Last Updated on March 16, 2023
The following blog is a guest post from Agile IT, a CMMC Registered Practitioner Organization (RPO) and provider of CMMC-compliant Microsoft GCC High licensing, implementation, and migration services.
Article By: Sean Spicer
As CMMC (now CMMC 2.0) rolls out, moving through drafts, pilots, reviews, and the slow process of assessing the assessors, much focus has been placed on Microsoft’s Government Community Clouds: GCC and GCC High. Depending on which level of CMMC you must meet and on additional obligations such as export controls, it may become necessary to migrate to a different one of these sovereign cloud environments to meet your DFARS or CMMC requirements.
Understanding the Microsoft Sovereign Environments
Before deciding which enclave is the right one for you, you must first understand a bit about Azure Commercial and Azure Government. Azure Commercial is a global architecture, and while it can meet global requirements on data residency, it is unable to meet requirements for data sovereignty. Azure Government is built to meet the high-water marks for data sovereignty and is operated only by background-checked staff who meet US citizenship requirements.
This is important because the underlying infrastructure, including Azure Active Directory that Microsoft 365 is built on, lives in Azure. For Commercial Microsoft 365 and GCC, that infrastructure lives in Azure Commercial where there may be support personnel working around the globe to keep things working. For GCC High and DOD Microsoft environments, that infrastructure lives in Azure Government in physically segregated datacenters.
Which Environment do You Need for CMMC 2.0?
CMMC Level 1 is easy. It is meant for defense contractors who only handle Federal Contract Information (FCI). At this level, you can meet the requirements in any Microsoft cloud environment.
CMMC Levels 2 and 3 (which were Levels 3 and 5 under CMMC 1.0) are intended to protect controlled unclassified information (CUI), and as such you will need to reside in either GCC or GCC High. Nothing in CMMC 2.0 has changed those requirements: you never needed GCC High to meet CMMC 1.0; you needed it to meet the requirements of your specific CUI and business scenarios. That is because of the regulation that requires you to meet CMMC, DFARS 252.204-7012, which establishes requirements for managing CUI and includes obligations to preserve information in the event of a cybersecurity incident. Microsoft is unable to meet those requirements in its commercial environments but will meet them in BOTH GCC and GCC High.
What About Pre-Migration Gap Assessments and Scoping?
Gap assessments are critical as you prepare for a CMMC assessment, but many compliance and security providers are doing it wrong and suggesting gap assessments of your existing environment prior to migrating to GCC or GCC High. This is a waste of money and effort in almost every scenario. GCC and GCC High are not just different license types; they are completely physically separate environments that require a migration to implement. Once there, you will be starting from scratch and will need to re-implement controls in your new environment.
Even if you have an on-premises environment and are planning a hybrid deployment, a pre-emptive gap assessment will be a futile effort as much of your infrastructure will change and additional capabilities will be added.
However, it is imperative that scoping is considered prior to migration planning. You should have a good understanding of where CUI resides in your current environment, who has access to it, how it is transmitted, labeled, and protected, and how to properly remove it to meet media sanitization requirements. This is incredibly valuable while planning to move to a new cloud environment, as it can also help determine new licensing requirements, reduce the scope of later assessments, and simplify implementation.
Prior to a Gap Assessment in GCC or GCC High
Ideally, when moving into a new cloud environment, no matter which one you need, you should go through a process of implementing, hardening, migrating, and improving. No cloud environment comes out of the box meeting every control needed, and CISA has issued advisories for companies moving to the cloud to complete basic hardening prior to migrating into a new environment, with requirements like enabling multifactor authentication and unified logging.
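As an added example (not code from the original post or from Agile IT), the following PowerShell script checks the two baseline hardening items named above, unified audit logging and a tenant-wide MFA requirement, against a GCC High tenant before users are migrated in. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in administrator has the rights to read and change these settings; the environment names are Microsoft's documented values for GCC High.

```powershell
# Added example: pre-migration hardening check for a GCC High tenant.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed
# and the account used has sufficient rights to read/change these settings.

# Connect to the GCC High endpoints (these environment names are the documented ones).
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
Connect-MgGraph -Environment USGov -Scopes "Policy.Read.All"

# 1. Unified audit logging must be on before users and data arrive, so that the
#    migration itself and every later change are captured.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Output "Unified audit log ingestion is already enabled."
}

# 2. MFA: either Security Defaults or at least one enabled Conditional Access
#    policy that grants access only with MFA should exist tenant-wide.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and
                   $_.GrantControls.BuiltInControls -contains 'mfa' })

if ($securityDefaults.IsEnabled) {
    Write-Output "Security Defaults are enabled (MFA required for all users)."
} elseif ($mfaPolicies.Count -gt 0) {
    Write-Output "MFA is required by $($mfaPolicies.Count) enabled Conditional Access policy(ies):"
    $mfaPolicies | ForEach-Object { Write-Output "  - $($_.DisplayName)" }
} else {
    Write-Warning "No tenant-wide MFA requirement found (no Security Defaults, no MFA Conditional Access policy). Fix before migrating users."
}

Disconnect-MgGraph | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once in the empty target tenant and keep the output with your migration records; the same two checks make a useful control-evidence artifact for the SSP later on. Note that a Conditional Access policy listed here may still exclude groups or apps, so review the policy scope rather than relying on the count alone.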
You should attempt to meet as many compliance controls as possible prior to migrating your users and data into GCC or GCC High, but you must also consider change management challenges when doing so. Users will already be moving into a new environment with different functionality and features, and reducing productivity impacts during and after the move should be a top priority. One example of this is training users on Data Loss Prevention tools and unified labeling. Both are great tools and vastly simplify both the user experience and organizational control over the flow of CUI; however, users must understand how they work.
Update Your SSP and POAM
While CMMC will not allow POAMs during assessments, that does not reduce their importance in creating your path to a secure environment. One of the biggest benefits of a cloud environment for CMMC is the shared responsibility model. Microsoft has identified and cataloged 786 actions needed to meet CMMC Level 3 in Microsoft 365. However, because Microsoft 365 is, at its core, a SaaS platform, many of these actions have already been completed by Microsoft in architecting their solution, leaving only 388 for the customer to complete.
Closing the Gap
Knowing that Microsoft has put in much of the work in building a secure and compliant architecture for their solutions, you now need to understand which actions have been taken and which ones remain for your organization to complete. Fortunately, Microsoft has provided a number of very useful tools for this purpose.
- Microsoft Compliance Manager has pre-built compliance templates for frameworks ranging from NIST CSF to CMMC Level 3. While the NIST 800-171 and CMMC templates are premium templates in commercial, costing $2500/month, they are included with a GCC High tenant with Microsoft 365 E5 or Microsoft Compliance E5 add-on licensing. Compliance Manager provides an easy-to-use catalog of controls and actions needed to secure your environment, and while it lacks some features of more dedicated Governance, Risk, and Compliance (GRC) tools, the work Microsoft has done to document their own environment makes it an important tool for generating your own SSP.
- The Microsoft Service Trust Portal is where you can find all of Microsoft’s public compliance evidence and reports, including their FedRAMP SSPs and DFARS Attestation of Compliance, which you should have on hand and be familiar with prior to your assessment, though I bet you would be hard-pressed to find an assessor who is unfamiliar with Microsoft.
- Audit reports and certificates for Azure and Azure Government include all of the documentation available to government customers in the FedRAMP Marketplace and can be accessed from the Azure Audit Reports blade or the Azure Government Audit Reports blade.
Choosing a GCC High Implementor and Compliance Consulting Partner
When selecting a provider for GCC High, it is important to inquire into their methodology, the controls they enable and configure, and what the deliverable end state will be for your GCC High environment. Be wary of companies that provide “stand-alone” licensing without advising on what specific licensing is required to enable all of the functionality needed to meet your DFARS and CMMC requirements. If using a Microsoft partner to implement and/or migrate into GCC High, your quote or statement of work should clearly state how they deliver documentation and how they will meet your requirements. Remember, your contracts are at stake, and with recent statements from the Department of Justice regarding the use of the False Claims Act to add teeth to existing cybersecurity regulations, the risk could be existential.
Your compliance consulting partner should be familiar with Microsoft 365, Azure Government, and the Government Community Clouds, or be backed by a Microsoft AOS-G partner with the right set of competencies and team members to ensure that no gaps are left open and that your pre-assessment activities are efficient and complete.