It is often an uneasy task to identify all of the updates and changes to CMMC and the Office 365 Government Community Cloud High (GCC High) platform, much less validate them. This blog and video below is intended to keep the community of GCC High and Azure Government users up to date on the latest updates and happenings throughout the industry. This information will not be exhaustive of every update or change, but should address the most noteworthy.
One last note: Certain features or products are in public preview. It is our firm recommendation that you do not roll out or migrate to any new product before it is generally available. If a feature is in preview, the fine print basically states that it is unsupported by MS. Therefore, you are in treacherous waters in the event that something breaks or malfunctions.
If You Prefer, Watch the Video Above /Subscribe to the YouTube Channel for Updates
New Acronyms and Open Applications
The CMMC AB came out with a significant update this Quarter and provided details on six of the ten defined roles in the CMMC ecosystem. The application process is now open for five of these roles on the CMMC AB website. The Organization Seeking Certification (OSC), or Government Contractor, does not receive its assessment from the AB directly.
Numbers to Consider
- The updated AB content states that a CMMC Certification is valid for three years regardless of Level
- OSC's should start the process of certification six months from their expected contractual need
- OSC's will have 90 days to remedy any findings from the initial assessment
- A Level 3 Audit could cost $20K+ based upon pure costs incurred by the Certified Third-Party Assessor Organizations (C3PAO) and Certified Assessors (CA). See the video above for the breakdown at 17:00.
New TimelineThough the global pandemic has impacted some of the collaboration and approval processes among DoD, the Federal Government, the AB, and industry, CMMC continues to be relatively on schedule. Below is an updated look straddling 2020 and the first two Quarters of 2021.
Some other interesting CMMC news released recently is the open job requisition for the CISO position with the Office of the Undersecretary of Defense (OUSD). This position, if identical in duties and responsibilities, aligns to Katie Arrington's current role. Additionally, the US Senate Armed Services Committee is initiating a study into CMMC's implementation across all involved parties. These two points could indicate a level of uncertainty in D.C. around CMMC, but all other signs continue to point towards solidification of the new framework. Case in point, the new GSA STARS III contract vehicle makes a direct reference to CMMC in its solicitation documents.
“While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification”
- Microsoft 365 F3 ('F' stands for frontline)
- Data Loss Prevention as a standalone license
Additionally, some license types experienced a change or revamped structure.
- PowerApps is now broken out into Per User plans and Per App
- Office 365 E3 can be upgraded to an E5 mid-term in your annual license agreement via a 'step up' license
- Microsoft Flow is changed to Power Automate
Microsoft continues to invest heavily in Microsoft 365 GCC High and Azure Government to support the Defense Industrial Base (DIB). There are several updates over the last 60 days.
- File size upload limit raised to 100GB for SharePoint, OneDrive, Teams, etc.
- Teams Private Channels
- Phone System and Audio Conferencing is now configurable
- Enhanced reporting for Teams, OneDrive, Exchange, and SharePoint added for E5 customers
- Windows Virtual Desktop is in Private Preview for Azure Government
More exciting features and capabilities are coming in Q4 2020 and the beginning of 2021.
- AIP and all Microsoft labeling tools rolling into a single product - Unified Labeling - across Windows, Microsoft 365, and Azure
- B2B External Sharing from GCC High tenant to another GCC High tenant
- Advanced Threat Protection (ATP) external email forwarding controls and customized quarantine notifications
- Increased Teams streams during meetings and audio-conferencing
These updates and more are discussed in full within the recording above.