Back

GCC High Vs GCC for Protecting CUI with CMMC

February 23rd was a significant day for Microsoft and the Defense Industrial Base (DIB). In a series of posts on the public sector blog, it was announced that Microsoft would now support DFARS 202.204-7012 in Azure Commercial and GCC...

3 min read
Published on Feb 24, 2021
gcc-high-vs-gcc-for-protecting-cui-with-cmmc

February 23rd was a huge day for Microsoft and the Defense Industrial Base (DIB). In a series of posts on the public sector blog, it was announced that Microsoft would now support DFARS 202.204-7012 in Azure Commercial and GCC. This is remarkable as it eases the barrier to entry for defense contractors who need to handle controlled unclassified information (CUI) in the cloud. Previously, GCC High was the only environment that met the requirements in paragraphs c-g of DFARS 7012, requiring that environment for ANY organization that needed to meet those requirements in their defense contracts. These new announcements are sure to confuse contractors looking at what cloud environment is needed to meet their requirements under DFARS, NIST 800-171, and CMMC. When making this decision it is important to look closely at your contractual needs and the types of CUI you need to manage to determine if you can use GCC for protecting CUI. 

Protecting FCI In Microsoft 365

Federal Contract Information (FCI) remans controlled by the Federal Acquisition Regulation (FAR) and CMMC levels 1 and 2. FCI can be protected across all of the cloud solutions, including commercial. 

Protecting CUI in Microsoft 365

Unspecified CUI

Controlled Unclassified Information comes in over 130 types in 20 categories and depending on the types of CUI an organization handles, you may nor not may require data sovereignty. It is important to not only look at your existing contracts, but to consider where you plan for your business to grow in the future. Incorrectly assuming that you will not need data sovereignty can cost you future opportunities if contracts to specify requirements. GCC DOES NOT offer data sovereignty and cannot meet the requirements of CUI types that require it. 

Specified CUI and ITAR

CUI categories like export control, defense, and nuclear will obviously require GCC High, alongside ITAR, and any CUI with NOFORN or REL TO USA limited dissemination controls. GCC High and Azure Gov are the only cloud solutions available with the sovereignty requirements to meet the contractual obligations for defending these types of CUI. 

Do I need GCC High or GCC for Protecting CUI?

GCC – Acceptable for:

  • Unspecified CUI without dissemination controls
  • Specified CUI with no reasonable expectation of data sovereignty or export control requirements

GCC High – Required for:

  • International Traffic in Arms Regulations (ITAR) information
  • Specified CUI with dissemination controls including
    • NOFORN
    • REL TO USA
  • Specified CUI types including
    • Controlled Technical Information
    • DOD Critical Infrastructure Security Information
    • Naval Nuclear Propulsion Information
    • Unclassified Controlled Nuclear Information (UCNI)
    • Export Controlled
    • Export Controlled Research
  • Specified CUI with export control or related dissemination regulations included in the safeguarding and/or dissemination authority or  (See our Guide to CUI for links to the national archives documentation.)

Still not sure if you need GCC or GCC High to meet CMMC?

Agile IT is a CMMC-AB Registered Provider Organization, and a Microsoft AOS-G partner capable of licensing, managing, migrating and securing all of the Microsoft cloud environments including Commercial, GCC, GCC High, Azure and Azure Government. If you would like our help determining what environment your CUI requires, let us know below.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

NIST 800 171 vs NIST 800 53

NSA Cybersecurity Collaboration: No-Cost Services Available to DoD Contractors

Learn how NSA cybersecurity collaboration provides no-cost services to DoD contractors, helping enhance security and compliance with advanced cyber protections.

Jan 10, 2025
6 min read
When is a New CMMC Assessment Needed

Understanding When and Why You Need a New CMMC Assessment

Learn when to schedule a new CMMC assessment, what triggers reassessments, and how changes in scope, contracts, or compliance impact your certification process.

Jan 6, 2025
9 min read
How Does VDI Solve the CUI and CMMC Conundrum?

How Does VDI Solve the CUI and CMMC Conundrum?

Explore how VDI for CUI helps businesses meet compliance requirements, ensuring secure data access while simplifying CMMC certification.

Dec 30, 2024
9 min read
Disaster Recovery Plan Enough

Is your disaster recovery plan enough?

Strengthen your Office 365 disaster recovery plan with granular backup, retention policies, and solutions to prevent data loss.

Dec 18, 2024
7 min read
Outlook Organization Tips

Outlook Organization Tips to Take Back Your Outlook Mailbox

Struggling with a cluttered Outlook mailbox? Discover quick and efficient organization tips to streamline your email management.

Dec 17, 2024
6 min read
Managing your Organization's Data-Backup on the Cloud

Managing your Organization's Data-Backup on the Cloud

Learn how to efficiently manage your organization's data backup on the cloud. Discover strategies for optimizing backup processes, reducing storage costs, and ensuring data availability and disaster recovery.

Dec 10, 2024
4 min read

Ready to Defend and Secure Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Defend. Secure. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Defend. Secure. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation