Sean Spicer
Copper Contributor
Aug 24, 2020
Solved

Specific clauses in CMMC Level 3 that require GCC High

Sarah_Gilbert 

Are there any specific clauses in CMMC Level 3 that require GCC High?
Is compliance manager on the roadmap? (a CMMC template in Commercial, or availability of the tool in GCC High?)

I am sending a surrogate to tomorrow's call, as I am unavailable. Will the call be recorded?

  • Howdy Sean Spicer! We do have an intended roadmap to release the Compliance Manager in Microsoft 365 Government (GCC High). It will also include templates for CMMC Level 1-5. The timeline does not have a committed date, as the CMMC program itself has been delayed, especially for Level 3+. We are cautiously optimistic to release the templates by the end of the year.

    As for the requirement for GCC High, here is my standard pitch, and I'm happy to talk to you about it in more depth. Cybersecurity frameworks are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government and Microsoft 365 Government (GCC High) have controls in place for restricting access to only screened US persons, with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC.

    The two most commonly discussed requirements that drive our customers into Microsoft 365 Government (GCC High) are:

    1. DFARS 7012
    2. CUI containing a higher watermark for compliance (e.g. ITAR)

    In other words, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies requiring CMMC Level 3+ are best aligned with Azure Government and Microsoft 365 GCC High for DFARS 7012 and for data handling of CUI. For more information, please refer to Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings and Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty.

    •
      CaLo1
      Copper Contributor

      RichardWakeman Can you tell me where to find the customer responsibility matrix for GCC High? I have one for Moderate O365 MT, but cannot find one for GCC High. I am trying to get CMMC certified and need to make sure we implement the controls correctly.  Thanks.

      •
        RichardWakeman
        Microsoft

        CaLo1 The GCC High SSP and CRM are only available today under an NDA. Please connect with me on email to align with the requirements to gain access.

    •
      Sean Spicer
      Copper Contributor

      Thanks RichardWakeman

      Great answer, and thank you. ITAR is the first thing I ask of new prospects, as many are confused about where they are going to land with CMMC. It's a challenging conversation at times, particularly among the more informed customers, as they are (sort of correctly) looking at CMMC from a maturity standpoint, so they figure they will just do Level 1 and 2 in Commercial and keep moving up the ladder that way. ITAR and CUI contract language is the best lever I have found to explain why they need GCC High. Thanks again for the thoughtful response!