You do NOT need GCC High to Meet CMMC
That’s correct, you do not need GCC High to meet CMMC. There are no requirements in the Cyber Security Maturity Model Certification (CMMC) that require GCC High. HOWEVER, if you handle Controlled Unclassified Information (CUI), you will need GCC High.
To understand why, you need to understand the history of how we got to CMMC.
Federal Acquisitions Regulation (FAR)
FAR was introduced in 1979, and was an attempt to create an easier, more streamlined way for the government to acquire goods and services. Its goals were to assure competition, create common contracting methods, and set out mandatory clauses that must exist in every federal contract.
Ironically, the Government Accountability Office, in 2006 published a 38 page “highlights” whitepaper than came to the conclusion that the FAR was so complex that it actually limited competition for federal contracts.
What is most important to us is that there are differences in the ways that various federal agencies must buy things, and so almost every cabinet level department, like the Department of Agriculture, and many agencies like the FDA, have their own supplements to the FAR. The one we are most concerned about? The Defense Federal Acquisition Regulation (DFARS).
The Defense Federal Acquisition Regulation Supplement(DFARS)
In 2010, The DOD published their supplement to the FAR. Like FAR, DFARS is not just about cybersecurity, rather it talks about things like Labor protection, mandatory clauses in contracts, penalties, and competition. It is VERY important to note that DFARS does not replace FAR, it supplements it.
DFARS Clause 252.204-7012
On December 21st 2017, DFARS Cybersecurity clause 252.204-7012 went into effect, requiring compliance with NIST 800-171. Additionally, it laid out some specific rules around responding to a cybersecurity incident. These requirements include preserving systems and images of all information systems for 90 days. Again, DFARS 7012 did not replace FAR or DFARS, it supplemented it.
Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—
(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.
(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.
(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.
(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.
Why DFARS 7012 requires CMMC
There is no possible way to meet paragraph (e) in Microsoft 365 Commercial. In addition to all of the additional compliance features in GCC High, it is the only Microsoft cloud environment where you can meet DFARS. GCC Moderate does meet DFARS, but there is no contractual flow down, which means that in the event of an incident Microsoft can provide the required response, but they do not provide that same level of service to customers in that environment. You can learn more about this in out blog on Microsoft’s Compliance Capabilities Across GCC, GCC High and Commercial
DFARS Clause 252.204-7021
On November 30, 2020 the DOD amended DFARS with clause 7021, which set out a timeline for CMMC to be rolled out. For the first time, cybersecurity would require a 3rd party assessment. However, it also added the immediate requirement that contractors perform a self-assessment against the 110 controls in NIST 800-171 and submit it to the DOD Supplier Performance Risk System prior to renewing or being awarded any new contracts. A reminder here, DFARS 7021 did not remove or revoke any part of FAR or DFARS, it expanded it.
The Cybersecurity Maturity Model Certification (CMMC)
CMMC is a maturity model, with a series of five levels that build upon each other. Levels 1 and 2 are meant to protect Federal Contract Information (FCI) (As regulated by FAR), while Levels 3, 4, and 5 are meant to defend Controlled Unclassified information (CUI). CMMC does not include the reporting requirements of DFARS 252.204-7012 in it’s practices, yet it is still contractually required. This is important, because it allows CMMC to be applied to other agencies and industries. The federal government added CMMC requirements for the STARS III contract (which is not DOD specific) and most recently the Department of Homeland Security announced that they would be adopting CMMC for it’s contractors. Given that the scope of DFARS 7012 is limited to CUI, you can easily meet CMMC levels 1 and 2 (which are focused on FCI) in Microsoft 365 commercial.
Why You Need GCC High If You Handle CUI
While you do not need GCC High to meet CMMC at any level, the regulations that require CMMC compliance to protect CUI remain in place and DO require GCC High. Watch our video on how GCC High meets government compliance requirements for more information.
Do You Need GCC High for CMMC Compliance?
Agile IT is a CMMC-AB Registered Provider Organization, and is a Microsoft AOS-G partner capable of licensing, implementing, and managing GCC High. We have moved over 2,000,000 accounts to the cloud, hold over 15 Microsoft Gold Competencies and have been named a Microsoft Partner of the Year four times. Our government cloud advisory services can help your organization meet CMMC, NIST 800-171, DFARS compliance requirements and also commercial requirements like CCPA, PCI, and FINRA. To find out how we can help, schedule a meeting or request a quote today.