What is GCC High?

The Defense Industrial Base (DIB) is made up of highly regulated organizations that require special environments to host their security systems and tools. That’s why Microsoft created the Government Community Cloud (GCC) High. It’s a cloud-based environment designed specifically to meet the stringent cybersecurity needs of the Department of Defense (DoD) and federal contractors.

GCC vs. GCC High

GCC High shouldn’t be confused with the original Government Community Cloud environment. GCC isn’t suitable for handling controlled unclassified information (CUI) or controlled defense information, while GCC High helps DIB organizations meet DoD-specific compliance requirements such as:

  • CMMC
  • DFARS
  • NIST 800-171
  • ITAR, and more

GCC High Supports Compliance and Ease of Use for Defense Organizations

Regulations like Cybersecurity Maturity Model Certification (CMMC) mean DIB organizations require highly specialized tools and environments to host sensitive data. With that being said, on a day-to-day basis, many companies would prefer to use software that’s already been approved, implemented, and familiar to employees.

As a compromise, GCC High includes subscriptions to essential Microsoft tools and pairs them with additional security that empowers organizations to meet strict industry requirements. These subscriptions include:

  • Exchange Online
  • OneDrive
  • Skype for Business
  • Microsoft Teams

Preparing for the DFARS Interim Rule

As CMMC becomes a requirement for organizations that want to work with the DoD in 2021, companies are urgently trying to streamline compliance efforts.

To add to the stress, the DFARS Interim Rule requires that DoD government contractors possess at least a basic NIST SP 800-171 DoD assessment that is no more than 3 years old. This assessment can be done online through the Defense Contract Management Agency and is required by November 30, 2020.

CMMC compliance requires every single DoD contractor to have an appropriate level of cybersecurity maturity by creating strict, standardized cybersecurity measures. This helps protect sensitive government data, regardless of company size or industry experience.

“CMMC will ensure a more level and fair playing field for companies bidding on DoD contracts.”

“Today, some small businesses bidding on work might self-attest that they meet requirements to handle certain kinds of information, but in fact only are planning to meet those requirements, while another business might actually be meeting the requirements.”

– Katie Arrington, DoD Chief Information Security Officer for Acquisition

Get the CMMC & DFARS Compliance Guide for Defense Contractors

Learn how Conquest Cyber's proprietary risk management software and managed security services help defense contractors achieve over 80% CMMC compliance in as little as 90 days.


Levels of Maturity for Cyber Controls

CMMC serves as a verification tool to establish appropriate levels of maturity for cyber controls. The Office of the Under Secretary of Defense for Acquisition & Sustainment elaborates that:

“The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.”

With levels ranging from 1 to 5, the requirements to achieve CMMC compliance increase as each level progresses. For example:

  • Level 1: Examines basic cyber hygiene and everyday controls requiring compliance with FAR 52 controls.
  • Level 5: Requires advanced, state-of-the-art cyber controls. This level includes compliance with all NIST SP 800-171 controls and many enhancements from 800-171b.

For example, according to NIST 800-171 3.5.1 and 3.5.2, organizations must identify all system users, processes acting on behalf of a user, and devices. To help meet this requirement, Microsoft’s GCC High has stringent background check capabilities for employees that align with the Office of Personnel Management (OPM) level 3 background check.

Because GCC High is also reserved for organizations in the DIB sector, DoD contractors, and federal agencies, organizations must also be validated by Microsoft to use it. Being CMMC compliant and having a reliable cloud environment to accommodate sensitive data is critical for organizations to earn high-value DoD contracts.


The Role of Cyber Risk Advisory in Navigating CMMC Compliance

As a Microsoft Gold Competency Partner and FastTrack Ready Partner, Conquest Cyber has the expertise and software to support the unique cybersecurity needs of the defense industrial base. This includes access to award-winning cybersecurity professionals who have an extensive background in the industry and a wide variety of certifications including:

  • Certified Information Systems Security Officer (CISSO)
  • Certified Information Security Manager (CISM)
  • Certificate of Cloud Security Knowledge (CCSK), and more.


GCC High & ARMED™

Alongside their team’s 24/7 support, Conquest Cyber’s proprietary software, ARMED™, automates cybersecurity procedures, eliminating slow manual processes and giving valuable time back to security personnel to focus more on business growth initiatives.

Thanks to its unique, patent-pending technology that enhances Microsoft Defender and Azure Sentinel, ARMED™ allows Conquest Cyber’s security professionals to remediate gaps in an organization’s cybersecurity system and meet compliance requirements.

ARMED™ can help DIB organizations achieve 80% of advanced cybersecurity levels of CMMC compliance in just over 90 days. By combining comprehensive cybersecurity features from Microsoft’s GCC High with the ARMED™ software suite, defense contractors can modernize their critical infrastructure and prepare for a higher level of CMMC.


Case Study

Conquest Cyber Provides Compliant Access to Office 365 in a GCC High Environment

One of Conquest’s clients is a federally recognized Native American tribe in Northern California. Their goal was to provide secure and compliant access to Office 365 Productivity Workloads in a Government Community Cloud (GCC) High environment.

To achieve this goal, they were required to:

  • Perform enhancements to the information security program to include building a continuous monitoring program
  • Enhance internal protection controls
  • Improve existing documentation around the security process
  • Build an incident response program to eliminate potential threats

Learn how they were able to enable compliant access to Office 365 in a GCC High environment.

Sources:

  1. Defense Contract Management Agency
  2. Defense.Gov, “DOD to Require Cybersecurity Certification in Some Contract Bids”
  3. Office of the Under Secretary of Defense for Acquisition & Sustainment, “Cybersecurity Maturity Model Certification”
  4. National Institute of Standards and Technology, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
  5. Department of Defense, “Cloud Computing Security Requirements Guide”