SysArc Helps Multinational Companies Build Microsoft GCC High Enclaves for Their U.S. Subsidiaries to Comply with CMMC

April 16, 2024 by SysArc

Large multinational companies with U.S.-based subsidiaries that provide products and/or services for the U.S. Department of Defense (DoD) are required to comply with the DoD’s cybersecurity regulation known as the Cybersecurity Maturity Model Certification, or CMMC. Because the regulation’s security controls require that access to Controlled Unclassified Information (CUI) be limited to U.S. citizens only, some multinational companies may face challenges designing their IT systems in a way that preserves their current technological and operational efficiencies while also enabling them to comply with cybersecurity regulations (CMMC, ITAR, etc.).

SysArc helps multinational companies overcome this challenge by building secure network Enclaves using GCC and GCC High, Microsoft’s secure government cloud offerings, for their U.S. subsidiaries. This article will explain what an Enclave is and how it can help multinational clients achieve CMMC compliance in the most cost-effective manner.

What is a Secure Enclave?

A secure Enclave is a separate network (domain), a subset of a larger network of users and workloads, that is segregated from the broader network infrastructure. The primary objective of establishing a secure Enclave is to confine internal access to specific datasets like CUI rather than protecting all data in the larger corporate network. In other words, an Enclave limits the scope of what needs to be protected, and therefore limits the associated costs and complexities of securing everything under the sun.

What are the Benefits of a GCC High Enclave?

A GCC or GCC High Enclave provides many important benefits including the following:

  • Reduced Financial Cost: Because the Enclave only needs to serve a segment of the overall network infrastructure, the financial cost associated with building and maintaining the resources within the segment is, in most cases, much lower than if those resources were deployed across the entire network. In short, because the resources required for the Enclave are smaller in scale, the costs are lower.
  • Easier Path to Compliance: An Enclave can be configured with many of the required security controls in mind, so once deployed you could be 75-80% compliant on day one.
  • Reduced Risk: Since the Enclave inherently reduces the amount of data, workloads and end-points to a smaller segment of the company, the cyber attack surface is reduced and the scope of proving compliance is much smaller.

Are You Considering An Enclave for Your Company?

If you’re considering using an Enclave to help your company save on the cost associated with meeting CMMC requirements, consider SysArc’s cybersecurity compliance team. Over nearly a decade, our team has helped thousands of companies in the U.S. Defense Industrial Base navigate the complexities of DFARS 7012, NIST 800-171, ITAR and CMMC. As a CMMC RPO, our expertise in GCC High Migrations and CMMC compliance preparation allows us to deliver effective solutions faster and at a lower cost than other providers in the space. To get started, request a consultation here.

Filed Under: CMMC, Microsoft Government Community Cloud

Why Standard Microsoft Office 365 Won’t Cut It For CMMC Compliance Level 2

April 5, 2023 by SysArc

Many DoD contractors are asking whether their standard commercial version of Microsoft Office 365 will be sufficient to meet CMMC requirements.

The short answer is, “it depends.” Here’s why:

  • For DoD contractors who seek to be CMMC Level 1 compliant, Microsoft 365 commercial (the standard version most offices are familiar with) will be sufficient, provided that they’ve implemented 17 basic cyber hygiene practices from NIST 800-171. This is in accordance with 48 CFR 52.204-21.
  • DoD contractors who seek to be CMMC Level 2 compliant will need to upgrade to Microsoft 365 Government Community Cloud (GCC). They will also have to make sure they have implemented all 110 controls from NIST 800-171. There are other options available; however, for those contractors that want to continue to use the Microsoft Office products they are familiar with, GCC is the best option. For contractors requiring ITAR compliance, GCC High must be used. Read about the differences between GCC and GCC High and why we advise Level 2 contractors to use GCC High here.

CMMC Level 2 requires Controlled Unclassified Information (CUI) to be stored and transmitted on data centers located within the continental United States. ITAR requires additional controls in which CUI can only be accessed by authorized U.S. citizens. Because GCC High utilizes Microsoft’s US Sovereign Cloud, it is compliant with CMMC Level 2 and ITAR. 

Below is a table showing the differences between the Microsoft platforms:

Microsoft GCC and GCC Compliance Table which shows the compliance regulations that each Microsoft cloud service complies with.

If you are considering using Microsoft GCC and migrating your business’s current data and office software over to GCC or GCC High, consider our Microsoft GCC High Migration Services. For all contractors, even those who only seek to attain CMMC Level 1, see our CMMC Preparation Services which can help make sure you are prepared for CMMC, as well as meet current DFARS law. We’ve helped thousands of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171 and CMMC.   

Filed Under: Microsoft Government Community Cloud

Do DoD Contractors Need Microsoft GCC/GCC High for DFARS, CMMC or ITAR?

February 6, 2023 by SysArc

As DoD contractors look for solutions to update their IT infrastructure to be in compliance with current DFARS law and prepare for CMMC, many are wondering whether they need Microsoft’s Government Community Cloud (GCC) offerings to meet this challenge.

The short answer is no, private sector DoD contractors are not required to use Microsoft GCC or GCC High for DFARS, CMMC, or ITAR. There are other solutions on the market that meet many of the requirements of NIST 800-171. However, in many cases it’s the best option. 

Here are the reasons why a DoD contractor might find GCC/GCC High to be their best option:

  • They already use Microsoft 365: Because a large percentage of businesses in the United States use Microsoft 365’s suite of office products, it makes sense for them to use GCC and GCC High: these are the same tools their teams are familiar with, yet on a compliant infrastructure that fulfills many of the requirements of NIST 800-171.
  • It’s mostly an all-in-one solution: Because it is an all-in-one office solution that fulfills many of the requirements of NIST 800-171, it alleviates the need for companies to “hodgepodge” many different office solutions together to meet compliance, which could increase overall costs depending on needs.
  • Their customer (DoD or a Prime) is using GCC/GCC High: Many contractors find that their customer is already using GCC/GCC High and it would be easier to communicate sensitive information with them if they are on the same platform.
  • GCC/GCC High satisfies most of NIST 800-171: Moving to GCC will fully or partially comply with approximately 75% of the NIST 800-171 controls.
  • GCC High is ITAR compliant: Moving to GCC High will fully or partially comply with approximately 75% of the NIST 800-171 controls PLUS all of their ITAR requirements.

Our Advice for DoD Contractors

There is no one-size-fits-all approach to DFARS and CMMC compliance. Every company has its own unique situation, and therefore we advise DoD contractors to work with a consultant like SysArc to find the best path forward.

Due to our expertise in helping hundreds of DIB suppliers with DFARS/CMMC compliance, our team can work with you to understand your unique situation and help you decide on the most cost-effective solution while fulfilling the most compliance requirements possible.

Next steps…

If you are considering implementing Microsoft’s Government Community Cloud (GCC) offerings, and migrating your company’s current data, consider our Microsoft GCC Migration Services. We’ve helped hundreds of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171, 800-53 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their systems to comply with current DFARS 7012 law and prepare for upcoming CMMC audits. We would love to help you too. Give us a call or request a consultation.

Filed Under: Microsoft Government Community Cloud

What’s the Difference Between Microsoft 365 GCC and GCC High?

February 2, 2023 by SysArc

Microsoft GCC and GCC High are both more robust and secure versions of the Microsoft 365 commercial platform that is typical in most modern office environments. While GCC and GCC High meet many of the requirements for DFARS 7012 and CMMC, it’s still important to know the differences and what they mean for DoD contractors who need to meet compliance regulations.

The Main Difference: US Sovereign Cloud

The main difference between Microsoft GCC and GCC High is the location of the cloud where data (CUI) is stored. Microsoft GCC High utilizes Microsoft’s US Sovereign Cloud which is located in the United States and can only be accessed by Microsoft personnel who are U.S. citizens with special clearances. On the other hand, GCC utilizes the same cloud as Microsoft Commercial and can be accessed by Microsoft’s worldwide personnel. 

Other Differences

Other differences include:

  • GCC is only compliant up to DoD CC SRG Level IL2 and is not compliant with ITAR
  • GCC High is compliant up to DoD CC SRG Level IL4 and ITAR
  • The DoD environment is compliant up to DoD CC SRG Level IL5 and ITAR

Below is a table showing the differences between the Microsoft platforms:

Microsoft GCC and GCC Compliance Table which shows the compliance regulations that each Microsoft cloud service complies with.

Source: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326

About CC SRG Levels

CC SRG stands for Cloud Computing (CC) Security Requirements Guide (SRG). There are currently four Impact Levels (IL) in use for authorization of cloud service offerings (CSO) with the DoD. Each is based on the sensitivity of the information being stored, processed, or transmitted in the CSO. 

Our Advice for DoD Contractors

For DoD contractors that are considering Microsoft’s cloud service offerings for their organization’s DFARS and CMMC compliance needs, we recommend that they choose GCC High if they have or will have ITAR requirements; otherwise they can go with the less expensive GCC solution. Larger organizations that may have a subset of personnel handling CUI might also consider building an “enclave” in GCC/GCC High rather than paying the higher license fees and migration costs for the entire company. In this scenario, you would need to set up the enclave under a separate domain name.

Due to our expertise helping hundreds of DIB suppliers with DFARS/CMMC compliance, our team can work with you to understand your unique situation and help you decide on the most cost effective solution while fulfilling the most compliance requirements possible.  

Next steps…

If you are considering implementing Microsoft’s Government Community Cloud (GCC) offerings, and migrating your company’s current data, consider our Microsoft GCC Migration Services. We’ve helped hundreds of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171, 800-53 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their systems to comply with current DFARS 7012 law and prepare for upcoming CMMC audits. We would love to help you too. Give us a call or request a consultation.

Filed Under: Microsoft Government Community Cloud

What is Microsoft GCC & GCC High? A Guide for DoD Contractors

January 23, 2023 by SysArc

Due to the cybersecurity compliance requirements sweeping the U.S. defense industry, companies holding contracts with the DoD are looking for a variety of solutions to meet those requirements. One of those solutions is the Microsoft Government Community Cloud, or GCC for short.

What is Microsoft GCC & GCC High?

Simply put, Microsoft GCC and GCC High are more secure versions of Microsoft Office 365 Commercial, which is common in most office environments. More specifically, they are Microsoft’s cloud software suite of office tools that meet Department of Defense (DoD) cybersecurity requirements for contractors holding or processing controlled unclassified information (CUI), or those organizations subject to International Traffic in Arms Regulations (ITAR).

What is the difference between GCC and GCC High? GCC High is an even more secure version of GCC and is hosted on Microsoft U.S. Sovereign Cloud. Details on this Cloud are available below. Learn more about the differences here.

Do GCC and GCC High Help with DFARS 7012 and CMMC Compliance?

Due to GCC’s adherence to the security controls for holding and processing CUI, DoD contractors can use the platform to inherit many, but not all, of the NIST 800-53 / 171 controls required of DFARS 7012 and help them meet CMMC 2.0 Levels 2-3. For contractors that only need to meet CMMC 2.0 Level 1 for the protection of Federal Contract Information (FCI), they can accomplish this with Microsoft 365 Commercial.  

In summary:

  • DoD contractors can use Microsoft 365 Commercial for CMMC Level 1 compliance
  • DoD contractors will need Microsoft 365 GCC for DFARS 7012 and CMMC Level 2-3 compliance
  • DoD contractors will need Microsoft 365 GCC High for ITAR compliance

Below is a table from Microsoft which shows what cybersecurity compliance regulations each Microsoft 365 offering complies with:

Microsoft GCC and GCC Compliance Table which shows the compliance regulations that each Microsoft cloud service complies with.

Source: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326

Feature Differences Between Commercial Microsoft Office 365 vs. Microsoft GCC/GCC High

Due to the increased certification and accreditation, there are some feature differences between the typical commercial Office 365 environment and GCC High. These differences are listed below:

  1. Exchange Online: Integrating on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported in GCC High.
  2. File Sharing: While all options of SharePoint and OneDrive are available, users in GCC High will only be able to share with other organizations in GCC High. Also, non-GCC High email addresses attached to user profiles are not supported. 
  3. Skype: Due to the required use of Public Switched Telephone Network (PSTN) for telephony, PSTN calling and conferencing services are not available in GCC High.
  4. Microsoft Teams: Phone System and Audio Conferencing for GCC High and DoD environments are being delivered via Direct Routing.
  5. Identification: Multi-factor authentication using a federated identity model enables the use of PIV and CAC cards.
  6. Yammer: Yammer for enterprise is not available in the GCC High and DoD environments.

Background Screening of Microsoft Staff for GCC High’s U.S. Sovereign Cloud

GCC High’s environment features high levels of security. Microsoft Office 365 staff do not have their typical access to GCC High environments. Staff members can get temporary access; however, they will need to pass the following background checks:

  • U.S. Citizenship: Verification of U.S. citizenship
  • Employment History Check: Verification of seven-year employment history
  • Education Verification: Verification of highest degree attained
  • Social Security Number (SSN) Search: Verification that the provided SSN is valid
  • Criminal History Check: A seven-year criminal record check for felony and misdemeanor offenses at the federal, state, county, and local level.
  • Office of Foreign Assets Control List (OFAC): Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions.
  • Bureau of Industry and Security List (BIS): Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
  • Office of Defense Trade Controls Debarred Persons List (DDTC): Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
  • Fingerprinting check: Fingerprint background check against FBI databases
  • Department of Defense IT-2: Staff requesting elevated permissions to customer data or privileged administrative access to Department of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation.

Next steps…

If you are considering using Microsoft GCC and migrating your business’s current data and office software over to GCC or GCC High, consider our Microsoft GCC High Migration Services. We’ve helped thousands of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their system to comply with current DFARS 7012 law and prepare for upcoming audits from the CMMC-AB. We’d love to help you too. Give us a call or request a consultation.

Filed Under: Microsoft Government Community Cloud

SysArc Provides Microsoft GCC/GCC High Licensing Through AOS-G Partner Program

January 1, 2023 by SysArc

We’re proud to announce that SysArc is now an approved AOS-G Partner for Microsoft Government Cloud, or GCC. The partnership allows SysArc to offer GCC and GCC High licensing to its private Department of Defense (DoD) customers as these organizations must purchase GCC licenses through an approved vendor.

“Since the very beginning of DFARS in 2017, our team has been dedicated to helping our customers meet compliance requirements so they can continue to offer their products and services to the DoD without issue,” says Tim Brennen, CEO of SysArc. “This approved partnership through Microsoft gives us the ability to provide more options as we help them navigate the complexities of CMMC and DFARS,” he adds.  

What Is The Microsoft AOS-G Program?

The Microsoft Agreement for Online Services – Government (AOS-G) program was created so that commercial private organizations under 500 seats, such as DoD contractors subject to DFARS and CMMC, can purchase Microsoft Government Community Cloud (GCC) licenses.  

Are You a DoD Contractor Considering GCC for CMMC Compliance?

If you’re a DoD contractor considering migrating your organization’s data to Microsoft GCC or GCC High to meet CMMC compliance Level 2-3, feel free to give SysArc a call or request a consultation. We’d love to walk you through our processes for GCC Migration and CMMC preparation services. We’ve helped thousands of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171, 800-53 and CMMC.

Filed Under: Microsoft Government Community Cloud
