CMMC 2.0 and GCC High: Which Microsoft Environment do you need for CMMC 2.0 Compliance?

Captions
[Music] All right, so continuing from our last video: since CMMC 2.0 was announced last week, everybody's wanted to know what this means for GCC and GCC High in terms of compliance with CMMC. So I'm here to answer a couple of questions, the first one of course being: what's changed? That one's easy. For those of you here for the TL;DR (too long, didn't read): nothing has changed. Now, you can't go back to your CEO with this, so I'm going to go ahead and go through some of my former slides explaining why your decision to go with Commercial, GCC or GCC High has nothing to do with CMMC.

So first off, and I'm going to get out of the way here, first off we need to know how we got to CMMC. Now, I've presented this a number of times in past slides, but it's important to remember that the Federal Acquisition Regulation is augmented by the Defense Federal Acquisition Regulation Supplement (DFARS), and specifically clause 7012, which mandates NIST 800-171. Now with CMMC 1.0, that was put into action by DFARS 7021, and the rest of this is extraneous data; if you want more information you can watch the video we just did that talks about how we got to CMMC 2.0. But it is important to remember that DFARS 7021 did not eliminate 7012, and DFARS 7012 did not eliminate the FAR; these all stack on top of each other.

So the next thing I want to talk about is data residency versus data sovereignty. This is going to be really important in about two slides. Data residency is something you hear when you think about, or when you hear about, GDPR: when you hear about data residency in terms of citizens of a country where their data must reside in a certain place, you hear Facebook, Instagram, all of those companies running into issues, usually in Ireland, for where their information stays. Data sovereignty is a different beast. With data residency, that data can stay in one place but go anywhere; with data sovereignty, that data has to stay within the specific confines of a geographic or governmental political area. This is going to be another thing to consider here in a minute.

Now the next thing I want to talk about is what GCC High is and how the environments are stacked. Again, I've done this slide a number of times, so I'm going to just kind of brush through this as quickly as possible so you can understand the architecture and why things lay where they do. So in the beginning there was Office 365; we all know and love it, it's Commercial. Now the Government Community Cloud was built to meet the needs of state, local and federal governments that had to protect the information of their citizens, and for that Microsoft created GCC. Now this all lives on Azure Commercial. Azure Commercial is a global infrastructure; it has follow-the-sun support, meaning that if you call for support at 6 PM and the call centers are open in Bangladesh, you will get someone in Bangladesh to answer that call. Additionally, the engineers, because it's the cloud, can work from anywhere, and so the support personnel monitoring the infrastructure are also global. Azure has global availability. This is a great, wonderful thing, and it works for data residency; it does not work for data sovereignty. Finally, there's Dynamics 365.

Now with GCC there was a requirement to have a cloud environment for SaaS providers, software-as-a-service providers, who were giving services to state, local and federal governments, so Microsoft created Azure Government, which had data sovereignty, and we'll talk a little bit about the specific requirements around the environment as well as the personnel here in a moment. Now on top of that, Microsoft built the Office 365 DoD environment for the Department of Defense. This was great: data sovereignty, it had Impact Level 5, everything the DoD needed. But what this left was a gap for defense contractors who needed to work with the DoD, because there was no cloud environment that could meet the requirements of DFARS 7012, which we spoke about a minute ago, and I'll explain this a little bit more in depth in a second. So in order to provide an environment for the defense industrial base, Microsoft created GCC High. Now what you see here are the SRG impact levels; four and five are the ones that we're focused on for GCC High and DoD, and then off here at the edge we also have Azure Government Secret, which is Impact Level 6. Don't ask me about it; you're not getting in without the help of your contracting agency.

All right, so now let's talk about compliance against the different Microsoft 365 enclaves. The points we want to look at here specifically are DFARS 7012, ITAR, CUI, CDI, NIST 800-171 and then CMMC levels. So when we look at Microsoft Commercial, you can see that DFARS 7012 cannot be met, and now I want to slow down for a second and explain why. DFARS 7012, which mandated NIST 800-171, has its own protections, or own requirements, for reporting cyber incidents, and as part of that there is a requirement that you are able to hold forensic data for a specified amount of time. Microsoft will not contractually support this onerous requirement in Commercial for what they charge. And again, because there's no DFARS, you can see no ITAR, no CUI, but you can see NIST 800-171 (I'll get into that as well) and CMMC Level 1. Now the reason why it can meet NIST 800-171 is that there is no requirement for environment. You're going to hear me chant that a number of times before the end of this video: no requirement for environment. NIST 800-171 can be met in Commercial.

Now in terms of GCC, the Government Community Cloud, you see that this does have the ability to meet DFARS with, and the important part here is, with contractual flow-downs. So if you have contractual requirements to meet DFARS 7012 in terms of holding forensic data in the event of a cyber incident, GCC High or GCC is sufficient to meet DFARS 7012. It is insufficient for ITAR. You can manage CUI; however, there you can only manage non-specified CUI, and I'll explain that again in the next slide in a much deeper way. And of course it will meet NIST 800-171 and will meet CMMC Levels 2 and 3. Now GCC High: GCC High is a data-sovereign environment, and here's where you start to see the big impacts. So yes DFARS, yes ITAR, yes without the little star for CUI and CDI, in that it can manage export-controlled controlled unclassified information, NIST 800-171 is a yes, and CMMC all levels one through three. And then of course DoD is just here.

So what I want to talk about real quickly is the difference in screening for personnel between GCC and GCC High. So GCC and GCC High have all of the same classifications here between citizenship and fingerprint check; however, their background checks are different. GCC has a Criminal Justice Information Systems background screening, which is a state-adjudicated review of criminal history. Now in terms of GCC High, this is a DoD IT-2 adjudication based on a successful Office of Personnel Management Tier 3 investigation. This is the same background check as if you were going to manage classified information without having a classified clearance. This means that the environment and the people working in it are capable of meeting these higher-watermarked controls for controlled unclassified information with export controls.

So now let's align CMMC 2.0 levels to the Microsoft environments with what we know so far. So what environment do you need for CMMC 2.0? Well, let's start with Federal Contract Information, which aligned with the old Levels 1 and 2 and is now CMMC Level 1. For this you can easily use Microsoft Commercial. Now let's look at Controlled Unclassified Information; this is a bit different. Remember that it was DFARS 7012 that mandated NIST 800-171 for protecting CUI. To meet DFARS 7012 incident reporting requirements you must use GCC or GCC High; however, to meet CMMC Levels 2 and 3 you can technically use Commercial, as there is, like I said, no requirement for environment in either CMMC or NIST 800-171 at this time. There is still documentation we're waiting on. Now let's talk about CMMC Level 3 and NIST 800-172. Again, there is still no requirement for environment, so you can technically get by with Commercial if you ignore DFARS. This is important if you're watching this video in five years and CMMC has rolled out to the entire federal acquisition system, which we expect it to, because you may not be subject to DFARS and you may not be using CMMC to protect Controlled Unclassified Information. But for now it is important to set that aside and know that if you are subject to DFARS, you definitely need GCC or GCC High.

So why would you pick GCC over GCC High, or one environment over another? Well, export controls like ITAR and EAR, marked CUI like Controlled Technical Information (CTI), nuclear and space contracts, and anything with no-foreign markings require data sovereignty; they have to stay in the U.S. And for specified CUI, that requires U.S. citizens, background-cleared individuals and data sovereignty. So taking it back down to a nutshell: in Commercial you can meet CMMC Level 1; in GCC you can meet CMMC Levels 2 and 3 with the caveat that it has to be unspecified CUI; and in GCC High you can meet CMMC Levels 2 and 3 along with specified CUI with export controls like ITAR, NASA, no-foreign CDI, etc.

So hopefully this was helpful, but of course we are still waiting for the DoD to release the next bit of information and what CMMC 2.0 is really going to look like. Once we know that, I'll be back to give you a hand once again. Please, if you have any questions or comments, leave them below in the comments section, and give us a like and follow. I love to answer questions, I love to know that my content is helpful, and I'd love to hear your suggestions on how to make it better. Thanks a lot and have a great day.
Info
Channel: Agile IT
Views: 186
Keywords: Microsoft, Cloud Computing, GCC High, GCC, CMMC, DFARS, ITAR, CTI, CDI, CUI, CMMC 2.0
Id: h1bC5Qowse0
Length: 12min 0sec (720 seconds)
Published: Mon Nov 08 2021