Do You Need GCC High to Be CMMC DoD Compliant?

Do You Need GCC High to Be CMMC DoD Compliant?

Contractors and subcontractors working for the US Department of Defense (DoD) are required to comply with security regulations such as the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC). This is to ensure that they have the proper security protocols in place to safeguard controlled unclassified information (CUI). But what threats do they need to protect against?

Phishing Is the Biggest Threat

Contractors and subcontractors working in an unsecured email environment leave themselves open to the most common way hackers steal data — phishing. According to a Cyber Defense Magazine blog article, about 43% of cyberattacks target small- and mid-sized businesses, including DoD contractors. Ninety-one percent of those attacks were done using a phishing email.

As such, DoD contractors and subcontractors are looking to the cloud to increase their cybersecurity measures against phishing attacks. This is where Microsoft Government Community Cloud (GCC) High comes in. 

What Is Microsoft GCC High?

GCC High is a cloud platform that meets the strict cybersecurity requirements of NIST 800-171, International Traffic in Arms Regulations (ITAR), and the Federal Risk and Authorization Management Program (FedRAMP). GCC High is a copy of Microsoft DoD, but the former is able to operate in its own sovereign environment.

GCC High comes with all the features found in the commercial version, except for compliance manager and calling plans. In addition, several tools including Cloud App Security, Microsoft Defender ATP, and Intune are all missing certain functions because they do not meet compliance requirements.

Who Is Eligible for GCC High?

Only DoD and Defense Industrial Base (DBI) contractors and federal agencies can use GCC High. Companies hoping to avail of GCC High services need to undergo Microsoft’s validation process.

How Can You Be Validated for GCC High?

If your company has a Microsoft 365 Commercial account and you want to take it up a notch and use GCC High, you need to go through the following procedures:

  1. Requesting Validation

You need to contact Microsoft and ask for validation as a Category 3 entity.

  1. Providing Relevant Documents

You should present a sponsor letter or a signed contract as proof of eligibility.

  1. Requesting for a GCC High License

To do this, you need to work with an Agreement for Online Services for Government (AOS-G) partner. An AOS-G partner is a managed IT services provider from whom you can purchase a Microsoft 365 license directly.

Do You Need GCC High to Be CMMC DoD Compliant?

GCC High is not included in the list of CMMC DoD compliance requirements. Even though it's the only version of Microsoft 365 that complies with the reporting requirements stated in DFARS 7012, you do not need GCC High to get a CMMC DoD certificate specifically for CMMC levels 1 and 2. However, if your organization is looking to become certified at level 3 or higher, there is a clause in the contract for DFARS 7012. Microsoft GCC High is the only reporting platform within Microsoft 365 and Office 365 that meets the requirements for DFARS 7012. Therefore, if your company is looking to become level 3 certified, and you use Office 365 or Microsoft 365, you will need GCC high to be compliant.

GCC High not required for CMMC levels 1 and 2

What Do You Need to Be CMMC DoD Compliant?

If you want your company to be CMMC DoD certified, you need to be familiar with the CMMC model. This model features a tiered system with five levels that determine a contractor's maturity based on the complexity of their cybersecurity policies and processes. DoD contractors and subcontractors looking to attain compliance need to meet a set of requirements based on the CMMC level assigned to them by the DoD. Here's what each CMMC maturity level looks like.

Level 1: Basic Cyber Hygiene

All contractors and subcontractors working for the DoD should be at least Level 1 certified. This level requires the implementation of NIST SP 800-171 controls and the observation of basic cyber hygiene such as changing passwords regularly and using the latest antivirus software to keep federal contract information (FCI) secure.

Level 2: Intermediate Cyber Hygiene

Level 2 requires contractors to implement an additional 46 NIST SP 800-171 controls on top of the 17 Level 1 controls. Contractors must also document their cybersecurity policies and protocols used to protect CUI.

Level 3: Good Cyber Hygiene

Level 3 is where contractors are allowed to generate and handle CUI. The final 47 NIST SP 800-171 controls need to be implemented to be certified at this level. In addition, the implementation of cybersecurity policies for protecting CUI is necessary to achieve a Level 3 certificate.

Level 4: Proactive

At Level 4, contractors should have a proactive cybersecurity policy that is constantly reviewed and upgraded to handle advanced persistent threats.

Level 5: Progressive

The final and highest level of the CMMC model is Level 5. At this level, contractors should implement state-of-the-art cybersecurity measures to detect and stop sophisticated threats.

After meeting the appropriate CMMC level requirement, your company needs to pass a CMMC audit. The audit can only be performed by a certified third-party assessor organization (C3PAO) recognized by the CMMC accreditation body.

To ensure you have a high chance of passing your CMMC audit, partner with a trusted managed IT services provider that can conduct a gap assessment like Charles IT. A gap assessment is a vital step to achieving CMMC DoD compliance because it will help you identify the processes and controls your company needs to improve on. 

Once we've identified gaps and weak spots in your cybersecurity infrastructure, we'll provide you with a remediation plan to address the issues and ensure you pass your CMMC audit. Start your gap assessment now!

New call-to-action