March 16, 2023

Last Updated on March 16, 2023

Should My DIB Org Be on a Microsoft 365 “Government Cloud”?
The US government is increasingly focused on protecting Controlled Unclassified Information (CUI) when it resides with non-federal organizations. Businesses in the US Defense Industrial Base (DIB) that handle CUI must meet especially strict security criteria as specified in the DFARS clauses in their contracts mandating compliance with the NIST 800-171 and/or Cybersecurity Maturity Model Certification (CMMC) standards.


A key compliance concern for many SMBs in the DIB is cloud hosting of applications that will store, transmit, and/or process CUI, such as Microsoft 365. If your DIB org is contractually obligated to protect CUI, does that mean you need to migrate some or all of your commercial Microsoft 365 environment to a “government cloud”?


In a word, yes. The next question is, which one? This post explains the alternatives.

3 different Microsoft 365 hosting platforms
At the moment, Microsoft has three Microsoft 365 hosting platforms:

  • The commercial version that hundreds of thousands of SMBs worldwide rely on
  • The Government Community Cloud (GCC), which is widely used by US government organizations and other that need to meet a FedRAMP Moderate security level
  • GCC High, which is reserved for defense suppliers and US federal agencies that need to meet a FedRAMP High security level


Which platform do we need?

Which platform you need depends on what CUI you handle. If your DoD contract says you handle CUI and/or contains a Defense Federal Acquisition Regulation Supplement (DFARS) 7012, 7019, 7020, and/or 7021 clause, then you need to move to GCC for compliance with NIST 800-171 or for CMMC certification.


If you have requirements in your contract to protect the most sensitive types of CUI, such as International Traffic in Arms Regulations (ITAR) data or other export controlled data, then you need to be on GCC High. Microsoft also officially recommends that orgs looking to achieve a CMMC V2 Level 3 (analogous to CMMC V1 Level 4-5) certification (which remains undefined as of this writing) should move to GCC High.


A key difference with GCC High is that its servers reside in a separate environment from GCC, which is entirely within the continental US. Microsoft carefully reviews which orgs can move to GCC High. Likewise, all GCC High support staff are US persons working within the US and who have passed the necessary background checks.


Ask your contract officer

If you have questions about the security level required to fulfill your DoD contract, it’s highly recommended to connect with your government program office or contract officer, or your prime contractor. There are about 125 categories of CUI, of which defense information is a small subset.


In the end, it’s all about your contract and the program it relates to. When in doubt about what CUI you are receiving and/or generating, how to label or mark it, and especially the security controls mandated to protect it, your contract and the people behind it can help you decide.


If there’s still unclarity, consider connecting with a service provider that can help you identify CUI and decide what controls you need to safeguard it.


What’s next?

For more guidance on this topic, listen to Episode 113 of The Virtual CISO Podcast with guest Conrad Agramont from Agile IT.

CMMC Assessment Checklist - Pivot Point Security

Download CMMC Assessment Checklist - Pivot Point Security.