Why do I need to move to Microsoft 365 GCC or GCC HIGH for CMMC compliance? And what are the differences between GCC vs. GCC HIGH?
If you are asking this question, you are most likely required to meet CMMC Maturity Level 2 requirements as your organization handles Controlled Unclassified Information (CUI). In order to answer this question, it is necessary to understand where the CUI in your organization resides and what is contained within your CMMC assessment scope.
A CUI Asset is anything that stores, processes, or transmits CUI. Just as a file server that stores, processes, and transmits CUI is a CUI Asset, so is Microsoft 365 when it is used for the same purposes, along with the applications within it that store, process, or transmit CUI. And in the same way that a file server (or any other CUI Asset) used for CUI must meet all applicable CMMC Level 2 requirements, Microsoft 365 used for CUI must meet those same requirements. The problem is that the standard commercial offering of Microsoft 365 does not meet the requirements for storing, processing, or transmitting CUI. There are several reasons for this, but most of it comes down to the lack of data sovereignty (data being stored outside of the United States) and the data being accessible to Microsoft employees who are not authorized to access this sensitive information. The entire point of CMMC is to demonstrate control of the CUI in your organization's possession, and the moment CUI is stored in commercial Microsoft 365 in any capacity, such as in SharePoint, OneDrive, Teams, Outlook, or even the Microsoft Office suite, you are no longer in control of that CUI, and Microsoft does not claim responsibility for this data either. For CUI to be kept in a Microsoft 365 environment, it must reside in a specific environment that is only available to government agencies and the private organizations that do business with the government.
This is where Microsoft GCC and Microsoft GCC High come into play. However, customers looking to safeguard their CUI in either of these offerings are often confused as to which one will suit their needs and their contractual requirements. The truth is that only one of these offerings is appropriate for storing CUI, and that is Microsoft GCC High. According to Microsoft's service descriptions for Microsoft GCC, the environment provides compliance for cloud services including FedRAMP High, DFARS, and the requirements for criminal justice and federal tax information systems (CJI and FTI data types), with no mention of controlled unclassified information (CUI) or of the requirements set forth by the Department of Defense [1]. Additionally, Microsoft outwardly states the following:
“Service availability and price differ, and GCC remains the hero offering for all customers that don’t hold FedRAMP High or DoD Controlled Unclassified Information (CUI).” [2]
You may be curious why the quote above states Microsoft GCC is for customers who don’t need to store data in an environment that is FedRAMP High despite mentioning that it provides compliance for cloud services to include FedRAMP High. My best guess for this discrepancy is that Microsoft GCC may follow the requirements set forth for FedRAMP High, but the environment has not gone through the required certification process to be properly vetted and listed on the FedRAMP Marketplace. To substantiate this claim, only the following offerings by Microsoft can be found on the FedRAMP Marketplace:
Notice that only Microsoft Office 365 GCC High is listed with a High baseline and GCC is not.
Microsoft GCC High is stated to be compliant with Department of Defense Security Requirements Guidelines, DFARS, and International Traffic in Arms Regulations (ITAR) [1]. Since CMMC is only applicable to the Department of Defense at the time this article was created, it makes the most sense to use Microsoft GCC High as it is stated to be compliant with DoD security requirements whereas Microsoft GCC is not. Additionally, considering that Microsoft states that GCC is the offering to use if your organization does not handle CUI, your safest bet is to go with Microsoft GCC High if it is needed by your organization. But how do you know if your organization needs Microsoft GCC High? It’s simple. If your organization uses Microsoft 365 in any capacity to store, process, or transmit CUI then you need to migrate to Microsoft GCC High in order to continue to do so in a compliant manner.
There are considerations to keep in mind when migrating to GCC High, such as GCC High being more expensive and some features being limited. For a full comparison of the different Microsoft Government offerings, check out this article by Microsoft. There are times when using Microsoft GCC can be useful; however, if your organization uses Microsoft 365 for handling and safeguarding CUI, it is not an appropriate option.
If you wish to keep costs low and avoid upgrading to a Microsoft GCC High tenant, then you need to cut Microsoft 365 out of scope entirely. This means keeping CUI out of Microsoft 365 by forbidding your employees from using the platform for the storage, processing, or transmission of CUI.
References:
[2] https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/microsoft-365-government-how-to-buy#microsoft-365-government-eligibility-and-validation