Many DoD contractors are inquiring about whether their standard commercial version of Microsoft Office 365 will be sufficient enough to meet CMMC requirements. 

The short answer is, “it depends.” Here’s why:

• For DoD contractors who seek to be CMMC Level 1 compliant, Microsoft 365 commercial (The standard version most offices are familiar with) will be sufficient given that they’ve implemented 17 basic cyber hygiene practices from NIST 800-171. This is in accordance with 48 CFR 52.204-21.
• For DoD contractors who seek to be CMMC Level 2 compliant, they will need to upgrade to Microsoft 365 Government Community Cloud (GCC). They will also have to make sure they have implemented all 110 controls from NIST 800-171. There are other options available, however, for those contractors that want to continue to use Microsoft Office products that they are familiar with, GCC is the best option. For contractors requiring ITAR compliance, GCC High must be used. Read about the differences between GCC and GCC High and why we advise Level 2 contractors to use GCC High here.

CMMC Level 2 requires Controlled Unclassified Information (CUI) to be stored and transmitted on data centers located within the continental United States. ITAR requires additional controls in which CUI can only be accessed by authorized U.S. citizens. Because GCC High utilizes Microsoft’s US Sovereign Cloud, it is compliant with CMMC Level 2 and ITAR. 

Below is a table showing the differences between the Microsoft platforms:

If you are considering using Microsoft GCC and migrating your business’s current data and office software over to GCC or GCC High, consider our Microsoft GCC High Migration Services. For all contractors, even those who only seek to attain CMMC Level 1, see our CMMC Preparation Services which can help make sure you are prepared for CMMC, as well as meet current DFARS law. We’ve helped thousands of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171 and CMMC.   

As DoD contractors look for solutions to update their IT infrastructure to be in compliance with current DFARS law and prepare for CMMC, many are wondering whether they need Microsoft’s Government Community Cloud (GCC) offerings to meet this challenge. 

The short answer is no, private sector DoD contractors are not required to use Microsoft GCC or GCC High for DFARS, CMMC, or ITAR. There are other solutions on the market that meet many of the requirements of NIST 800-171. However, in many cases it’s the best option. 

Here are the reasons why a DoD contractor might find GCC/GCC High to be their best option:

• They already use Microsoft 365: Due to the fact that a large percentage of businesses in the United States use Microsoft 365’s suite of office products, it makes sense for them to use GCC and GCC High because it is the same tools their teams are familiar with, yet on a compliant infrastructure that fulfills many of the requirements of NIST 800-171. 
• It’s mostly an all-in-one solution: Because it is an all-in-one office solution that fulfills many of the requirements of NIST 800-171, it alleviates the need for companies to “hodgepodge” many different office solutions together to meet compliance, which could increase overall costs depending on needs.
• Their customer (DoD or a Prime) is using GCC/GCC High: Many contractors find that their customer is already using GCC/GCC High and it would be easier to communicate sensitive information with them if they are on the same platform.
• GCC/GCC High satisfies most of NIST 800-171: Moving to GCC will fully or partially comply with approximately 75% of the NIST 800-171 controls
• GCC High is ITAR compliant: Moving to GCC High will fully or partially comply with approximately 75% of the NIST 800-171 controls PLUS all of their ITAR requirements

Our Advice for DoD Contractors

There is no one-size-fits-all approach to DFARS and CMMC compliance. Every company has its own unique situation and therefore we advise working with a consultant like SysArc, to help DoD contractors find the best path forward. 

Due to our expertise of helping hundreds of DIB suppliers with DFARS/CMMC compliance, our team can work with you to understand your unique situation and help you decide on the most cost effective solution while fulfilling the most compliance requirements possible.  

Next steps…

If you are considering implementing Microsoft’s Government Community Cloud (GCC) offerings, and migrating your company’s current data, consider our Microsoft GCC Migration Services. We’ve helped hundreds of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171, 800-53 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their systems to comply with current DFARS 7012 law and prepare for upcoming CMMC audits. We would love to help you too. Give us a call or request a consultation.

What’s the Difference Between Microsoft 365 GCC and GCC High?

Microsoft GCC and GCC High are both more robust and secure versions of the Microsoft 365 commercial platform that is typical in most modern office environments. While GCC and GCC High meet many of the requirements for DFARS 7012 and CMMC, it’s still important to know the differences and what they mean for DoD contractors who are needing to meet compliance regulations. 

The Main Difference: US Sovereign Cloud

The main difference between Microsoft GCC and GCC High is the location of the cloud where data (CUI) is stored. Microsoft GCC High utilizes Microsoft’s US Sovereign Cloud which is located in the United States and can only be accessed by Microsoft personnel who are U.S. citizens with special clearances. On the other hand, GCC utilizes the same cloud as Microsoft Commercial and can be accessed by Microsoft’s worldwide personnel. 

Other Differences

Other differences include:

• GCC is only compliant up to DoD CC SRG Level IL2 and is not compliant with ITAR
• GCC High is compliant up to DOD CC SRG Level IL4 and ITAR
• DoD is compliant up to DoD CC SRG Level IL5 and ITAR

Below is a table showing the differences between the Microsoft platforms:

Source: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326

About CC SRG Levels

CC SRG stands for Cloud Computing (CC) Security Requirements Guide (SRG). There are currently four Impact Levels (IL) in use for authorization of cloud service offerings (CSO) with the DoD. Each is based on the sensitivity of the information being stored, processed, or transmitted in the CSO. 

Our Advice for DoD Contractors

For DoD contractors that are considering Microsoft’s cloud service offerings for their organization’s DFARS and CMMC compliance needs, we recommend that they choose GCC High if they have or will have ITAR requirements, otherwise they can go with the less expensive GCC solution. Another consideration for larger organizations that may have a subset of personnel handling CUI, they might consider building an “enclave” in GCC/GCC High rather than paying the higher license fees and migration costs for the entire company.  In this scenario, you would need to set up the enclave under a separate domain name.  

Due to our expertise helping hundreds of DIB suppliers with DFARS/CMMC compliance, our team can work with you to understand your unique situation and help you decide on the most cost effective solution while fulfilling the most compliance requirements possible.  

Next steps…

If you are considering implementing Microsoft’s Government Community Cloud (GCC) offerings, and migrating your company’s current data, consider our Microsoft GCC Migration Services. We’ve helped hundreds of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171, 800-53 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their systems to comply with current DFARS 7012 law and prepare for upcoming CMMC audits. We would love to help you too. Give us a call or request a consultation.

Due to the cybersecurity compliance requirements sweeping the U.S. defense industry, companies holding contracts with the DoD are looking for a variety of solutions to meet those requirements. One of those solutions is the Microsoft Government Community Cloud, or GCC for short.

What is Microsoft GCC & GCC High?

Simply put, Microsoft GCC and GCC High, are more secure versions of Microsoft Office 365 Commercial which is common in most office environments. More specifically, it is Microsoft’s cloud software suite of office tools that meet Department of Defense (DoD) cybersecurity requirements for contractors holding or processing controlled unclassified information (CUI), or those organizations subject to International Traffic in Arms Regulations (ITAR). 

What is the difference between GCC and GCC High? GCC High, is an even more secure version of GCC and is hosted on Microsoft U.S. Sovereign Cloud. Details on this Cloud are available below. Learn more about the differences here. 

Does GCC and GCC High Help with DFARS 7012 and CMMC Compliance?

Due to GCC’s adherence to the security controls for holding and processing CUI, DoD contractors can use the platform to inherit many, but not all, of the NIST 800-53 / 171 controls required of DFARS 7012 and help them meet CMMC 2.0 Levels 2-3. For contractors that only need to meet CMMC 2.0 Level 1 for the protection of Federal Contract Information (FCI), they can accomplish this with Microsoft 365 Commercial.  

In summary:

• DoD contractors can use Microsoft 365 Commercial for CMMC Level 1 compliance
• DoD contractors will need Microsoft 365 GCC for DFARS 7012 and CMMC Level 2-3 compliance
• DoD contractors will need Microsoft 365 GCC High for ITAR compliance

Below is a table from Microsoft which shows what cybersecurity compliance regulations each Microsoft 365 offering complies with:

Source: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326

Feature Differences Between Commercial Microsoft Office 365 vs. Microsoft GCC/GCC High

Due to the increased certification and accreditation, there are some feature differences between the typical commercial Office 365 environment and GCC High. These differences are listed below:

1. Exchange Online: Support for integrating on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported in GCC High
2. File Sharing: While all options of SharePoint and OneDrive are available, users in GCC High will only be able to share with other organizations in GCC High. Also, non-GCC High email addresses attached to user profiles are not supported. 
3. Skype: Due to the required use of Public Switched Telephone Network (PSTN) for telephony, PSTN calling and conferencing services are not available in GCC High.
4. Microsoft Teams: Phone System and Audio Conferencing for GCC High and DoD environments are being delivered via Direct Routing.
5. Identification: Multi-factor authentication using a federated identity model enables the use of PIV and CAC cards.
6. Yammer: Yammer for enterprise is not available in the GCC High and DoD environments.

Background Screening of Microsoft Staff for GCC High’s U.S. Sovereign Cloud

GCC High’s environment features high levels of security. Microsoft Office 365 staff do not have their typical access to GCC High environments. Staff members can get temporary access, however will need to pass the following background checks:

• U.S. Citizenship: Verification of U.S. citizenship
• Employment History Check: Verification of seven year employment history
• Education Verification: Verification of highest degree attained
• Social Security Number (SSN) Search: Verification that the provided SSN is valid
• Criminal History Check: A seven year criminal record check for felony and misdemeanor offenses at the federal, state, county, and local level. 
• Office of Foreign Assets Control List (OFAC): Validation against the Department of Treasury list of groups whom U.S. persons are not allowed to engage in trade or financial transactions. 
• Bureau of Industry and Security List (BIS): Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
• Office of Defense Trade Controls Debarred Persons List (DDTC): Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
• Fingerprinting check: Fingerprint background check against FBI databases
• Department of Defense IT-2: Staff requesting elevated permissions to customer data or privileged administrative access to Department of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation.

Next steps…

If you are considering using Microsoft GCC and migrating your business’s current data and office software over to GCC or GCC High, consider our Microsoft GCC High Migration Services. We’ve helped thousands of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their system to comply with current DFARS 7012 law and prepare for upcoming audits from the CMMC-AB. We’d love to help you too. Give us a call or request a consultation.

We’re proud to announce that SysArc is now an approved AOS-G Partner for Microsoft Government Cloud, or GCC. The partnership allows SysArc to offer GCC and GCC High licensing to its private Department of Defense (DoD) customers as these organizations must purchase GCC licenses through an approved vendor. 

“Since the very beginning of DFARS in 2017, our team has been dedicated to helping our customers meet compliance requirements so they can continue to offer their products and services to the DoD without issue,” says Tim Brennen, CEO of SysArc. “This approved partnership through Microsoft gives us the ability to provide more options as we help them navigate the complexities of CMMC and DFARS,” he adds.  

What Is The Microsoft AOS-G Program?

The Microsoft Agreement for Online Services – Government (AOS-G) program was created so that commercial private organizations under 500 seats, such as DoD contractors subject to DFARS and CMMC, can purchase Microsoft Government Community Cloud (GCC) licenses.  

Are You a DoD Contractor Considering GCC for CMMC Compliance?

If you’re a DoD contractor considering migrating your organization’s data to Microsoft GCC or GCC High to meet CMMC compliance Level 2-3, feel free to give SysArc a call or request a consultation. We’d look to walk you through our processes for GCC Migration and CMMC preparation services. We’ve helped thousands of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171, 800-53 and CMMC.