GCC High. Each move to a different cloud type requires a complete migration project. These projects require professionals with years of experience to complete successfully.
Additional considerations
Making a choice between tenant types in the Microsoft cloud is not a simple matter. There are different licensing costs associated with different tenant types, which must be considered. Additionally, there is no feature parity between all three tenant types. Typically, the newest features are released first in the Commercial Cloud, then GCC, and finally GCC High. Features are constantly evolving, so organizations need to evaluate whether necessary features are available in their desired tenant type – and if they are missing, how those will be mitigated.
To recap, if you handle basic CUI, GCC will meet your needs for CMMC Certification. If you have requirements in your government contracts for sovereignty, export control, or US citizenship, GCC High will be required.
Arctic IT can be your trusted partner in helping your organization navigate its compliance needs with cloud migration services. Arctic IT has done many migrations with little disruption to day-to-day operations while ensuring all critical data is moved successfully. We are one of a select group of Microsoft Approved AOS-G Partners with the ability to obtain licenses and access to the Microsoft 365 GCC High environment (for organizations under 500 users) and can help you determine which cloud option is best for you.
Contact us today to learn more about how the Microsoft cloud can help you prepare for CMMC with Arctic IT.
By Phillip Jackson, Chief Information Officer at Arctic IT