There’s been a myth going around that GCC High is required for CMMC. For the most part, this myth was dispelled by a CMMC-AB member during a May 2020 presentation. There is no requirement for Microsoft’s GCC High to meet any level of CMMC. While it is the only version of the Microsoft 365 platform that meets DFARS 7012 requirements according to paragraphs C-G, GCC High is not the only option for your overall compliance strategy when doing business with the DoD.
GCC High is not the only Microsoft solution that satisfies CMMC compliance. GCC and the Commercial versions of the platform can be configured to NIST 800-171 specifications and most of CMMC’s requirements with native security products/capabilities. For example, CMMC Level 3 security requirements can be met with both GCC and Commercial even if they do not meet DFARS 7012 or ITAR.
The differences that stand out most between Microsoft’s GCC High and GCC and Commercial are:
Some smaller organizations take the risk and go with GCC or Commercial until they can justify the investment in GCC High. However, doing so means ignoring the DFARS 7012 reporting requirements and hoping nothing goes wrong in the meantime. If an incident does occur, it could invoke a False Claims Act (FCA) violation.
Because of GCC High’s costs, some businesses are willing to take the risk because they have minimal, if any, interaction with CUI. Moreover, their business with the DoD is a smaller component of their portfolio. Instead of making an immediate decision, some decide to make the switch from GCC or Commercial within a two- to five-year timeframe. If you have been considering taking this route, you should ask yourself these three questions:
If you are unwilling to take the risks of going without CUI protection, but are not ready to go the GCC High route, PreVeil delivers exceptional security and is highly affordable. It is easy to deploy and use while supporting CMMC Level 3 compliance.
PreVeil is the better option for growing organizations that do business with the DoD but are not yet ready to invest the capital needed to move to GCC High.
BONUS: PreVeil is hosting Katie Arrington (CISO for the Office of the Undersecretary of Defense for Acquisition), J.C. Dodson (Global CISO of BAE Systems), and Rob Egerton (Chief Strategy Officer & Chief Information Officer, Monroe Engineering). This diverse panel of presenters will highlight the strategies and technology considerations that DIB suppliers of all sizes are taking into account as they prepare for CMMC.
If you are a DoD contractor with supply chain concerns, this webinar is for you. Register today!