Critical Updates Regarding CMMC GCC & GCC High Licensing: How These Changes Will Impact Your Organization’s CMMC Strategy
With enforcement set to begin for the CMMC, we’ve received a lot of questions from clients about the role that government licensing (GCC & GCC High) for CSPs (Office 365 Commercial, Azure, AWS etc.) will have in relation to addressing their respective CMMC 3-5 requirements. It’s long been known that this type of government licensing is extremely costly from both a price and implementation standpoint, and as a result, is a major concern for many contractors faced with possibly needing it to address their required CMMC level.
As of today, Microsoft’s official stance is that GCC “High” will be the required licensing for organizations managing CUI and for those that are required to adhere to CMMC levels 3-5. The DoD’s logic is that GCC High is the safest option that covers all DFARS contractual obligations, which would cover CMMC levels 3 through 5. In addition, Microsoft’s own compliance division has it on good authority that companies certifying to be C3PAOs are being trained to treat the organizations they audit as government entities, which itself requires Cloud Service Providers to meet FedRAMP High standards.
In short, this critical update will significantly alter the way in which organizations with CMMC 3-5 requirements plan and incorporate these changes into their existing IT strategies. Not only will this be an additional and considerable licensing cost to bear, it may also require additional, unanticipated resources to address your compliance requirements that are not currently included with GCC High level licensing.
GCC vs GCC High: Why the Difference Matters
Generally speaking, there are two different types of Government licensing available from Microsoft in particular: GCC and GCC High.
GCC meets all DFARS requirements, including DFARS 7012 and paragraphs c-g, but unlike GCC High, it does not meet ITAR or EAR requirements if certain US-persons export controls are required in your contract.
To that point, another big difference between the two is that GCC High is a 100% standalone environment, with all data centers residing in the United States and support personnel being screened US persons who are based in the country as well.
For those reasons, GCC level licensing may not be enough for some organizations with export control contractual requirements, and, as per usual, it comes down to the contract of the prime and the prime’s requirements for that subcontractor to make that determination.
In the event that your contract requires that security measures be flowed down to the subcontractors, CSPs (O365 Commercial, Azure, AWS) used by the contractor in question will need to meet those flow-down requirements as well. Because GCC licensing wasn’t designed and specifically built to address government regulatory requirements, Microsoft will only sign a contractual obligation for flow-down under GCC High.
In short, if the contract requires data sovereignty in the United States and/or that only US-based persons have access to the data (as would be the case with ITAR, EAR, etc.), then GCC High would be required. It’s important to reiterate that these requirements would apply not just to the primes, but to the subcontractors as well.
What Does This Mean to Your Organization?
In a larger sense, all of this means that clients with A) DFARS and CMMC obligations, who B) are using commercial versions of Azure or Office 365 will be C) required to migrate to either GCC or GCC High.
Depending upon your contractual obligations, clients who are using GCC and also meet criteria A-C may need to migrate to GCC High in the very near future. It’s important to note that GCC High has no month-to-month payment option and must be paid up-front on an annual basis. Additional licenses can always be added during the term on a pro-rated basis.
All of these changes will likely impact organizations using CSPs (O365 Commercial, Azure, AWS) that have DFARS 7012 or CMMC Level 3-5 requirements in their contracts. But moving beyond the infrastructure side of the conversation, the real impact comes down to cost, both in terms of the migration costs and the additional 3rd party licensing fees moving forward.
There are also feature and functionality limitations to consider. Because every piece of code and feature set needs to be carefully scrutinized before release into GCC High, it receives new product and feature updates at a much slower pace than either GCC or even standard Commercial level licensing. To further complicate the issue, there are several instances where certain features within GCC and Commercial licensing are not included with GCC High and can only be enabled by introducing an additional 3rd party solution. If you use Microsoft Teams, audio conferencing bridges would be one such example of these limitations. Dial-in conferencing within a Teams environment in GCC High currently requires third parties, and those third parties charge significantly more than Microsoft does for Commercial and GCC for that same level of features and functionality.
All of this is in stark contrast to what was previously believed, namely that Commercial could meet DFARS/CMMC 3-5 requirements with supplemental services like a SIEM (security information and event management) product. However, Microsoft has changed its official stance: only GCC (for now) or GCC High can meet the reporting requirements within paragraphs c-g. Because of that, they only recommend GCC High for all CUI, since it is the only platform on which they will contractually agree to meet all CSP (O365 Commercial, Azure, AWS) requirements.
As stated, these additional costs are primarily tied to the licensing and migration fees, but there is also the likely possibility of having to invest in other 3rd party solutions if any mission critical features are required but are not currently included with GCC High.
Lessons Learned and Next Steps
At TSI, we’ll be the first to acknowledge that we’ve received conflicting information over the past year from both the Department of Defense’s CIO office and Microsoft regarding what is truly required from CSPs (O365 Commercial, Azure, AWS) under the CMMC. That said, it’s clear that this is still an evolving process, and because of that, we should expect to see even more changes in the near future.
But since Microsoft’s official stance today is that GCC High should be used for all situations involving CUI, that will be our own recommendation moving forward. However, the one thing that has not changed, and that should come as a relief to many, is the fact that these additional expenses are an allowable cost to the DoD primes. Although we have yet to see how this actually plays out, the uptick in licensing costs SHOULD be able to be offset with increased pricing to the DoD, funneled up from the primes.
Despite this change, you should take comfort in the fact that your partners at TSI are making every effort to stay on top of this situation so that we can provide you with the most accurate and actionable advice regarding CMMC compliance and its evolving requirements. So, if you have any additional questions about GCC or GCC High, or if you’d just like to discuss your organization’s unique needs with a compliance expert, please contact me or one of my colleagues at TSI today.