Microsoft Teams in Office 365 GCC High - CMMC Considerations
The Department of Defense (DoD), its agencies and organizations, and supply chain - Defense Industrial Base (DIB) - have shied away from remote working and SaaS offerings in the cloud for understandable security concerns. However, times have changed. The workforce includes several new generational bands, technology has inhibited new possibilities, and cybersecurity products/tools are far more enhanced than 10 years previously. Additionally, threats to operational continuity like the recent COVID-19 pandemic are becoming an almost annual occurrence. Weather events, physical security threats, power outages, cyber attacks, and other external factors create scenarios where working from home or remotely becomes the best option for a group of users (if not the entire enterprise). Enter Microsoft Teams for Office 365 GCC High. Security and Compliance with Teams in Office 365 GCC High / Microsoft 365 GCC High (M365) Microsoft Teams US Government can meet many of the requirements in CMMC pertaining to information systems in the cloud. Much of which is met through overarching Office 365 security and products. For starters, the Identification and Authentication (IA) requirements (1.077, 2.078, 2.079, 2.080, 2.081, 2.082, 3.083, 3.084) are met in spades by properly configured Azure Active Directory and Multi Factor Authentication (MFA) within the Office 365 GCC High tenant. This of course extends to Microsoft Teams, as well as SharePoint and others.Why Microsoft Enterprise Mobility + Security (EMS) & ATP are Necessary for NIST Compliance
In a 2018 report provided by the National Defense Industrial Association (NDIA), researchers found companies “severely underestimate(d) the costs of becoming compliant by as much as a factor of 10”. The burden of compliance is significant yet important, and businesses are considering ways to secure their information systems without breaking the bank. One area of cost savings at first glance: email only users. These individuals will likely only need a corporate email, which would reasonably lead IT leadership to purchase an Exchange Only license and carry on. However, we advise contractors purchase Office 365 Advanced Threat Protection (ATP) and Enterprise Mobility + Security (EM+S) in addition to their Exchange license as a best practice for NIST 800-171 compliance. Without the proper understanding of NIST compliance requirements, it is easy to misinterpret the need for ATP & EM+S licensing. It is also reasonable to think consultants are trying to make a quick dollar by upselling. Assuming these individuals are not entirely self-serving, let’s dive into this a little more using a friendly campfire analogy. S’mores. Purchasing an Exchange Only license is like having a s’more without the marshmallow & the graham. The marshmallow & the graham are necessary for the security and protection of the chocolate. They are the quintessential vessels that encompass and bring cohesion to the s’more as a whole. S’more explanation below.CMMC Recovery (RE) Domain Overview and Strategy
One of the key areas where the Cybersecurity Maturity Model Certification (CMMC) expands on NIST 800-171 is system recovery, specifically the ability to recover from any event that compromises the integrity and availability of data. Backups are called out in the Recovery (RE) Domain and include the requirement to backup all content, not just CUI and other critical content. Further, testing backups is now a requirement and likely to be validated during a CMMC assessment.Office 2010 & 2013 Clients End-of-Support Affecting Microsoft 365 GCC High Tenants and CMMC Impact
& 2013 Clients End-of-Support Affecting Microsoft 365 GCC High Tenants and CMMC ImpactOn November 1, 2021, Microsoft will no longer support Office 2010 & 2013 clients for Microsoft 365 Government Community Cloud (GCC) and Microsoft 365 GCC High tenants, and will deny access to Microsoft 365 GCC High. To ensure business continuity, reduce security risk, and maintain CMMC compliance, Summit 7 recommends assessing and planning your organizational upgrade today.
