Microsoft’s announcement this week that the GCC version of Microsoft 365 can now support DFARS 252.204-7012 compliance is an important step in the evolution of the service and good news for many defense contractors. This news creates an additional option for some companies as they chart the best path to meet both DFARS and CMMC compliance. However, this does not change the guidance for defense contractors pursuing higher levels of certification.
Microsoft has deployed multiple versions of the Microsoft 365 service to support the increased levels of security necessary for a wide variety of entities. The Government Community Cloud (GCC) was designed for federal, state and local governments as well as federally recognized tribal entities such as Native American tribes and Alaska Regional Native corporations. To meet the additional, specific needs of the DoD, Microsoft further developed Microsoft 365 GCC High and DoD. This blog highlights the history of the versions of Microsoft 365 and public cloud in general.
One of the reasons that GCC High was originally required to support DFARS 7012 was that Microsoft could not guarantee that GCC could meet DFARS 7012 clauses (c) through (g). This was mostly due to data log collection and retention. Additionally, GCC “lives” in the commercial version of Azure which until recently also did not meet DFARS 7012 requirements. Further, because Azure Commercial has a global infrastructure, GCC is not applicable for export controlled (i.e. ITAR) data. Now, Microsoft has made the necessary investments to ensure that clauses (c) through (g) can be met in GCC and in Azure, along with the ability to demonstrate compliance with FedRAMP High.
While this change is a big step forward and will be beneficial to many federal contractors, it should not result in wholesale change for the Defense Industrial Base (DIB) as it evaluates which service to use. To summarize this impact:
Almost all companies that contract with the DoD, either directly or indirectly, are subject to DFARS 252.204-7012. However, many of these companies will only need CMMC Level 1 or choose to pursue Level 2. This change provides an option for Level 1 and Level 2 companies to meet their DFARS 252.204-7012 obligations on a compliant platform without fully committing to GCC High.
Additionally, with the new DFARS 252.204-7020 clause, companies that are “upstream” in the supply chain need to validate their subcontractors’ cybersecurity. Now, a prime contractor can confidently attest that a lower-level subcontractor has adequate security to meet CMMC Level 1 or 2 and DFARS 252.204-7012 without requiring that subcontractor to move to GCC High.
While DFARS 252.204-7012 and CMMC both aim to protect CUI, not all CUI is the same. CUI encompasses a large amount of information and several subcategories. Included in this listing is export-controlled data (for example, ITAR). In addition to the standard controls for CUI, export-controlled data also requires data sovereignty.
From a provider’s perspective, there is no way to know whether the CUI data in a client environment is ITAR or some other form of CUI. In an earlier blog, Microsoft’s Richard Wakeman explained that in order to attest to protecting CUI data, a provider must assume it holds all types of CUI data, including export-controlled data. GCC High is the only version of Microsoft 365 available to contractors where Microsoft can attest to meeting this requirement.
This is not just a Microsoft thing; we talk to customers every day who literally have no idea whether they hold export-controlled data. Moreover, we’ve talked to more than a few that absolutely perform the type of work that would create export-controlled data, and yet insist they don’t hold that type of data.
The debate around which version of the Microsoft 365 service should be used to support the DIB has raged for several years now. Feature parity issues and higher costs, as well as limited purchase options, have limited adoption and caused grumbling throughout the industry. As one might expect, the higher the level of requirement, the higher the cost and the more restrictive the service becomes. We’ve supported GCC High for almost three years now, so we’ve had a front row seat for much of the discussion.
UPDATE! Which cloud to use often depends on whether you hold export-controlled or non-export-controlled CUI. In this recent webinar, C3’s Bill Wootton and McMahon, Welch and Learned Counsel Jody Reed discuss the practical and legal implications of CUI and ITAR data.
Clause 7020 requires companies to validate the cybersecurity posture of subcontractors before awarding the subcontract. How would you feel about your subcontractors’ commitment to cybersecurity if they were not on GCC High? Are you equipped to differentiate between sharing non-export-controlled CUI and export-controlled CUI?
The first step? Companies evaluating the move to Microsoft 365 to meet their CMMC and DFARS requirements should start by evaluating the short- and long-term risks and benefits of each version of the cloud. This table illustrates some of the differences:
The Commercial version of Microsoft 365 offers the latest features, flexible licensing and a large partner ecosystem to assist with deployments and administration. However, the Commercial version of Microsoft 365 does not meet the requirements of DFARS 7012 clauses (c) through (g), nor does it meet the data sovereignty requirements of export-controlled data. Customers that consider Commercial need to seriously evaluate the business limitations and risk associated with this version of Microsoft 365.
Microsoft 365 GCC appears to offer the right balance of a government cloud and additional protections with cost parity to commercial and monthly licensing options. For companies pursuing a Level 1 or Level 2 strategy, this is a viable option, assuming there are no plans to pursue higher level contracts in the next several years.
The risks with this strategy center around the opportunity costs of not pursuing contracts that contain certain Level 3 requirements. By deploying in GCC, a contractor’s “ceiling” will be work that does not include export-controlled data. For some, that may be fine, but when an opportunity arises that requires handling of export-controlled data, the contractor will need to transition to GCC High and then re-certify at that level. This is no small effort, as it includes a data migration, user disruption, re-implementing security controls, updating policies and then passing a C3PAO audit. There is also a timing consideration. When you factor in CMMC’s requirement to “habitually and persistently” demonstrate maturity, this transition can easily take 6-9 months or even longer.
It’s also important to note that the costs associated with a data migration are almost always higher in the future. This is due to increased users and data storage, as well as any incremental customizations of Teams/SharePoint. Also, security settings do not “migrate”; they must be re-set. User disruption around migration and other tasks such as re-enrolling devices should also be a consideration. Finally, GCC does not have full parity with Commercial. There are still some features that are not fully available.
We recently worked with a defense contractor with about 250 people evaluating the best version of Microsoft 365. The options were to move from Commercial to GCC High, or to move to GCC first and then to GCC High in the following year. We compared the cost of licensing and of migrating once or twice, assuming a steady-state environment (i.e. no growth). The result was that they only saved 10-15% with the two-step strategy. Relative to the disruption caused by two migrations and the business risk associated with not being able to pursue all types of business, the savings were simply not worth it.
Microsoft 365 GCC High is the only version of the service that Microsoft will attest is compliant with CMMC Level 3. It meets the data sovereignty requirements associated with export-controlled (i.e. ITAR) data with CONUS data residency and US-based support and administration.
Further, GCC High is growing in adoption, with most of the largest prime contractors either using, or moving towards, the platform. As these primes evaluate teaming partners relative to DFARS 252.204-7020, they will have more confidence in subcontractors who are also in GCC High. Finally, at least in the short term, as cross-cloud sharing issues persist, deployment in GCC High will enable collaboration between primes and subcontractors, which facilitates continued business relationships.
GCC High is far from perfect. While Microsoft has done a great job over the last couple of years closing the feature gap and continues to make steady progress, feature parity issues continue to be a challenge. The hope is that by year-end, many of the largest issues, including cross-cloud sharing, should be mitigated, if not eliminated.
The cost of GCC High is also a challenge. The simple reality is that a replicated version of the entire Microsoft solution with US-based support and administration brings a higher cost basis and less scale to distribute – and mitigate – those costs. However, the long-term benefits of meeting advanced security requirements and the potential competitive advantages associated with higher security should make this a worthwhile investment.
All told, this news creates additional options for some companies working in the DIB, but not for those expecting to require CMMC Level 3 certification. To summarize:
C3 has supported the Office 365 solution for almost 10 years and the GCC High platform for almost three years now. With well over 100 DIB clients, we have the experience to help you understand the benefits and risks of all versions of the Microsoft 365 platform.
We can help you understand feature differences as well as the cost impact of multiple scenarios to ensure you make the right choice for your business. To learn more, contact us at firstname.lastname@example.org.