
Do You Need GCC High for CMMC 2.0 Compliance?


4 min read
Published on Nov 8, 2021

Do You Need GCC High for CMMC 2.0?

NO! That’s right, you do not need GCC High for CMMC 2.0, not even for Level 3. However, you might need GCC High for other reasons. We will go deeper into which cloud is right for your CMMC compliance, but let's make things super clear first.

Why Do You Need GCC High?

You will need GCC High if you manage, create, or hold any of the following types of information:

  • Export Controlled CUI
  • International Traffic in Arms Regulations (ITAR)
  • Export Administration Regulations (EAR)
  • Specified CUI that requires US Sovereignty
    • Controlled Defense Information
    • Nuclear Information (FERC/NERC)
    • NASA
    • CUI marked NOFORN
  • Criminal Justice Information Systems (Federal)

This is not an exhaustive list of information types that require GCC High. Rather, these are the information types that will always require GCC High.

What CMMC 2.0 Changes Impact GCC High?

Not many. Let's quickly run down the big changes introduced by CMMC 2.0:

  • Elimination of CMMC 1.0 Levels 2 and 4
  • FCI requires CMMC 2.0 Level 1, which can be completed with a self-assessment
  • CMMC 1.0 Level 3 is becoming CMMC 2.0 Level 2, but has split requirements for organizations managing CUI
    • Contractors with CUI considered critical national security information will require a 3rd party assessment every 3 years
    • Annual self-assessment will be permitted for select programs
  • CMMC Levels 4 and 5 (covered by NIST 800-172) are becoming CMMC Level 3, which is under continued development at this time.
  • Plans of Actions And Milestones (POAM) will be permitted with clearly established timelines
  • Waivers will be possible (for the entire CMMC Program) for mission critical needs on a case by case basis.
  • Read our rundown of CMMC 1.0 vs CMMC 2.0 here.

Understanding Microsoft 365 for CMMC 2.0

TL;DR: GCC and GCC High are the only environments where Microsoft will contractually agree to meet their customers’ requirements for DFARS 7012. If you are subject to DFARS clause 7012, you need GCC. If you have covered information with sovereignty, export control, or US citizenship requirements, you will need GCC High.

When deciding on the cloud instance you need to meet CMMC, it is important to understand how we got to CMMC 2.0, and the underlying requirements for compliance.

Federal Contract Information (FCI) is covered by Federal Acquisition Regulation 52.204-21, which included 15 information safeguarding requirements. This was codified as a subset of NIST 800-171 in CMMC 1.0 Level 1, with 17 controls. (There was actually no new requirement; the additional 2 controls were a split of the existing controls to clarify compliance.)

In December 2017, DFARS Clause 252.204-7012 went into effect, mandating adherence to NIST 800-171 for contractors managing CUI and Covered Defense Information. At the time there was a 12 month period for organizations to meet NIST 800-171 and to document this with a system security plan (SSP) and a POAM. DFARS 7012 also introduced a cyber incident reporting requirement in paragraphs c-g that included a requirement to preserve and protect all relevant monitoring and packet data for 90 days.

Between 2017 and November 2020, continued cyber-incidents and intellectual property theft from the defense industrial base made it clear that the self-assessment of cybersecurity against NIST 800-171 was not sufficient, and CMMC 1.0 was codified in DFARS 7021. CMMC added the requirement for 3rd party assessments for the entire defense industrial base.

The complexity and added cost of CMMC compliance led to an internal review of CMMC by the DOD. In November 2021, CMMC 2.0 was introduced to simplify compliance, reduce cost and reduce the threat of shutting small businesses out of the defense supply chain. This had zero effect on DFARS, ITAR and the other frameworks that require GCC and GCC High.

What does CMMC 2.0 Mean for GCC High?

Absolutely nothing. It is the underlying compliance requirements that CMMC supports that require either GCC or GCC High. Nothing in CMMC 2.0 has changed those requirements, and while it is expected that DFARS 7021 will be amended to adjust the CMMC requirements and timeline, DFARS 7012 is not going anywhere. You never needed GCC High to meet CMMC 1.0; you needed it to meet the requirements of your specific CUI and business scenarios.

What Should I Do About CMMC 2.0 Now?

Continue on your compliance journey. Focus on the core requirements of NIST 800-171, and pay less attention to the CMMC-unique security policies and controls from CMMC 1.0. You still need to meet NIST 800-171, and the recent DOJ initiative to use the False Claims Act to prosecute cybersecurity fraud by government contractors puts organizations that have neglected their obligations under DFARS 7012 squarely in its crosshairs.

Get Ahead of The Competition

Agile IT is a CMMC Registered Provider Organization, one of the first Microsoft Azure Government and GCC High partners, and has implemented NIST 800-171 controls for hundreds of organizations. To find out how you can reduce the risks posed by cyber criminals and compliance auditors, and how to make the right choices for cost-effective CMMC alignment, request a free consultation today.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
