The short answer: No
The long answer: You likely need to choose GCC High for your overall compliance strategy.
Though DFARS 7012 can sometimes take a backseat to CMMC in the public discourse, it's important to take a full compliance vantage point and first consider your organization's DFARS compliance strategy. Also, Microsoft shined additional light on DFARS compliance in their cloud offerings when they recently announced several changes to the accreditation boundaries surrounding Microsoft 365 GCC and Azure Commercial. Previously, GCC High was the only version of the Office 365 or Microsoft 365 platform that met the reporting requirements of DFARS 7012 found in paragraphs C-G. Now, Microsoft 365 GCC will in fact, meet these reporting requirements.
Below is the excerpted paragraphs (e) and (f) from DFARS 7012 that must be met by Department of Defense contract-holding organizations:
(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
You can access the entire document here.
Paragraphs (e) and (f) cause a significant issue for SaaS providers as it ties to how they manage their environments. While most providers store logs for 90 days, system images move around fluidly across hardware and the SaaS provider may not be able to produce a “system image” of a server that reaches back 90 days. Thus, if the government requests this information as part of a forensic analysis, the contractor must in turn request this information from their SaaS provider. If the SaaS provider cannot produce the system image for forensic analysis, then the contractor would be out of compliance with the DFARS clause.
The table below notes which versions of Microsoft 365 and Office 365 can meet the associated requirements within CMMC, DFARS 7012, and ITAR.
GCC High is not required to meet CMMC at any Level. However, Microsoft's official recommendation is for organizations planning or required to meet CMMC Levels 3-5 should deploy to Microsoft 365 GCC High. The Commercial and GCC versions of the platform can be configured to meet NIST 800-171, and the vast majority of CMMC's requirements with native security products/capabilities. CMMC Level 3, for example, can be met in Commercial and GCC per the standards written to date. However, there are long term with concerns and considerations to assess, and these are highlighted in the following guide.
Some of the differences between GCC High and GCC mentioned:
- B2B functionality with other Microsoft 365 platforms (i.e. GCC collaboration with M365 DoD is not available)
- Defense Information Systems Agency (DISA) Impact Level
- Support personnel (US Persons or Not)
GCC High is the only Microsoft offering - besides the DoD dedicated Microsoft 365 - that insures all data resides in U.S. data centers and is supported by background checked U.S. persons. Those attributes make GCC High suitable for ITAR and EAR data. Additionally, Office 365 or Microsoft 365 GCC High is a suitable cloud platform to house CUI corporately and on behalf of the Government, which requires DISA IL 4 or greater. GCC High is rated at DISA IL 5 and is FedRAMP High equivalent.
A Business Risk Decision
Some of the aforementioned regulatory requirements are not directly tied to CMMC, but they are tied to the requirements most DoD contractors in the Defense Industrial Base (DIB) face. Essentially, you can aim for CMMC and ignore previous reporting requirements in DFARS 7012 in hopes that your business will never experience an incident. However, the implications are not good and can invoke a violation of the False Claims Act (FCA). Of the hundreds of suppliers we partner with for compliance, a percentage make this decision but plan ahead to make the switch.
It is difficult to say what is wrong, right, or advisable for every business, because there are added costs associated with GCC High; some businesses have little to no interaction with CUI, and the DoD may be a much smaller component of their overall portfolio. Rather than making an immediate decision, your organization may need to expand its scope and plan in a 2 to possibly 5 year timeframe. Some helpful questions to consider for the time being:
Do you see your DoD contracts portfolio expanding or including ITAR data? Will you continue to support the DoD?
- Will you make the switch to GCC High in 1-2 years and possibly require a second migration, security implementation, and assessment? Are you budgeting for that?
- What is your probability of experiencing an incident or event?
Below is a recent presentation detailing some of the major differences between the platform offerings and how to discern what is best for your organization.