Due to the cybersecurity compliance requirements sweeping the U.S. defense industry, companies holding contracts with the DoD are looking for a variety of solutions to meet those requirements. One of those solutions is the Microsoft Government Community Cloud, or GCC for short.
What is Microsoft GCC & GCC High?
Simply put, Microsoft GCC and GCC High are more secure versions of Microsoft Office 365 Commercial, which is common in most office environments. More specifically, they are Microsoft’s cloud software suite of office tools that meets Department of Defense (DoD) cybersecurity requirements for contractors holding or processing controlled unclassified information (CUI), or for organizations subject to International Traffic in Arms Regulations (ITAR).
What is the difference between GCC and GCC High? GCC High is an even more secure version of GCC and is hosted on Microsoft U.S. Sovereign Cloud. Details on this Cloud are available below.
Do GCC and GCC High Help with DFARS 7012 and CMMC Compliance?
Because GCC adheres to the security controls for holding and processing CUI, DoD contractors can use the platform to inherit many, but not all, of the NIST 800-53 / 171 controls required by DFARS 7012, which helps them meet CMMC 2.0 Levels 2-3. Contractors that only need to meet CMMC 2.0 Level 1 for the protection of Federal Contract Information (FCI) can accomplish this with Microsoft 365 Commercial.
- DoD contractors can use Microsoft 365 Commercial for CMMC Level 1 compliance
- DoD contractors will need Microsoft 365 GCC for DFARS 7012 and CMMC Level 2-3 compliance
- DoD contractors will need Microsoft 365 GCC High for ITAR compliance
Below is a table from Microsoft which shows what cybersecurity compliance regulations each Microsoft 365 offering complies with:
Feature Differences Between Commercial Microsoft Office 365 vs. Microsoft GCC/GCC High
Due to the increased certification and accreditation, there are some feature differences between the typical commercial Office 365 environment and GCC High. These differences are listed below:
- Exchange Online: Integrating on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported in GCC High.
- File Sharing: While all options of SharePoint and OneDrive are available, users in GCC High will only be able to share with other organizations in GCC High. Also, non-GCC High email addresses attached to user profiles are not supported.
- Skype: Due to the required use of Public Switched Telephone Network (PSTN) for telephony, PSTN calling and conferencing services are not available in GCC High.
- Microsoft Teams: Phone System and Audio Conferencing for GCC High and DoD environments are being delivered via Direct Routing.
- Identification: Multi-factor authentication using a federated identity model enables the use of PIV and CAC cards.
- Yammer: Yammer for enterprise is not available in the GCC High and DoD environments.
Background Screening of Microsoft Staff for GCC High’s U.S. Sovereign Cloud
GCC High’s environment features high levels of security. Microsoft Office 365 staff do not have their typical access to GCC High environments. Staff members can get temporary access, but will need to pass the following background checks:
- U.S. Citizenship: Verification of U.S. citizenship
- Employment History Check: Verification of seven-year employment history
- Education Verification: Verification of highest degree attained
- Social Security Number (SSN) Search: Verification that the provided SSN is valid
- Criminal History Check: A seven-year criminal record check for felony and misdemeanor offenses at the federal, state, county, and local level.
- Office of Foreign Assets Control List (OFAC): Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions.
- Bureau of Industry and Security List (BIS): Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
- Office of Defense Trade Controls Debarred Persons List (DDTC): Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
- Fingerprinting check: Fingerprint background check against FBI databases
- Department of Defense IT-2: Staff requesting elevated permissions to customer data or privileged administrative access to Department of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation.
If you are considering using Microsoft GCC and migrating your business’s current data and office software over to GCC or GCC High, consider our Microsoft GCC High Migration Services. We’ve helped thousands of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their system to comply with current DFARS 7012 law and prepare for upcoming audits from the CMMC-AB. We’d love to help you too. Give us a call or request a consultation.