Understanding GCC High, GCC and Commercial Microsoft 365

  • Published: Aug 21, 2024

Comments • 12

  • @franciscovilches7424 3 months ago

    Thank you!

  • @ricromero369 3 years ago +2

    Great breakdown.

  • @shaikhasad2911 2 years ago

    Clearly explained. I have built some SP Webparts for my organization. As part of my research on how to make these Webparts GCC compliant, I landed on your video, which clears many doubts. Any specific guidance regarding SP Webparts?

  • @tobeskokoatobes3968 1 year ago

    Great video. I'm still a little confused. So if a private entity/contractor wanted to be CMMC/NIST 171/ITAR compliant, would their just purchasing the GCC High license solve that? Or would they have to conduct their own 3rd party CMMC/NIST 171 assessments on their security controls (and pass the assessments) before they would even be able to acquire a GCC High license?

    • @AgileITcom 1 year ago

      No, GCC High on its own does not meet NIST 800-171 or CMMC. The architecture it is based on allows you to meet the data sovereignty requirements for export controlled CUI and ITAR, but you must implement the controls in your own environment to meet NIST 800-171.

    • @tobeskokoatobes3968 1 year ago +1

      @AgileITcom Thanks. When you say in your own environment, you mean the GCC High environment, correct? And secondly, are you familiar with Microsoft Purview Compliance Manager and how that works with GCC High?

    • @AgileITcom 1 year ago +1

      @tobeskokoatobes3968 My statements about shared responsibility apply to any environment, but yes, in the case of GCC High. And yes, we are VERY familiar with Purview Compliance Manager. My favorite part about it in GCC High is that the CMMC templates are included and not a premium add-on.

  • @larissamillet1657 3 years ago

    I understand that my data and the employees are all in the US with GCC High, but are there any added technical controls related to compliance that can be implemented in Azure that are not in the Commercial product?

    • @AgileITcom 3 years ago

      Larissa, yes, staff operating in Azure Government are required to pass a DoD IT-2 adjudication based on a successful Office of Personnel Management Tier 3 investigation. This is the required level for access to confidential and secret information. Depending on the level of compliance required by your contractual obligations (determined by the types of specified CUI you manage) this can be required.
      Regarding specifically technical controls, the answer is no, and I suspect this will not change. Why introduce a feature that expands security and compliance and not roll it out to less restrictive environments?

  • @dkipu266 2 years ago

    Microsoft currently lists many of their services as “In scope” for many of the required standards of NIST 800-171, DFARS, FIPS, etc., including Office 365 GCC. Do you know if they resolved any of the issues you’ve mentioned with Microsoft 365 GCC versus Office 365 GCC?

    • @AgileITcom 2 years ago +2

      Yes, in February 2021, Microsoft added contractual flowdowns for DFARS 7012 to GCC (moderate), making it acceptable for housing CUI provided there are no specified CUI types such as Controlled Defense Information, ITAR, or NOFORN marked CUI.