Do You Need GCC High For CMMC?

The short answer: No.

The long answer: You will likely still need to choose GCC High for your overall compliance strategy, because CMMC is not the only obligation a DoD contractor carries.

Compliance Considerations

The question comes up more often now that DFARS 7012 has taken a backseat to CMMC in the public discourse. Additionally, Mr. Regan Edens of the CMMC AB spoke in May 2020 of an “urban legend” circulating that “GCC High is a requirement”. His statement is true as far as CMMC is concerned, but it requires some unpacking, and Mr. Edens did not have time to expound on his points within the allotted time and scope of the presentation.

GCC High is not required to meet CMMC at any Level. However, GCC High is the only version of the Office 365 or Microsoft 365 platform that meets the cyber incident reporting, media preservation, and forensic access requirements of DFARS 7012 found in paragraphs (c) through (g). Technically, the Commercial and GCC versions of the platform can be configured to meet NIST SP 800-171, and the vast majority of CMMC's requirements, with native security products and capabilities. CMMC Level 3, for example, can be met in Commercial and GCC per the CMMC standards written to date.

The table below notes which versions of Microsoft 365 and Office 365 can meet the associated requirements within CMMC, DFARS 7012, and ITAR.

[Table: Office 365 GCC High for CMMC? (image not reproduced in this text version)]

The most significant differences between GCC High and GCC (and Commercial):

  • Data residency
  • Support personnel
  • FedRAMP status
  • Defense Information Systems Agency (DISA) Impact Level
  • Forensic information for reporting

GCC High is the only Microsoft offering, besides the DoD-dedicated Office 365 environment, that ensures all data resides in U.S. data centers and is supported by background-checked U.S. persons. Those attributes make GCC High suitable for ITAR and EAR data. Additionally, Office 365 or Microsoft 365 GCC High is a suitable cloud platform to house CUI, both corporately and on behalf of the Government, which requires DISA Impact Level 4 or greater. GCC High is rated at DISA IL 5 and is FedRAMP High equivalent.

The last bullet above, forensic information for reporting, requires additional discussion and reference. Below are the excerpted paragraphs (e) and (f) from DFARS 7012 that must be met by organizations holding Department of Defense contracts.

(e)  Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

(f)  Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

You can access the entire document here.  

Paragraphs (e) and (f) cause a significant issue for SaaS providers because they bear directly on how those providers manage their environments. While most providers retain logs for 90 days, in a multi-tenant SaaS environment workloads move fluidly across hardware, and the provider may not be able to produce a “system image” of a server that reaches back 90 days. The contractor cannot image the provider's servers itself, so if the Government requests this information as part of a forensic analysis, the contractor must in turn request it from the SaaS provider. DFARS 7012 paragraph (b)(2)(ii)(D) places this obligation on the contractor: when covered defense information is stored, processed, or transmitted by an external cloud service provider, the contractor must require and ensure that the provider complies with paragraphs (c) through (g) of the clause. If the SaaS provider cannot produce the system image for forensic analysis, the contractor is out of compliance with the DFARS clause.

A Business Risk Decision

The aforementioned regulatory requirements are not directly tied to CMMC, but they are tied to the requirements most DoD contractors in the Defense Industrial Base (DIB) already face. Essentially, you can aim for CMMC and ignore the existing reporting requirements in DFARS 7012 in the hope that your business never experiences an incident. However, the implications are not good: a contractor that has represented DFARS 7012 compliance it cannot actually deliver is exposed to liability under the False Claims Act (FCA). Of the hundreds of suppliers we partner with for compliance, some make this decision deliberately, but they plan ahead to make the switch.

It is difficult to say what is wrong, right, or advisable for every business, because there are added costs associated with GCC High; some businesses have little to no interaction with CUI, and the DoD may be a much smaller component of their overall portfolio. Rather than making an immediate decision, your organization may need to broaden its scope and plan on a two- to five-year horizon. Some helpful questions to consider in the meantime:

  • Do you see your DoD contracts portfolio expanding? Will you continue to support the DoD?
  • Will you make the switch to GCC High in 1-2 years and focus on CMMC preparations only for now?
  • What is your probability of experiencing an incident or event?

"Which version of Office 365 is suitable for compliance?" has been a question for many over the last several years. In fact, here is a 2018 blog from Scott Edwards detailing similar points.

Microsoft Gov Cloud and CMMC Webinar Updates

In Q3 of 2020, the Summit 7 Team presented a webinar titled: Microsoft Government Cloud and CMMC Updates. You can watch the video here.