Do You Need GCC High to Be CMMC 2.0 DoD Compliant?


Do You Need GCC High to Be CMMC 2.0 DoD Compliant?

Contractors and subcontractors working for the US Department of Defense (DoD) are required to comply with security regulations such as the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC). This is to ensure that they have the proper security protocols in place to safeguard controlled unclassified information (CUI). But what threats do they need to protect against?

Phishing Is the Biggest Threat

Contractors and subcontractors working in an unsecured email environment leave themselves open to the most common way hackers steal data — phishing. According to a Cyber Defense Magazine blog article, about 43% of cyberattacks target small- and mid-sized businesses, including DoD contractors. Ninety-one percent of those attacks were done using a phishing email.

As such, DoD contractors and subcontractors are looking to the cloud to increase their cybersecurity measures against phishing attacks. This is where Microsoft Government Community Cloud (GCC) High comes in. 

What Is Microsoft GCC High?

GCC High is a cloud platform that meets the strict cybersecurity requirements of NIST 800-171International Traffic in Arms Regulations (ITAR), and the Federal Risk and Authorization Management Program (FedRAMP). GCC High is a copy of Microsoft DoD, but the former is able to operate in its own sovereign environment.

GCC High comes with all the features found in the commercial version, except for compliance manager and calling plans. In addition, several tools including Cloud App Security, Microsoft Defender ATP, and if your company has a Microsoft 365 Commercial account and you want to take it up a notch and use GCC High, you need to go through several procedures to become a validated user.

To do this, you need to work with an Agreement for Online Services for Government (AOS-G) partner. An AOS-G partner is a managed IT services provider from whom you can purchase a Microsoft 365 license directly.

Who Is Eligible for GCC High?

Only DoD and Defense Industrial Base (DBI) contractors and federal agencies can use GCC High. Companies hoping to avail of GCC High services need to undergo Microsoft’s validation process.

How Can You Be Validated for GCC High?

If your company has a Microsoft 365 Commercial account and you want to take it up a notch and use GCC High, you need to go through the following procedures:

  1. Requesting Validation

You need to contact Microsoft and ask for validation as a Category 3 entity.

  1. Providing Relevant Documents

You should present a sponsor letter or a signed contract as proof of eligibility.

  1. Requesting for a GCC High License

To do this, you need to work with an Agreement for Online Services for Government (AOS-G) partner. An AOS-G partner is a managed IT services provider from whom you can purchase a Microsoft 365 license directly.

Do You Need GCC High to Be CMMC DoD Compliant?

This depends on the level of certification you are seeking.

GCC High is not included in the list of CMMC DoD compliance requirements for CMMC 2.0 Level 1 contracts. Even though it’s the only version of Microsoft 365 that complies with the reporting requirements stated in DFARS 7012, you do not need GCC High to get a CMMC 2.0 DoD certificate specifically for CMMC level 1. 

However, if your organization is looking to become certified at level 2 or higher, there is a clause in the contract for DFARS 7012. Microsoft GCC High is the only reporting platform within Microsoft 365 and Office 365 that meets the requirements for DFARS 7012. Therefore, if your company is looking to become level 2 certified, and you use Office 365 or Microsoft 365, you will need GCC high to be compliant.

What Do You Need to Be CMMC 2.0 DoD Compliant?

If you want your company to be CMMC DoD certified, you need to be familiar with the CMMC 2.0 model. This model features a tiered system with three levels that determine a contractor's maturity based on the complexity of their cybersecurity policies and processes. DoD contractors and subcontractors looking to attain compliance need to meet a set of requirements based on the CMMC 2.0 level assigned to them by the DoD. Here's what each CMMC 2.0 maturity level looks like.

CMMC 2.0 Level 1: Foundational Cyber Maturity

Guided by the Federal Acquisition Regulation (FAR), this is the minimum level of cyber hygiene required to hold Federal Contract Information (FCI), beyond the DoD. A level 1 certification indicates that cybersecurity best practices concerning the identified controls are “performed” and included in the business’s processes.

This is the easiest of the three levels to achieve, and contractors may self-certify.

 CMMC 2.0 Level 2: Advanced Cyber Maturity

Any company working with CUI should aim for this level. It is comparable to the former CMMC Level 3. These requirements are in complete alignment with NIST SP 800-171 practices. All practices and maturity processes that were unique to CMMC 1.0 have been eliminated, which means that the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped. Now, Level 2 directly correlates with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI.

 CMMC 2.0 Level 3: Expert Cyber Maturity

Contractors at this level are required to focus on reducing the risk from Advanced Persistent Threats (APTs). This level is exclusively for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. The DoD has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. These should be met before undergoing a triennial government-led assessment. The DoD, however, is in the process of developing the requirements for this level, which is still undergoing change.

As a DoD contractor, you should identify your organization’s cyber security level based on the classification of the data you store, transmit, and process. Your IT team must be familiar with NIST SP 800-171 and the appropriate target levels so that they can determine the right CMMC 2.0 controls to adopt for your organization.

After meeting the appropriate CMMC 2.0 level requirement, your company needs to pass a CMMC 2.0 audit. The audit can only be performed by a certified third-party assessor organization (C3PAO) recognized by the CMMC accreditation body.

To ensure you have a high chance of passing your CMMC 2.0 audit, partner with a trusted managed IT services provider that can conduct a gap assessment like Charles IT. A gap assessment is a vital step to achieving CMMC 2.0 DoD compliance because it will help you identify the processes and controls your company needs to improve on. 

Once we've identified gaps and weak spots in your cybersecurity infrastructure, we'll provide you with a remediation plan to address the issues and ensure you pass your CMMC 2.0 audit. Start your gap assessment now!

Editor's Note: This blog was originally published on September 2, 2020. It was edited for accuracy on August 1, 2023. 

Download Our CMMC Compliance Checklist: This checklist will help you determine the right CMMC controls, policies, and procedures to adopt for your organization to achieve CMMC 2.0 Certification.

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”