GCC High can prove invaluable for organizations looking to achieve CMMC compliance. In this post, we offer an overview of GCC High and explain its advantages when it comes to the Cybersecurity Maturity Model Certification.
A Quick Overview of CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a three-level cybersecurity framework created by the Department of Defense to ensure that contractors take adequate provisions to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The three levels of CMMC go from Foundational to Advanced, with each level requiring increasingly stringent cybersecurity practices. The image below offers a summary of CMMC.
In previous posts, we have explored specific aspects of the Cybersecurity Maturity Model Certification, including a detailed look at CMMC level 2, and an exploration of what continuous monitoring means in CMMC.
What Is GCC High?
GCC High stands for “Government Community Cloud High.” To put it simply, GCC High is a cloud platform developed by Microsoft for the exclusive use of the Defense Industrial Base.
You have probably heard about the “cloud” when talking about IT. Cloud platforms (or cloud offerings) owe their name to the fact that they allow users to collaborate through files that reside in a cloud of servers that can be accessed via the internet.
All in all, Microsoft has four cloud offerings, or products:
- Microsoft 365 “Commercial.” This is the cloud platform available to the general public for civilian use.
- Microsoft 365 US Government (GCC). For qualified government entities and eligible contractors, including US federal, state, local, tribal, and territorial government entities, and other entities subject to validation of eligibility.
- Microsoft 365 Government (GCC High). For eligible federal contractors.
- Microsoft 365 Government (DoD). For the exclusive use of the U.S. Department of Defense.
Microsoft created GCC High because although Microsoft 365 “Commercial” is extremely useful and reasonably safe (a vast global user base attests to it), it doesn’t meet the more stringent requirements that come with government and military use.
The table above provides a detailed summary of the differences between each of Microsoft’s cloud offerings. We know that’s a lot of technical information, but don’t worry: in the sections below we’ll help you make sense of it.
A Word About Data Residency vs Data Sovereignty
Before we continue exploring GCC High and how it relates to CMMC, it’s necessary to make a distinction between two key concepts: data residency and data sovereignty.
Data residency refers to the geographic area where data is stored. For example, data in a server located in Brea, California, resides in the United States.
By contrast, data sovereignty refers not only to the physical location where the data resides, but also to the laws governing the data. A case in point: when it comes to the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), data residency in the Continental United States (CONUS) is not enough; these regulatory regimes also require that the data be managed by screened U.S. persons.
Defense contractors should always keep in mind the difference between data residency and data sovereignty when assessing their cybersecurity and compliance needs.
What Makes GCC High Different?
As you can see, the table shown above is color-coded to divide the four Microsoft cloud offerings into two pairs: Microsoft 365 “Commercial” and Microsoft 365 US Government (GCC) on the left, and Microsoft 365 Government (GCC High) and Microsoft 365 Government (DoD) on the right.
This means that each pair of platforms shares some key features, with one of the most important being that GCC High and Microsoft 365 Government (DoD) reside in Azure Government, a cloud environment that is located solely in the U.S. and is both physically and logically isolated from the Azure commercial data centers.
This configuration, paired with the use of screened U.S. persons, means that GCC High and Microsoft 365 Government (DoD) provide true data sovereignty.
The key features of Microsoft 365 Government (GCC High) and Microsoft 365 Government (DoD) include:
- U.S. Sovereign Directory Service. With GCC High and DoD, directory data transmission and processing, including authentication and authorization, occur CONUS. By contrast, these processes may take place Outside the Continental United States (OCONUS) in the other Microsoft cloud platforms.
- U.S. Sovereign Network. With GCC High and DoD, data transmission and data processing are CONUS only. In the case of the other cloud offerings, data transmission is global.
- Screened U.S. Persons. Personnel working at the GCC High and DoD data centers are screened U.S. persons who are required to undergo background checks, including education verification, criminal history checks, and checks against lists maintained by the Departments of Commerce, State, and Treasury.
- Support for U.S. Export Controlled Data. Office 365 DoD and GCC High are the only cloud offerings where Microsoft contractually commits to export controls, including coverage for Controlled Unclassified Information (CUI), the main object of CMMC.
Do I Need GCC High for CMMC 2.0?
No, there’s no official requirement to use GCC High to comply with the controls of the Cybersecurity Maturity Model Certification. However, there are a few compelling reasons to choose GCC High for your CMMC compliance goals.
To begin with, Microsoft exclusively recommends GCC High for protecting CUI according to the requirements of CMMC levels 2 and 3.
And even if you only aim to comply with CMMC level 1, choosing a higher security standard means that you will be in a better position to take advantage of future opportunities that require more stringent levels of compliance. Not to mention that this also provides your organization with a welcome extra layer of protection.
Additionally, if you hold or expect to hold export-controlled data under ITAR or EAR, you should choose GCC High. As mentioned earlier, this is the only offering where Microsoft contractually commits to support export-controlled information.
Finally, two practical reasons. One, most people are already familiar with Microsoft products and environments, making any transition essentially seamless. And two, Microsoft is committed to supporting any current and future DoD compliance requirements, ensuring that you are able to keep being awarded contracts.
How Do I Get GCC High?
Not everyone can purchase a GCC High license. Licenses are restricted to two types of entities whose eligibility must be validated by Microsoft:
- Category 2 entities with an active CAGE code or SAM registration
- Category 3 entities, which are required to submit a signed contract that states their obligation to protect a regulated data type
For a detailed explanation of what goes into purchasing a GCC High license, including an overview of common licensing strategies, and a step-by-step description of the online eligibility validation process, head over to our GCC High Buyers Guide.
In closing, keep in mind that complying with CMMC involves way more than purchasing a GCC High license.
CMMC compliance is not a “one time and you’re done” thing. On the contrary: compliance is an ongoing process that requires sustained attention and continuous monitoring.
No matter where you are in your compliance journey, our experienced team of CMMC Registered Practitioners stands ready to answer your questions and offer assistance.
Need Help With GCC High? Contact Us Today
Brea Networks, LLC is a full Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
We have made it our mission to help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Our core goal is to serve our customers, and we excel at helping small-to-medium sized businesses (SMBs) achieve their objectives. With a responsive staff and unlimited compliance support, choosing us means enjoying the peace of mind that comes from knowing that your compliance efforts are in good hands. Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063