CMMC + Microsoft 365 = 😵‍💫? Maggie has thoughts for you

Non-kinetic adversarial actions are increasing at an alarming rate. Hackers across the world try to breach government entities and many succeed—think of the high-profile supply chain attacks like SolarWinds and the OPM breach that put everyone into a frenzy. As our pal Katie Arrington says, “the CMMC is the single most effective deterrent to war we’ve ever seen”.

That’s why your Microsoft licensing matters for CMMC. If you choose the wrong licensing, or don’t implement the capabilities that your licensing offers you run the risk of penetration, losing DoD contracts, missing compliance controls, and even damaging your rep as a DoD contractor.

And y’all: Microsoft licensing is COMPLEX. The documentation from Microsoft can be overwhelming, and 99% of it is focused on their worldwide licensing. There are only 240,000(ish) DIB contractors that need to meet CMMC at Level 2 and even fewer are thinking about GCC High. Finding resources on Microsoft licensing specifically about “hey how does Microsoft help me with CMMC?” can be challenging to find and even more challenging to digest.

Lucky for y’all, I’m a sucker for Microsoft licensing and a sucker for CMMC. Let’s talk about how Microsoft supports your organization in NIST 800-171 compliance when you leverage the proper licensing.

Refresher on our old friend DFARS 202.252-7012 and CUI in general

The DoD has thoughts when it comes to protecting Controlled Unclassified Information (CUI). They went ahead and created a whole supplement to the FAR because they didn’t feel it went far enough (get it?). Specifically, I’m thinking about DFARS 202.252-7012. Remember that? It says (among other things) “The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017”. Y’all that was SO LONG AGO. The full working title of NIST SP 800-171? “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

Not all CUI is created equal, sure – CUI Basic is CUI for which the authorizing law, regulation, or government-wide policy (LRGWP) does not set out specific handling or dissemination controls. CUI Specified is (you guessed it) the subset of CUI for which the authorizing LRGWP does set out specific handling controls. In our DIB world, we spend a whole lot of time with CUI Specified, particularly CUI Specified that falls under the Defense and Export Control Organizational Index Groupings. According to the DoD (and eventually CMMC, when we get that final 48 CFR in place), all of that is going to require CMMC compliance at Level 2.

This was a really long-winded way for me to say “ya need CMMC Level 2, probably, and Microsoft GCC High licensing can help ya get there.”

Refresher number 2: What Is CMMC and Who Needs It?

The Cybersecurity Maturity Model Certification (CMMC) program was finalized last year with the publishing of 32 CFR Part 170. Our years of waiting are over; the kinks have been painstakingly worked out. The former 5-tier system is now a manageable 3-tier system. Government regs used to be slow to change, but mandates have had to address the flow of information among the stakeholders associated with a DoD contract. There’s a lot to digest which is why reading the Federal Register CMMC program is at least a 2-coffee sit-down.

If you don’t have the time (or the stomach for that much caffeine) to read the whole of 32 CFR Part 170, here’s the quick and dirty version: You told the DoD you were in compliance with NIST SP 800-171. Now they want proof. And if you don’t have proof, you can kiss your DoD contracts goodbye. (lol or worse, get hit with a False Claims Act because you misrepresented your cybersecurity and now you owe $$$)

Secure data is bankable and oversight and compliance are non-negotiable. Competition is fierce. Knowing what kind of data you will be handling isn’t just the job of IT, it’s yours.

Here’s a quick breakdown of CMMC certification maturity levels without getting into too much governmental alphabet soup. Note that levels build on the previous levels. That is, you can’t get to level 2 without attaining level 1 and so forth.

• Level 1 is foundational or the most basic level. Its 17 practices (requirements) must be followed, but maturity isn’t assessed as documentation may be lacking and performed as needed without too much prior planning. The Federal Contract Information (FCI) at this level is not intended for public consumption.

• Level 2 is advanced and includes all 110 practices from NIST 800-171 R2. It requires annual attestation of compliance and an assessment every three years. Most contractors can expect their DoD contracts to include a need for certification at Level 2.

• Level 3 is expert and possesses a higher-level of CUI protection and assessment by the DIBCAC every three years, not a C3PAO. We see Level 3 requirements in contracts that have CUI associated with a breakthrough, unique, or advanced technologies, or if there is a risk that if the system is attacked, a widespread outage across the DoD would occur.

Reminder: level is determined by the contract, not the company. You can hold different contracts that have different CMMC requirements. And you MUST be compliant with that level immediately upon contract award.

Breaking Down Microsoft Licensing Options

Level 1 can get by with Microsoft 365 Business Premium – at this level, you’re only handling FCI, can self-attest to Level 1 compliance, and don’t necessarily need to be in a Microsoft Government cloud instance. The current estimate from the DoD is that there are 140,000 contractors that will need to certify at Level 1.

Most orgs will need to get certified at Level 2 – reminder that the DoD is estimating 240,000 contractors here. There are technically two versions of Level 2 certification: self-attestation or certification by a C3PAO. But we can basically write-off self-certification, because any CUI categorized under NARA’s Defense Organizational Index Grouping requires certification by a C3PAO. And we’re defense contractors. SO. Let’s make sure we’re keeping that data secure, and we’re ready to pass a C3PAO assessment, yeah? At this level, we’re usually looking at GCC High and Azure Government, with Microsoft 365 E5 licensing (or if the circumstances call for it, Microsoft 365 F3 with the F5 Security + Compliance add-on). There are times when maybe GCC will suffice – let’s get into that puzzle next.

GCC vs GCC High – What’s the Actual Difference?

The tl;dr of GCC vs GCC High is that GCC sits on the commercial cloud, GCC High sits in the Microsoft Government cloud. Richard Wakeman over at Microsoft made us a handy table:

GCC is a data enclave within the Commercial network. Data residency and processing is in CONUS for the primary Office workloads . There are shared services with Commercial, which means that your data may be processed OCONUS. Entra ID, for example, is supported globally. Authentication into Entra ID is data processing – and that can happen OCONUS. So like, strong no on GCC for Specified CUI data (think Defense, Export Controlled, Nuclear). Since that’s going to be most of us, I think we can move on to GCC High. Email me if you wanna talk DFARS 7012 in GCC, though.

GCC High is on a sovereign network constrained to CONUS. It’s literally built to comply with export controls. Everything is on the Azure Government network – there is a US Sovereign Cloud accreditation boundary encompassing all services attached to Azure Government and GCC High. Our Entra ID example from GCC? GCC High directory services with Entra ID are provided by Azure Government in this example.

A quick note on Microsoft 365 Commercial : there’s no FedRAMP Moderate/High authorization or equivalency here, so it’s just a hard “no” for orgs that process any form of CUI, even Basic CUI.

What We Recommend (and Why)

The Cloud Instance

While it’s understandable to want the lower costs associated with GCC, you need to seriously consider if that’s going to keep you in the contracts you want/need with the DoD. Yes, CMMC Level 1 can be achieved in GCC. For Levels 2-3, it would be hard to get to certification with GCC and would require a lot of workarounds and other tools. As defense contractors, it’s highly likely that you hold export-controlled CUI. Do not hold that in GCC.

GCC High is where it’s at. You can demonstrate compliance with ALL maturity levels of CMMC in GCC High and Azure Government.

The Licenses

I tend to think of two distinct types of workers in orgs: office workers and production workers. Office workers need lots of collaboration tools, probably never want to even look at the web version of Excel, and want to be able to check Teams/Outlook on their phones. These are the folks that sit at a desk most of the day. Production workers are on the floor and spend more time with a CNC machine (or the like) than they do with a laptop.

For our Office workers, Microsoft 365 GCC High E5 takes the cake. When Microsoft rolled out Microsoft 365 E5, they called it the “hero license”. It’s easy to see why: this license is the master suite and has all the bells and whistles a Microsoft license can offer. You get your full Office desktop applications, plus the security and compliance capabilities you need to protect your data and meet CMMC at level 2.

Production workers don’t tend to need a ton of storage for their inbox, or the desktop app for PowerPoint, or any of the big bells and whistles that come in the collaboration suite of Microsoft 365 E5. What they DO need, though, is the same security and compliance functionality that office workers are getting. And so: Microsoft 35 F3 with the F5 Security + Compliance add-on. A light collaboration stack (think web apps only, a 2gb mailbox, 2gb of OneDrive space) that still gives you access to Teams (web), SharePoint (gotta get to that HR intranet site, you know?), and files across the org. Pair that with the information protection, data loss prevention, threat protection, identity and access management (and the list goes on) of what you get in the Microsoft 365 F5 Security + Compliance add-on, and you are SET.

The Final Takeaway

CMMC is gonna be gnarly to attain, and equally gnarly to maintain. It’s worth it to protect our nation and your contracts. Microsoft licensing can help get you there. There are caveats. You need a partner who knows licensing, who knows how to configure the features within that licensing, and who knows how it all maps to NIST SP 800-171 and (maybe more importantly?) NIST SP 800-171A.

Agile IT has got your back. I’ve got your back. LFG.