Many DoD contractors are inquiring about whether their standard commercial version of Microsoft Office 365 will be sufficient enough to meet CMMC requirements.
The short answer is, “it depends.” Here’s why:
- For DoD contractors who seek to be CMMC Level 1 compliant, Microsoft 365 commercial (The standard version most offices are familiar with) will be sufficient given that they’ve implemented 17 basic cyber hygiene practices from NIST 800-171. This is in accordance with 48 CFR 52.204-21.
- For DoD contractors who seek to be CMMC Level 2 compliant, they will need to upgrade to Microsoft 365 Government Community Cloud (GCC). They will also have to make sure they have implemented all 110 controls from NIST 800-171. There are other options available, however, for those contractors that want to continue to use Microsoft Office products that they are familiar with, GCC is the best option. For contractors requiring ITAR compliance, GCC High must be used. Read about the differences between GCC and GCC High and why we advise Level 2 contractors to use GCC High here.
CMMC Level 2 requires Controlled Unclassified Information (CUI) to be stored and transmitted on data centers located within the continental United States. ITAR requires additional controls in which CUI can only be accessed by authorized U.S. citizens. Because GCC High utilizes Microsoft’s US Sovereign Cloud, it is compliant with CMMC Level 2 and ITAR.
Below is a table showing the differences between the Microsoft platforms:
If you are considering using Microsoft GCC and migrating your business’s current data and office software over to GCC or GCC High, consider our Microsoft GCC High Migration Services. For all contractors, even those who only seek to attain CMMC Level 1, see our CMMC Preparation Services which can help make sure you are prepared for CMMC, as well as meet current DFARS law. We’ve helped thousands of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171 and CMMC.