As a cybersecurity service provider specializing in CMMC compliance services, we’ve been getting that question a lot lately.
This post will provide answers, some helpful tips, and additional guidance on where you can go for more information.
But first, let's do a high-level review of the components and regulations we're going to discuss. We'll start with Microsoft's productivity, communication, and storage applications, now officially branded Microsoft 365 (formerly Office 365, and abbreviated MS 365 below), which are delivered from Microsoft's cloud.
Next, we'll look at the cloud environments that host the MS 365 services, and the services themselves, in the context of CMMC Level 2 compliance.
So, let's start with the cloud infrastructure. Microsoft offers several cloud environments, including Commercial and the Government Community Cloud (GCC). Here's how Microsoft breaks it down:
This section covers the following Office 365 [Now MS 365] environments:
- Client software (Client): commercial client software running on customer devices.
- Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud – High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
- Office 365 DoD (DoD): This environment is for the exclusive use of the US Department of Defense.
That's an excellent taxonomy. We're not concerned with the environment restricted to the DoD, so let's consider CMMC Level 2 in the context of MS 365 GCC, GCC High, and the Azure infrastructure underneath them.
The differences between Microsoft 365 Commercial, GCC, GCC High, and Azure Commercial
The differences between these services can be subtle, and we don't want to get into the weeds. But the differences that matter for meeting federal government and DoD cybersecurity regulations are granular, and they matter. The applicable regulations here are DFARS 252.204-7012 (which, among other things, requires that any external cloud service used to store or process covered defense information meet the FedRAMP Moderate baseline or equivalent), NIST SP 800-171, and CMMC Level 2.
Every tier of Microsoft's cloud is designed to meet FedRAMP requirements. The tiers diverge where federal standards and contract clauses require that only U.S. persons can perform certain functions, such as:
- Access data center facilities where regulated information is stored
- Provide restricted levels of tech support
- Develop, troubleshoot, and debug restricted software applications, etc.
Additional operational and logistical restrictions can include requirements such as using only data center facilities in the continental U.S. (CONUS), restricting access to data and sensitive communications to U.S. persons, and extensive background screening for employees with the highest levels of system access.
These layered restrictions create the physical and logical boundaries that separate the tiers. A simple way to look at it: GCC is a logically segregated enclave running in the same Azure Commercial data centers as the commercial service, while GCC High is a separate environment hosted in Azure Government (U.S. sovereign) data centers and operated and supported only by screened U.S. persons.
In a nutshell, as reported by the Microsoft Tech Community, MS 365 GCC supports FedRAMP High requirements. The data protection needed for Federal Contract Information (FCI) under CMMC 2.0 Level 1 is available in both Commercial and GCC. Many Level 2 and Level 3 requirements are also supported in GCC, but certain categories of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI), notably export-controlled data subject to ITAR or EAR, are NOT supported in GCC for CMMC 2.0 Levels 2 and 3.
MS 365 services in Azure and CMMC Level 2 compliance, summarized
You can see how the infrastructure tiers affect your ability to use MS 365 apps inside the guardrails of your CMMC compliance checklist. It's not so much that a given app is or isn't compliant, although that's a factor in itself. Compliance depends largely on where the app's service runs and who operates it, and that is fixed by the environment (Commercial, GCC, or GCC High) your tenant is provisioned in.
It's also important to note that feature parity decreases as the environments become more restrictive. Capabilities such as replication, backup, communications, and data management features for MS 365 apps arrive later, or not at all, as compliance restrictions intensify, so verify that every feature your workflows depend on is available in the target environment before you commit to it.
We discuss CMMC 2.0 in detail in a previous post. The bottom line is that companies are now required to use the CMMC documentation to ensure compliance and data protection for CUI. This process can be challenging and time-consuming. In many cases, an organization will need a third-party expert to gauge its existing compliance posture and make ongoing adjustments as the regulatory environment evolves.
Organizations handling CUI must be able to demonstrate compliance with the 110 security requirements in NIST SP 800-171 to meet CMMC Level 2. The contractual obligation to implement those requirements comes from DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement), which also sets the FedRAMP Moderate-or-equivalent bar for any cloud service provider a contractor uses to store or process covered defense information.
The net-net is that to meet all data protection requirements for CUI, including export-controlled CUI, using MS 365 apps in compliance with CMMC Level 2, you will need to deploy in MS 365 GCC High.
Creating a CMMC L2 Enclave in the Azure Cloud
Federal contractors can use Azure Commercial and GCC to meet some CMMC Level 2 requirements for safeguarding CUI by making internal and external security modifications, but we generally do not recommend it.
We recognize that every organization is unique, but we also recommend weighing the totality of your circumstances, now and into the future. Migrating from a lower tier, like Commercial or GCC, to a higher tier, like GCC High, can be expensive, intrusive, and time-consuming, because it is a tenant-to-tenant migration rather than an in-place upgrade.
Tying it all together
Your organization needs to evaluate the risks and benefits of your Azure Cloud implementation in context. The world of CMMC 2.0 compliance in cloud technologies is still evolving, and your technology choices need to be adaptable to that evolution.
We're here to help our clients stay abreast of changes in DFARS 252.204-7012, the NIST SP 800-171 controls, and CMMC Level 2. That includes assistance with selecting your level of service in Azure and MS 365.
Where can you go for more information, such as how much it costs to deploy MS 365 GCC High and what the process looks like?
Whether you need to migrate to MS 365 GCC High or build a CMMC Level 2 compliant enclave in Azure, our experienced team of technicians is here to help.
At CKSS, our team of regulatory compliance security specialists has extensive experience helping small to medium-sized organizations implement and maintain robust, cost-effective information security programs at all levels. But we’re here to listen first.
After we fully understand your requirements and budget, we’ll help you achieve and maintain compliance with FISMA, DFARS/NIST SP 800-171, and CMMC 2.0 in the Azure Cloud.
We offer strategic advisory services, security compliance templates, security and compliance staff augmentation, and managed security and compliance services, including Chief Information Security Officer (CISO) services.
Do you have questions about levels of service in the Azure Cloud, CMMC 2.0 Level 2 compliance, or MS 365 GCC High?
We’re here to help.
Call us at 443.464.1589 or get in touch with our team online today.